How do I get rid of an encryption certificate?


  • Server 2003 R2 (file server)
    Server 2003 Certificate server

    We have a user, Cindy: when she encrypts a file on the server via a drive share, the certificate used is one that is revoked.
    We want to give her a new certificate.

    This is what we have tried:
    1) Cindy has logged onto the server directly, run certmgr and removed her certificates.
    2) Cindy then navigated to the crypto folder and deleted all entries there.
    3) She then requested a new certificate via cert mgr.
    4) She then logged into her workstation and encrypted a file on the file server.
    5) We looked at the certificate used and it was the old one.

    We did all the same as above for her local machine and that did not work either.
    We logged onto the certificate server and ran the Certificate Manager. We found the particular certificate as a revoked certificate. The software does not allow deletion of a certificate.

    The real question is this.
       How do we control what certificate is used in an encryption scenario when a user encrypts a file through a file share onto a file server?

    We had a Microsoft representative remote access our servers for two days and could not solve this issue.

    It is a simple question. I would be grateful to anyone who can shed some light on this issue. I have read just about every Microsoft publication on how encryption works. But no document I have found yet speaks unambiguously on how to "control" which certificate is used to encrypt a file.

    Thank You
    Jerry C

    • Edited by JerryCic Thursday, March 18, 2010 4:30 AM
    Wednesday, March 17, 2010 6:33 PM

All replies

  • Any Takers?
    Thursday, March 18, 2010 4:29 AM
  • Has anyone out there used EFS?
    Friday, March 19, 2010 6:25 PM
  • Hi,

    Please log on to the server again with Cindy, run certutil -store -user MY and copy the output here for research.

    Based on my understanding, if the server has got the latest CRL (or delta CRL), the revoked certificate will not be used.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, March 23, 2010 8:11 AM
  • Thank you for your reply!

    When Cindy logs into the file server and runs certutil -store -user MY, she gets this:

    When she logs onto her xp pro workstation and encrypts a file on that server via a share, she gets this certificate:

    Note the certificate used is different from the one(s) in the certutil picture.

    Also the one that gets used is revoked according to the certificate server.

    Thank you

    Jerry C


    Tuesday, March 23, 2010 5:23 PM
  • Hi,

    Are you using a roaming profile? If a roaming profile is not being used and you want to log onto the Windows XP computer to encrypt a file, please run the certutil command on the Windows XP computer after you log on with Cindy.

    Meanwhile, please remember that you need to log off the Windows XP computer after you have deleted the certificate.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Thursday, March 25, 2010 5:44 AM
  • Thank you for your attention.

    We are not using roaming profiles. The domain controller is Server 2003, the file server is a different Server 2003, and the certificate server is also a different Server 2003.

    Here is the certutil result for when Cindy logs onto her XP Pro workstation:


    The certificate does not show up here either!!

    So my ultimate goal is to have four users able to access a set of encrypted files, but in order to do this, I need to add each one's encryption keys to each file, so that the file may be accessed by all.

    I cannot do this if I cannot find the particular certificate used when a user encrypts a file.

    Thank you for your continued interest.

    Jerry Cic 

    Sunday, March 28, 2010 4:20 PM
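As an added PowerShell example, not taken from any post in this thread, for the original question of which certificate EFS picks and the last post's need to find it: the script lists the EFS-capable certificates in the user's Personal store, checks each against the CA's CRL, and marks the one whose thumbprint matches the EFS CurrentKeys registry value that EFS consults before encrypting. It assumes EFS stores that SHA-1 thumbprint as the REG_BINARY value CertificateHash under HKCU\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys, and that it is run in the user's own session (as Cindy) on each machine involved, the file server included, since EFS over a share uses the profile on the server.

```powershell
# Added example: which certificate will EFS use for this user on this machine?
# Assumption: EFS keeps the thumbprint of its current key in the REG_BINARY value
# HKCU\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys\CertificateHash.
$efsEku = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU OID

function Get-EfsCurrentKeyThumbprint {
    $keyPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
    $item = Get-ItemProperty -Path $keyPath -Name CertificateHash -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    # Render the binary hash as the upper-case hex thumbprint certmgr/certutil show
    return (($item.CertificateHash | ForEach-Object { $_.ToString('X2') }) -join '')
}

function Test-EfsEku($cert) {
    # True when the certificate's Enhanced Key Usage extension (2.5.29.37) lists EFS
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($null -eq $ext) { return $false }
    return (($ext.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $efsEku)
}

function Get-EfsCertificateReport {
    $current = Get-EfsCurrentKeyThumbprint
    Get-ChildItem Cert:\CurrentUser\My | Where-Object { Test-EfsEku $_ } | ForEach-Object {
        # Build the chain with online revocation checking so a revoked cert is flagged
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        $null = $chain.Build($_)
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        if (-not $status) { $status = 'Valid' }
        [pscustomobject]@{
            Thumbprint    = $_.Thumbprint
            Subject       = $_.Subject
            NotAfter      = $_.NotAfter
            HasPrivateKey = $_.HasPrivateKey
            ChainStatus   = $status          # e.g. Revoked, RevocationStatusUnknown
            IsEfsCurrent  = ($_.Thumbprint -eq $current)
        }
    }
}

Get-EfsCertificateReport | Format-Table -AutoSize
if (-not (Get-EfsCurrentKeyThumbprint)) {
    Write-Host 'No EFS CurrentKeys entry: EFS will select or create a key on the next encrypt.'
}
```

A certificate marked IsEfsCurrent with ChainStatus Revoked, or a CurrentKeys thumbprint that matches nothing in the store on that machine, is the condition to look for before deleting certificates or requesting a new one.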