000018882 - How to issue Encrypting File System (EFS) Certificates with Keon Certificate Authority

Applies To
Encrypting File System (EFS)
Microsoft Windows 2000
Keon Certificate Authority
Issue
How to issue Encrypting File System (EFS) Certificates with Keon Certificate Authority
The user wishes to implement the native EFS facility available in the Windows 2000 operating system. In order for users to encrypt files and folders, they must have a Certificate issued for this purpose stored in their user profile, either on the local machine or in the Active Directory Server. For further details on setting this up, refer to the Microsoft Corporate web site.
Resolution
The issued certificate needs to have a non-critical "Extended Key Usage" extension with the OID value of

To do this in KCA the Certificate Vettor or Administrator needs to do the following when issuing the end entity Certificate:
1. In the Certificate Operations workbench search and select the user that has requested the EFS Certificate.
2. Check over the user details as normal then select Custom in the Certificate Profile menu.
3. Under the available Certificate extensions select 'Extended Key Usage'.
4. Proceed to the next screen by using the 'Issue' button.
5. Select the 'Non Critical' option and type '1' for the number of OIDs required, then select next.
6. In the OID field type in the following value:
Note: These instructions assume that the Certificate will be used for EFS only. As the Certificate extension used is non-critical it may also be used with additional extensions for other application purposes.

For details on issuing Certificates for EFS data recovery see also: How to issue EFS Recovery Agent Certificates with Keon Certificate Authority

Legacy Article ID
a3990