|Applies To||Encrypting File System (EFS)|
Microsoft Windows 2000
Keon Certificate Authority
|Issue||How to issue Encrypting File System (EFS) Certificates with Keon Certificate Authority|
The user wishes to implement the native EFS facility available in the Windows 2000 operating system. In order for users to encrypt files and folders they must have a Certificate issued for this purpose stored in their user profile either on the local machine or in the Active Directory Server. For further details on setting this up refer to the Microsoft Corporate web site.
|Resolution||The issued certificate needs to have a non critical "Extended Key Usage" extensions with the OID value of|
To do this in KCA the Certificate Vettor or Administrator needs to do the following when issuing the end entity Certificate:
1. In the Certificate Operations workbench search and select the user that has requested the EFS Certificate.
2. Check over the user details as normal then select Custom in the Certificate Profile menu.
3. Under the available Certificate extensions select 'Extended Key Usage'
4. Proceed to the next screen by using the 'Issue' button.
5. Select the 'Non Critical' option and type '1' for number of OID's required, then select next.
6. In the OID field type in the following value :
Note: These instructions assume that the Certificate will be used for EFS only. As the Certificate extension used is non-critical it may also be used with additional extensions for other application purposes.
For details on issuing Certificates for EFS data recovery see also: How to issue EFS Recovery Agent Certificates with Keon Certificate Authority
|Legacy Article ID||a3990|