
Getting very close to decommissioning our old CA. The new CA is in place and happily issuing certificates and the old CA has had all the templates removed so no certificates will be issued.

My concern about the decommissioning process though is revoking "Basic EFS" certificates. It appears as if there have been several of these certificates issued in our domain and although the users in question are adamant they have no encrypted documents I take that with a pinch of salt. During the decomm the process is to set the CRL to a suitable time frame and then revoke all certificates. As the "Basic EFS" does not support Autoenroll I am worried that there will end up being encrypted documents that we now cannot access.

Is there a method to ensure seamless transfer of EFS certificates from one CA to another? Or am I overcomplicating it and a new certificate will be issued when required by the new CA?

1 Answer

You mention 'several' EFS certs have been issued. You can manually request new EFS certificates from your new CA for each of those users and delete them one at a time.

Byron C.
  • This is where I was sketchy about the process. Would requesting a new EFS certificate automatically decrypt those documents that were encrypted with the old cert? On closer inspection of our environment it looks like users, mainly IT, have requested them but been unable to implement encryption as no recovery agent cert had been issued. A scan of the files on the computers in question also led to no files showing as being encrypted so we proceeded anyway. –  Jun 13 '14 at 13:24
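As an added example (not code from the original post or answer), here is a PowerShell inventory you can run in each affected user's session before revoking: it lists the EFS certificates in that user's personal store, flags the ones issued by the old CA, and then looks for files carrying the Encrypted attribute under the profile. The old CA issuer name and the scan root are placeholder assumptions. Note that a new EFS certificate from the new CA does not by itself re-key existing files; `cipher /u` updates them to the user's current EFS key while the old key is still present, so that step belongs before the old certificate is deleted or revoked.

```powershell
<#
  Added example, not from the original post. Run as the user being checked.
  Assumptions (placeholders): $OldCaIssuerPattern matches the old CA's issuer DN;
  only the current user's profile is scanned, so repeat per user.
#>
param(
    [string]$OldCaIssuerPattern = 'CN=OLD-CA-PLACEHOLDER',
    [string]$ScanRoot = $env:USERPROFILE
)

$efsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU

# 1. EFS-capable certificates in the personal store, tagged by issuer.
$efsCerts = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
    $_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $efsEkuOid }
}
$report = foreach ($c in $efsCerts) {
    [pscustomobject]@{
        Thumbprint    = $c.Thumbprint
        Issuer        = $c.Issuer
        NotAfter      = $c.NotAfter
        HasPrivateKey = $c.HasPrivateKey
        FromOldCA     = ($c.Issuer -like "*$OldCaIssuerPattern*")
    }
}
$report | Format-Table -AutoSize

# 2. Files under the scan root that carry the Encrypted attribute.
$encrypted = Get-ChildItem -Path $ScanRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 }

# 3. Decide whether revoking the old CA's EFS certs is safe for this profile.
$encCount   = @($encrypted).Count
$oldCaCount = @($report | Where-Object { $_.FromOldCA }).Count
if ($encCount -eq 0) {
    "No EFS-encrypted files under $ScanRoot; revoking old EFS certs is low risk here."
} elseif ($oldCaCount -gt 0) {
    "$encCount encrypted file(s) found and $oldCaCount old-CA EFS cert(s) present."
    "Enrol for a new EFS cert from the new CA, run 'cipher /u' to re-key, then remove the old cert."
    $encrypted | Select-Object -First 20 -ExpandProperty FullName
} else {
    "$encCount encrypted file(s) found but no old-CA EFS cert in this profile; check the file owners."
}
```

Run it once per user (EFS keys live in each user's own profile), and keep a backup of the old certificate and private key until `cipher /u` has rewritten every file.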