Original URL: | https://blogs.technet.microsoft.com/pki/2012/01/23/efs-certificates-may-be-recovered-as-cng-certificates-when-capi-csp-is-required/ |
Post name: | EFS Certificates may be recovered as CNG certificates when CAPI CSP is required |
Original author: | Kurt L Hudson MSFT |
Posting date: | 2012-01-23T14:07:32+00:00 |
If a Key Recovery Agent (KRA) certificate is stored in a Cryptography Next Generation (CNG) Key Service Provider (KSP), the certutil -RecoverKey command will by default recover a key as a CNG certificate. This default behavior could cause an issue if you are recovering a Rivest, Shamir and Adleman (RSA) key for the Encrypting File System (EFS). EFS supports KSPs only for Elliptic Curve Diffie-Hellman (ECDH) keys.
A workaround for this problem is to specify the switch -csp “Microsoft Strong Cryptographic Provider” with certutil -importpfx to ensure that the key is recovered in the appropriate format.
Comments: