Retired Microsoft Blog disclaimer

This directory is a mirror of the retired "Windows PKI Team" TechNet blog and is provided as is. All posting authorship and copyrights belong to their respective authors.
Original URL: https://blogs.technet.microsoft.com/pki/2012/01/23/efs-certificates-may-be-recovered-as-cng-certificates-when-capi-csp-is-required/
Post name: EFS Certificates may be recovered as CNG certificates when CAPI CSP is required
Original author: Kurt L Hudson MSFT
Posting date: 2012-01-23T14:07:32+00:00


If a Key Recovery Agent (KRA) certificate is stored in a Cryptography Next Generation (CNG) Key Service Provider (KSP), the certutil -RecoverKey command will by default recover a key as a CNG certificate. This default behavior could cause an issue if you are recovering a Rivest, Shamir and Adleman (RSA) key for the Encrypting File System (EFS). EFS supports KSPs only for Elliptic Curve Diffie-Hellman (ECDH) keys.

A workaround for this problem is to specify the switch -csp "Microsoft Strong Cryptographic Provider" with certutil -importpfx to ensure that the key is recovered in the appropriate format.
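The workaround as a command sequence, followed by a check that the imported key actually landed in the CAPI CSP. This is an added example, not part of the original post; the file names, the serial-number placeholder, the use of the per-user store (-user) and the "Provider =" line in certutil -store output are assumptions.

```powershell
# Added example (not from the original post). All values below are
# placeholders or constructed names; replace them for your environment.
$Serial = '<serial-number-of-archived-EFS-certificate>'  # placeholder
$Blob   = 'efs-user.blob'   # constructed name: recovery blob retrieved from the CA
$Pfx    = 'efs-user.pfx'    # constructed name: output of the key recovery
$Csp    = 'Microsoft Strong Cryptographic Provider'

function Assert-CertutilOk([string]$Step) {
    # certutil returns a non-zero exit code on failure
    if ($LASTEXITCODE -ne 0) { throw "$Step failed (exit code $LASTEXITCODE)" }
}

# 1. Run as the Key Recovery Agent: decrypt the blob into a PFX.
#    With a KRA key held in a KSP, this step is where the CNG default comes from.
certutil -recoverkey $Blob $Pfx
Assert-CertutilOk 'certutil -recoverkey'

# 2. Run as the EFS user (assumption: the per-user store is the target):
#    import the PFX and force the private key into the legacy CAPI CSP.
certutil -user -csp $Csp -importpfx $Pfx
Assert-CertutilOk 'certutil -importpfx'

# 3. Verify: dump the certificate from the user's My store and read the
#    provider that now holds its private key.
$dump = certutil -user -store My $Serial
Assert-CertutilOk 'certutil -store'

$providerLines = $dump | Select-String -Pattern '^\s*Provider\s*='
if (-not $providerLines) {
    Write-Warning 'No "Provider =" line found; the certificate may have no associated private key.'
}
elseif ($providerLines.Line -match [regex]::Escape($Csp)) {
    Write-Output "Private key is stored in '$Csp'; usable by EFS for RSA."
}
else {
    # Any other provider (for example a KSP) means the import did not use -csp
    Write-Warning "Unexpected provider: $($providerLines.Line.Trim())"
}

# 4. Delete the PFX once the import is verified; it contains the private key.
Remove-Item -LiteralPath $Pfx
```

Steps 1 and 2 normally run under different accounts (the KRA and the EFS user), so in practice the script is split at that point and the PFX is transferred between them.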

