Retired Microsoft Blog disclaimer
This directory is a mirror of retired "Windows PKI Team" TechNet blog and is provided as is. All posting authorship and copyrights belong to respective authors.
Original URL:
Post name: EFS Certificates may be recovered as CNG certificates when CAPI CSP is required
Original author: Kurt L Hudson MSFT
Posting date: 2012-01-23T14:07:32+00:00

If a Key Recovery Agent (KRA) certificate is stored in a Cryptography Next Generation (CNG) Key Service Provider (KSP), the certutil -RecoverKey command will by default recover a key as a CNG certificate. This default behavior could cause an issue if you are recovering a Rivest, Shamir and Adleman (RSA) key for the Encrypting File System (EFS). EFS supports KSPs only for Elliptic Curve Diffie-Hellman (ECDH) keys.

A workaround for this problem is to specify the switch -csp “Microsoft Strong Cryptographic Provider” with certutil -importpfx to ensure that the key is recovered in the appropriate format.

Share this article:


Comments are closed.