Using the Correct Certificate Template for Client Certificates - 24 May 2007

Q: Can Encrypting File System (EFS) certificates and Web application client certificates conflict with one another? In our environment, we use EFS to secure the My Documents folder on laptops. We also have a key business partner whose extranet requires some of our users to install a client certificate for secure Web-based access to logistics information. One such user’s client certificate recently expired, so I deleted it and requested a new one from our business partner’s Certification Authority (CA). After the CA issued the new certificate, I installed it on the user’s workstation and everything appeared to be working fine. A short time later, however, I received a call from the user saying that he couldn’t access his encrypted My Documents folder. I knew I hadn't deleted the user’s EFS certificate, and I quickly confirmed that by using the Microsoft Management Console (MMC) Certificates snap-in. Luckily, we were able to recover the user’s files using the EFS Recovery Agent certificate. Apparently, the client certificate—rather than the EFS certificate that we provide through the domain—had encrypted the user's files. Is that possible, and if so, why? Aren’t certificate templates supposed to define what purposes a certificate can be used for?

A: It is possible for the client certificate to encrypt user files, and you're on the right track by thinking about certificate templates. Certificate templates define how a certificate can be used and should prevent what happened in your situation if used correctly. Windows workstations automatically request EFS certificates for users based on the Basic EFS template for protecting encrypted files. The only purpose the Basic EFS template allows is EFS certificate creation.

In your case, I think your business partner issued the user a certificate based on the User certificate template instead of the Authenticated Session certificate template. The User certificate template includes EFS, secure email, and client authentication among its purposes. After this certificate was installed, the workstation had two viable EFS certificates and began encrypting new files using your business partner’s EFS certificate. If any files on the workstation were created before you installed the new certificate, the user still would have been able to access them, even after you deleted the expired certificate.

There are two lessons to be learned from this situation. First, make sure you define data recovery agent certificates via Group Policy and back them up every time you use EFS. Second, administrators should avoid using the User certificate template to secure Web-based applications, especially for outside business partners such as your user. Instead, ask your business partners to issue certificates based on the Authenticated Session certificate template, which doesn't include EFS as one of its purposes. I also recommend looking into BitLocker Drive Encryption, which is a new feature in Windows Vista. I think BitLocker is far superior to EFS as an encryption solution for most laptop encryption needs. For more information about BitLocker, see the "Windows IT Pro" articles "Vista's BitLocker Drive Encryption," June 2007, InstantDoc ID 95673 and "Security Annoyances," February 2007, InstantDoc ID 94414.

For more information about EFS, see the "Windows IT Security" article "Take a Closer Look at EFS," September 2005, InstantDoc ID 47175. To read more about certificates, see the "Windows IT Security" article "Sharing Information Securely," October 2005, InstantDoc ID 47625.