Getting rid of my Certification Authority

justmark

We don't really use this anyway, although some people did, in the past. I have to decommission the hardware on which the CA lives and for the near-term, have decided to just not establish another.

I have a couple of questions: First of all, if somebody, somewhere, has an encrypted folder (they all swear they don't, but I can't go poking around to make sure), will they lose access to their files or will their files simply become unencrypted when I decommission the CA?

Secondly, when I look at issued certificates, I see some of my servers - most notably, my DCs. I don't know exactly why they've requested certificates, but what will happen to them if I decommission the CA?

Thanks for any advice!

Mark
Brian Komar (MVP)

inline...

"justmark" <justmark@discussions.microsoft.com> wrote in message news:FEC616FF-D1C7-4242-96F8-9CE86F03E978@microsoft.com...

> We don't really use this anyway, although some people did, in the past. I have to decommission the hardware on which the CA lives and for the near-term, have decided to just not establish another.
> I have a couple of questions: First of all, if somebody, somewhere, has an encrypted folder (they all swear they don't, but I can't go poking around to make sure), will they lose access to their files or will their files simply become unencrypted when I decommission the CA?

If decommissioned, and you have not maintained the KRA certificate and private key or the DRA certificate and private key, they are out of luck. Decommissioning a CA does not decrypt files.

> Secondly, when I look at issued certificates, I see some of my servers - most notably, my DCs. I don't know exactly why they've requested certificates, but what will happen to them if I decommission the CA?

They will fail for LDAP/SSL connections. You should remove all of the DC certs:

    certutil -dcinfo DELETEALL

> Thanks for any advice!
> Mark
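Because DELETEALL is irreversible and, as Brian says, breaks LDAP/SSL on every DC that was relying on a CA-issued certificate, a practitioner would want to see what is there and what will break before running it. The script below is an added example, not Brian's or Microsoft's code. It assumes a domain-joined Windows host with certutil.exe, a domain-admin session, and a placeholder domain name (`corp.example`) that you replace with yours; the read-only `certutil -dcinfo` and `Verify` passes and the per-domain repetition follow Brian's description, the LDAPS port check is my addition.

```powershell
# Added example: inventory DC certificates and LDAPS exposure before removing them.
# Assumes certutil.exe, a domain-joined host and domain-admin rights.
# "corp.example" is a placeholder domain name.

$Domain = "corp.example"   # placeholder: replace with the DNS name of the domain

# 1. Read-only: list every DC in the domain and the certificates each one holds.
Write-Host "== DC certificate inventory for $Domain =="
certutil -dcinfo $Domain

# 2. Still read-only: validate each DC certificate (chain, revocation) and
#    report problems without changing anything.
Write-Host "== Verification pass (read-only) =="
certutil -dcinfo $Domain Verify

# 3. Record which DCs currently answer on LDAPS (TCP 636). These are the
#    services that will stop working once their certificates are gone.
$ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList "Domain", $Domain
$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx).DomainControllers
foreach ($dc in $dcs) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($dc.Name, 636)
        Write-Host ("{0}: LDAPS listening (will break after DeleteAll)" -f $dc.Name)
    } catch {
        Write-Host ("{0}: LDAPS not reachable" -f $dc.Name)
    } finally {
        $client.Close()
    }
}

# 4. Only after reviewing the output above: remove the DC certificates.
#    Repeat steps 1-4 once per domain in the forest, from a member of that
#    domain (it does not have to be the CA), as Brian notes.
$answer = Read-Host "Type DELETE to run 'certutil -dcinfo $Domain DeleteAll'"
if ($answer -ceq "DELETE") {
    certutil -dcinfo $Domain DeleteAll
} else {
    Write-Host "No changes made."
}
```

Run it once per domain; the confirmation prompt is deliberate so the destructive step never executes on a copy-paste.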

 
justmark

"Brian Komar (MVP)" wrote:

inline...

> If decommissioned, and you have not maintained the KRA certificate and private key or the DRA certificate and private key, they are out of luck.
> Decommissioning a CA does not decrypt files.

Okay, then is there a way I can test this? For instance, can I stop a CA service on the server to "simulate" removal of the CA? Something that I can test and then if somebody screams (unlikely, but you never know), I can just turn it back on and dig in further to help them get their stuff unencrypted?

> They will fail for LDAP/SSL connections. You should remove all of the DC certs
> certutil -dcinfo DELETEALL

Running this on the CA will remove them and I'll be okay?

Thanks for the help,

Mark
Brian Komar (MVP)

You could just stop the service to simulate the removal.

And yes, you can run the command from the CA.

If there are multiple domains, the command must be run on one domain member (does not have to be a CA) as a member of that domain, for each domain.

Brian

"justmark" <justmark@discussions.microsoft.com> wrote in message news:5997212A-30DB-43B3-BAC9-69A6C872972D@microsoft.com...

> "Brian Komar (MVP)" wrote:
>
> inline...
>
>> If decommissioned, and you have not maintained the KRA certificate and private key or the DRA certificate and private key, they are out of luck.
>> Decommissioning a CA does not decrypt files.
>
> Okay, then is there a way I can test this? For instance, can I stop a CA service on the server to "simulate" removal of the CA? Something that I can test and then if somebody screams (unlikely, but you never know), I can just turn it back on and dig in further to help them get their stuff unencrypted?
>
>> They will fail for LDAP/SSL connections. You should remove all of the DC certs
>> certutil -dcinfo DELETEALL
>
> Running this on the CA will remove them and I'll be okay?
>
> Thanks for the help,
> Mark
justmark

Thanks Brian!

Mark

"Brian Komar (MVP)" wrote:

> You could just stop the service to simulate the removal.
> And yes, you can run the command from the CA.
> If there are multiple domains, the command must be run on one domain member (does not have to be a CA) as a member of that domain, for each domain.
> Brian
justmark

Hi Brian,

Just a followup question on this - I've turned off the CA service, but from what I see, nothing has changed. Before doing that, I'd created a folder on my desktop on my PC and put one file into it. I then encrypted the folder. That's still encrypted and I can still open it. I went to the CA manager and revoked (cease of operation) my new certificate (before I killed the service).

I'm just wondering how long I should expect it to take to show some reaction to all of this? I want to test getting rid of my CA entirely but need to be sure that if somebody actually has an encrypted folder, they'll know - then I'll just turn the service back on and deal with it. But if what I've done so far has no effect, I can't be sure about any of this.

Any advice would be very much appreciated!

Thanks,

Mark

"Brian Komar (MVP)" wrote:

> You could just stop the service to simulate the removal.
> And yes, you can run the command from the CA.
> If there are multiple domains, the command must be run on one domain member (does not have to be a CA) as a member of that domain, for each domain.
> Brian
Paul Adare

On Wed, 30 Apr 2008 07:49:01 -0700, justmark wrote:

> Hi Brian,
>
> Just a followup question on this - I've turned off the CA service, but from what I see, nothing has changed. Before doing that, I'd created a folder on my desktop on my PC and put one file into it. I then encrypted the folder. That's still encrypted and I can still open it. I went to the CA manager and revoked (cease of operation) my new certificate (before I killed the service).
>
> I'm just wondering how long I should expect it to take to show some reaction to all of this? I want to test getting rid of my CA entirely but need to be sure that if somebody actually has an encrypted folder, they'll know - then I'll just turn the service back on and deal with it. But if what I've done so far has no effect, I can't be sure about any of this.
>
> Any advice would be very much appreciated!

A couple of things here. First of all, have you checked to see if any EFS certificates have actually been issued in the first place? Just because you have or had a CA up and running, that does not mean that it has issued any EFS certificates.

Secondly, if you have issued EFS certificates, are they based on the default version 1 Basic EFS certificate template? If so then you really don't need to worry about the CA being available, as you won't have the private key of any issued certificates archived.

Thirdly, you need to understand how revocation works with EFS. The only time that EFS will check for certificate revocation is when one is trying to share an EFS encrypted file with another user. EFS will check to see whether or not that user's certificate has been revoked. If it has been, you won't be able to share the encrypted file with that user. If you revoked your EFS certificate you will be able to use it to encrypt new content as long as it is still time valid, and you'll be able to use it to decrypt existing content forever.

You seem to be under the impression that there is a close tie-in with a CA and EFS, and there really is not.

--

Paul Adare

http://www.identit.ca

Computer problems? Have you checked the loose nut in front of the keyboard?
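Paul's first two points are answerable from the CA database and from the workstations, and his third (revocation does not stop decryption; the private key in the user's store is what matters) is what you want to confirm before the CA goes. The script below is an added example, not Paul's or Brian's code. It assumes certutil.exe and cipher.exe on Windows, a placeholder CA config string (`CAHOST\Corp-Issuing-CA`) that you replace with `<server>\<CA common name>`, and that the v1 Basic EFS template is stored under its internal name `EFS` in the CA database; disposition 20 is "issued" and 21 is "revoked".

```powershell
# Added example: confirm what the CA issued against the Basic EFS template and
# find EFS-encrypted files and keys on a workstation. Assumes certutil.exe and
# cipher.exe; the CA config string is a placeholder.

$CAConfig = "CAHOST\Corp-Issuing-CA"   # placeholder: "<server>\<CA common name>"

# 1. Read-only CA database query: issued (Disposition=20) certificates based
#    on the v1 "Basic EFS" template, whose internal template name is "EFS".
#    If this returns nothing, the CA never issued an EFS certificate.
Write-Host "== Issued Basic EFS certificates =="
certutil -config $CAConfig -view -restrict "CertificateTemplate=EFS,Disposition=20" `
    -out "RequestID,RequesterName,NotBefore,NotAfter"

# 2. Revoked (Disposition=21) EFS certificates. Per Paul, revocation only
#    blocks sharing a file with that user; the holder can still decrypt.
Write-Host "== Revoked Basic EFS certificates =="
certutil -config $CAConfig -view -restrict "CertificateTemplate=EFS,Disposition=21" `
    -out "RequestID,RequesterName,NotAfter"

# 3. On a workstation, as the user: list EFS-encrypted files on local drives.
#    /n prevents cipher from touching keys, so this is read-only.
Write-Host "== Encrypted files on this machine (cipher /u /n) =="
cipher /u /n

# 4. Same check scoped to the user's profile, where encrypted folders usually
#    live, using the Encrypted file attribute.
$encrypted = Get-ChildItem -Path $env:USERPROFILE -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0 }
Write-Host ("== {0} encrypted file(s) under {1} ==" -f @($encrypted).Count, $env:USERPROFILE)
$encrypted | Select-Object -ExpandProperty FullName

# 5. The user's own certificate store. An EFS certificate listed here with
#    its private key is what decrypts their files; the CA is not consulted.
Write-Host "== Current user's personal certificate store =="
certutil -user -store My
```

Steps 1 and 2 run once against the CA; steps 3 to 5 run on each workstation in the context of the user whose files you care about, since EFS keys live in that user's profile. A user who shows no encrypted files and no EFS certificate with a private key has nothing to lose when the CA is removed; a user who shows encrypted files should back up their EFS certificate and key (certificate export with the private key) before the CA server is decommissioned, because with a v1 Basic EFS template there is no archived copy on the CA to recover.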

 
justmark

"Paul Adare" wrote:

> A couple of things here. First of all, have you checked to see if any EFS certificates have actually been issued in the first place? Just because you have or had a CA up and running, that does not mean that it has issued any EFS certificates.

Hi Paul!

Well, my CA snapin tells me that I've issued several Basic EFS (EFS) certificates to some of my users. They're assuring me that they have no encrypted files anymore. I also have several Domain Controller certificates.

> Secondly, if you have issued EFS certificates, are they based on the default version 1 Basic EFS certificate template? If so then you really don't need to worry about the CA being available, as you won't have the private key of any issued certificates archived.

I think what you're asking is what I'm seeing - Basic EFS (EFS) is the type issued in my Issued Certificates. I created a test folder on my PC and encrypted the contents and it generated another of these for me. Admittedly, I don't know much about this - the reason I'm asking such questions - the whole process concerns me because two years ago (before my time so I don't know the details) one of our users had encrypted files and something happened and she was never again able to access them. When I remove the CA and decommission this server, I don't want that to happen to me :-(

> Thirdly, you need to understand how revocation works with EFS. The only time that EFS will check for certificate revocation is when one is trying to share an EFS encrypted file with another user. EFS will check to see whether or not that user's certificate has been revoked. If it has been, you won't be able to share the encrypted file with that user. If you revoked your EFS certificate you will be able to use it to encrypt new content as long as it is still time valid, and you'll be able to use it to decrypt existing content forever.
>
> You seem to be under the impression that there is a close tie-in with a CA and EFS, and there really is not.

You're right - I'm worried about this whole process and not sure how it ties together. I need to get rid of the server hosting the CA and need to clean up anything in AD related to this CA's existence. If I just go in and uninstall the CA and do a cleanup, I want to be sure that I won't cause a problem.

From what I hear, you don't think I'll have any issues?

Thanks,

Mark