Core Infrastructure and Security Blog

EFS Certificates may be recovered as CNG certificates when CAPI CSP is required

NoMoePwds (Microsoft)
Jan 24, 2020

First published on TECHNET on Jan 23, 2012

If the Key Recovery Agent (KRA) certificate is stored in a Cryptography Next Generation (CNG) Key Storage Provider (KSP), the certutil -RecoverKey command will by default recover the archived key as a CNG certificate. This default causes a problem when the key being recovered is a Rivest, Shamir and Adleman (RSA) key for the Encrypting File System (EFS): EFS supports KSPs only for Elliptic Curve Diffie-Hellman (ECDH) keys, so an RSA key recovered into a KSP cannot be used by EFS.

A workaround for this problem is to specify the switch -csp "Microsoft Strong Cryptographic Provider" with certutil -importpfx when importing the recovered PFX file, so that the key is placed in the legacy CAPI cryptographic service provider (CSP) format that EFS expects.
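The following PowerShell script is an added example and is not part of the original post or of certutil's documentation: it walks through the recovery procedure described above (retrieve the archived key blob, decrypt it to a PFX, import the PFX with the CAPI CSP pinned) and then checks which provider ended up holding the private key. The search token, file paths, PFX password and the helper name Test-CapiProvider are assumptions chosen for illustration.

```powershell
# Added example (not from the original post): recover an archived EFS RSA key
# and force the legacy CAPI CSP at import time so EFS can use it.
# Run this where the KRA certificate and private key are installed.
# Assumptions (constructed placeholders, not values from the post):
#   $SearchToken, the temp file paths and $PfxPassword are made up.

$ErrorActionPreference = 'Stop'

$SearchToken  = 'user@example.com'              # hypothetical: UPN, serial number or hash accepted by certutil -GetKey
$BlobFile     = Join-Path $env:TEMP 'efs-recovery.rec'
$PfxFile      = Join-Path $env:TEMP 'efs-recovered.pfx'
$PfxPassword  = 'Recovery-Pa55w0rd'              # constructed sample password
$CapiProvider = 'Microsoft Strong Cryptographic Provider'

# 1. Retrieve the archived key recovery blob from the CA database.
certutil -GetKey $SearchToken $BlobFile

# 2. Decrypt the blob with the KRA private key into a password-protected PFX.
#    When the KRA key lives in a KSP, certutil defaults to recovering the key
#    as a CNG key, which EFS cannot use for RSA.
certutil -p $PfxPassword -RecoverKey $BlobFile $PfxFile

# 3. Import into the current user's store, pinning the CAPI CSP as the post describes.
certutil -user -p $PfxPassword -csp $CapiProvider -importpfx $PfxFile

# 4. Verify that the imported private key is held by a CAPI provider, not a KSP.
#    Test-CapiProvider is a hypothetical helper name for this example.
function Test-CapiProvider {
    param([Parameter(Mandatory)][string]$Thumbprint,
          [string]$ExpectedProvider = $CapiProvider)

    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if ($null -eq $cert) { return $false }

    # On Windows PowerShell (.NET Framework), X509Certificate2.PrivateKey is
    # populated only for CSP-backed keys; CNG-backed keys return $null here.
    $key = $cert.PrivateKey
    if ($null -eq $key) { return $false }
    return ($key.CspKeyContainerInfo.ProviderName -eq $ExpectedProvider)
}

# Read the thumbprint out of the recovered PFX so the check targets the right certificate.
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxFile, $PfxPassword)
if (Test-CapiProvider -Thumbprint $pfx.Thumbprint) {
    Write-Host "Key $($pfx.Thumbprint) is held by '$CapiProvider'; EFS can use it."
} else {
    Write-Warning "Key $($pfx.Thumbprint) is not in the expected CAPI CSP; re-import with -csp."
}

# Clean up the plaintext-recoverable material once the key is in the store.
Remove-Item $BlobFile, $PfxFile -ErrorAction SilentlyContinue
```

The provider check matters because a failed import looks identical to a successful one in the certificate MMC: the certificate and "You have a private key" marker both appear, but EFS silently ignores an RSA key that sits in a KSP. Deleting the recovery blob and PFX afterwards keeps the recovered private key from lingering on disk outside the protected store.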

Updated Feb 21, 2020
Version 3.0