EFS Certificates may be recovered as CNG certificates when CAPI CSP is required
Published Jan 24 2020 01:57 PM 764 Views

First published on TECHNET on Jan 23, 2012

If a Key Recovery Agent (KRA) certificate is stored in a Cryptography Next Generation (CNG) Key Service Provider (KSP), the certutil -RecoverKey command will by default recover a key as a CNG certificate. This default behavior could cause an issue if you are recovering a Rivest, Shamir and Adleman (RSA) key for the Encrypting File System (EFS). EFS supports KSPs only for Elliptic Curve Diffie-Hellman (ECDH) keys.
A workaround for this problem is to specify the switch -csp “Microsoft Strong Cryptographic Provider” with certutil -importpfx to ensure that the key is recovered in the appropriate format.

Version history
Last update:
‎Feb 21 2020 05:47 AM
Updated by: