EFS Certificates may be recovered as CNG certificates when CAPI CSP is required

First published on TECHNET on Jan 23, 2012

If a Key Recovery Agent (KRA) certificate is stored in a Cryptography Next Generation (CNG) Key Service Provider (KSP), the certutil -RecoverKey command will by default recover a key as a CNG certificate. This default behavior could cause an issue if you are recovering a Rivest, Shamir and Adleman (RSA) key for the Encrypting File System (EFS). EFS supports KSPs only for Elliptic Curve Diffie-Hellman (ECDH) keys.
A workaround for this problem is to specify the switch -csp "Microsoft Strong Cryptographic Provider" with certutil -importpfx to ensure that the key is recovered in the appropriate format.
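The following PowerShell session is an added example, not part of the original post, that walks the recovery procedure end to end: retrieve the archived key blob from the CA, recover it to a PFX with the KRA, and then import the PFX while forcing the CAPI CSP named above. The file names, the password, and the serial number used as the search token are placeholders, and the final check (reading the provider name from the imported certificate's private key) is an addition to confirm the key did not land in a CNG KSP.

```powershell
# Placeholder values (assumptions for this example, not from the original post)
$SearchToken  = "<serial-or-thumbprint-of-the-EFS-cert>"   # what certutil -GetKey searches for
$BlobFile     = "$env:TEMP\efs-recovery.blob"
$PfxFile      = "$env:TEMP\efs-recovered.pfx"
$PfxPassword  = "<recovery-pfx-password>"
$CapiProvider = "Microsoft Strong Cryptographic Provider"  # the CSP named in the workaround

# 1. Pull the archived key blob for the user's EFS certificate from the CA database.
certutil -GetKey $SearchToken $BlobFile

# 2. Decrypt the blob with the KRA certificate into a password-protected PFX.
#    If the KRA key lives in a CNG KSP this step alone would, on import, yield a CNG key.
certutil -p $PfxPassword -RecoverKey $BlobFile $PfxFile

# 3. Import the PFX into the user's Personal store, forcing the CAPI CSP so that
#    EFS (which only accepts KSPs for ECDH keys) can use the RSA key.
certutil -user -p $PfxPassword -csp $CapiProvider -importpfx $PfxFile

# 4. Check: a CAPI-backed RSA key exposes CspKeyContainerInfo; a CNG key does not.
function Get-EfsKeyProvider {
    param([string]$Thumbprint)
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My |
            Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Certificate $Thumbprint not found in CurrentUser\My" }
    $key = $cert.PrivateKey
    if ($key -and $key.CspKeyContainerInfo) {
        return $key.CspKeyContainerInfo.ProviderName   # expected: Microsoft Strong Cryptographic Provider
    }
    return "CNG (no CAPI CSP container) - EFS cannot use this RSA key"
}

Get-EfsKeyProvider -Thumbprint "<thumbprint-of-the-imported-EFS-cert>"
```

Step 2 and step 3 are separated on purpose: the PFX produced by -RecoverKey is provider-neutral, so the -csp switch belongs on the -importpfx step, which is where the key is actually written into a provider. If the check in step 4 reports a CNG key, delete the imported certificate and repeat step 3 with the -csp switch; recovering the blob again is not necessary.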