User Certificates

Certificates with an object identifier of in the Enhanced Key Usage field of the certificates are valid for EFS user operations. If an enterprise CA is available, EFS automatically requests an EFS certificate for users the first time that they encrypt a file or a folder. When the request is approved, the certificate is issued and placed in the user's personal certificate store. If no CA is available, EFS generates an EFS certificate and places it in the user's personal certificate store. EFS operations require users to have a valid EFS certificate in their personal certificate store. If the EFS user certificate has expired, EFS ensures that a new certificate is issued for the user with a new public key pair the next time an EFS operation is performed for that user.

You can deploy Certificate Services to issue and manage certificates for EFS users. Certificates that are issued by enterprise CAs are based on certificate templates Certificate templates are stored in Active Directory, and define the attributes of certificate types to be issued to users and computers. There are many certificate templates, but only the following three certificate types support EFS user operations:

  • User

  • Administrator

  • Basic EFS

When a user has a valid certificate of one of these types, EFS uses it for EFS operations. Administrator and user certificates combine a number of certificate uses in one certificate, including EFS. A basic EFS certificate can be used for EFS operations only.

Enterprise CAs use ACLs for certificate templates to determine whether to approve certificate requests. By default, members of the Domain Admins and Domain Users security groups have Enroll permission for basic EFS certificates and user certificates. By default, members of the Domain Admins and Enterprise Admins security groups have Enroll permission for administrator certificates.

For more information about certificate templates, see "Windows 2000 Certificate Services and Public Key Infrastructure" in this book.