For EFS to work, the user who encrypts a file must have a valid EFS user certificate, and the current EFS recovery policy must specify at least one valid recovery agent certificate. If a Windows 2000 enterprise CA is available, EFS requests certificates from it, but EFS does not require a CA to issue certificates. If an enterprise CA is not available, EFS automatically issues its own self-signed certificates to users and to the default recovery agent accounts.
Certificates that EFS generates are self-signed rather than signed by a CA. Therefore, the certification path is the same as for root CA certificates, which are also self-signed. Windows 2000 identifies self-signed EFS certificates as "not trusted" because the issuing authority (the certificate itself) has no certificate in the Trusted Root Certification Authorities store. Nevertheless, self-signed EFS certificates are valid for use by EFS. For more information about the certification path, see "Windows 2000 Certificate Services and Public Key Infrastructure" in this book.
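The following script is an added example, not part of the Resource Kit text, showing how an administrator can inventory the EFS and file-recovery certificates in the current user's personal store, tell self-signed ones apart from CA-issued ones, and see the exact chain status ("UntrustedRoot") that makes Windows report a self-signed EFS certificate as "not trusted" even though EFS accepts it. It assumes a Windows host with PowerShell (Windows 2000 itself predates PowerShell) and uses the documented Microsoft EKU object identifiers for EFS (1.3.6.1.4.1.311.10.3.4) and EFS file recovery (1.3.6.1.4.1.311.10.3.4.1).

```powershell
# Added example (not from the Resource Kit). Lists EFS-related certificates in
# Cert:\CurrentUser\My, flags self-signed ones, and builds the certification
# path the same way the Certificates snap-in does so the "not trusted" reason
# is visible. Assumes PowerShell on a modern Windows host.

$EfsEku      = '1.3.6.1.4.1.311.10.3.4'     # Encrypting File System
$RecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'   # EFS file recovery (recovery agent)

function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    # Pull the Enhanced Key Usage extension via .NET so no provider-specific
    # property is needed; returns an array of OID strings (possibly empty).
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($null -eq $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Get-EfsCertificateReport {
    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        $oids = Get-EkuOids -Cert $cert
        if (-not (($oids -contains $EfsEku) -or ($oids -contains $RecoveryEku))) { return }

        # A self-signed certificate names itself as issuer; a CA-issued one names the CA.
        $selfSigned = ($cert.Subject -eq $cert.Issuer)

        # Build the chain exactly as the OS does. A self-signed EFS certificate
        # whose subject is not in the Trusted Root store yields UntrustedRoot.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk = $chain.Build($cert)
        $status  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ','

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Purpose       = if ($oids -contains $RecoveryEku) { 'File Recovery' } else { 'EFS' }
            SelfSigned    = $selfSigned
            ChainTrusted  = $chainOk
            ChainStatus   = if ($status) { $status } else { 'NoError' }
            HasPrivateKey = $cert.HasPrivateKey   # an EFS cert without its key cannot decrypt
            NotAfter      = $cert.NotAfter
        }
    }
}

Get-EfsCertificateReport | Format-Table -AutoSize
```

Read the output as the chapter describes: a row with `SelfSigned = True` and `ChainStatus = UntrustedRoot` is the normal state for a certificate EFS generated itself on a host with no enterprise CA, and EFS still uses it; a row with `Issuer` naming your enterprise CA and `ChainStatus = NoError` is a CA-issued EFS certificate. A file-recovery certificate (`Purpose = File Recovery`) that shows `HasPrivateKey = False` is expected on ordinary workstations when the recovery agent's private key is kept offline, but on the recovery agent's own account it means recovery would fail.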
For more information about certificates, see "Cryptography for Network and Information Security" in this book. For more information about Windows 2000 Certificate Services and CAs, see "Windows 2000 Certificate Services and Public Key Infrastructure" in this book.