Force EFS to use V2 instead of V1 cert?

Oct 21, 2008 at 2:24 PM
Edited Oct 21, 2008 at 2:25 PM

Is there also a way to force EFS to use the V2 certificate if it is installed after a V1 cert?
I tried using your utility in a test environment, and even though it worked perfectly in a situation where a V2 cert was installed after a self-signed cert, it did not do the trick when a V2 cert was installed after a V1 cert.

We are trying to move to a new situation where everyone uses the V2 EFS certificates.

Oct 28, 2008 at 2:34 PM
I have found one rather unorthodox way myself:

1. Make sure you back up the current certs (v1 and v2).
2. Delete the key value in HKCU\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys\CertificateHash.
3. Immediately after that, run the utility "EFS Certificate Configuration Updater" (this tool then looks for the V2 cert and writes that thumbprint in the registry value that was just deleted).
4. Run Cipher /U to update the FEK of all files to the new v2 cert.

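
Before applying the workaround above it helps to know which certificate EFS is currently bound to and whether a V2-template EFS certificate is actually present in the user's store. The following PowerShell script is an added example, not code from the thread or from the EFS Certificate Configuration Updater; it assumes CertificateHash is a REG_BINARY SHA-1 thumbprint, that V1 templates carry the "Certificate Template Name" extension (1.3.6.1.4.1.311.20.2) and V2 templates the "Certificate Template Information" extension (1.3.6.1.4.1.311.21.7), and that the EFS EKU is 1.3.6.1.4.1.311.10.3.4.

```powershell
# Added example: audit the EFS current-key binding before the manual migration.
# Assumptions (not from the thread): CertificateHash is a REG_BINARY SHA-1 thumbprint;
# template-version detection relies on the Microsoft template extension OIDs below.
$regPath  = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
$efsEku   = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU
$v1TplOid = '1.3.6.1.4.1.311.20.2'     # Certificate Template Name  (V1 templates)
$v2TplOid = '1.3.6.1.4.1.311.21.7'     # Certificate Template Information (V2+ templates)

function Get-TemplateKind {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $oids = $Cert.Extensions | ForEach-Object { $_.Oid.Value }
    if ($oids -contains $v2TplOid) { return 'V2' }
    if ($oids -contains $v1TplOid) { return 'V1' }
    if ($Cert.Subject -eq $Cert.Issuer) { return 'SelfSigned' }
    return 'Unknown'
}

# Step 1 of the workaround is backing up the certs (Export-PfxCertificate or certmgr.msc);
# this additionally records the registry value so the old binding can be restored.
$backupDir = Join-Path $env:USERPROFILE 'efs-backup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$raw = (Get-ItemProperty -Path $regPath -Name CertificateHash -ErrorAction SilentlyContinue).CertificateHash
$currentThumb = $null
if ($raw) {
    $currentThumb = ($raw | ForEach-Object { $_.ToString('X2') }) -join ''
    Set-Content -Path (Join-Path $backupDir 'CertificateHash.txt') -Value $currentThumb
}

# List every EFS-capable cert with a private key and flag the one EFS is bound to.
$report = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $efsEku }) } |
    ForEach-Object {
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Kind       = Get-TemplateKind -Cert $_
            NotAfter   = $_.NotAfter
            InUse      = ($_.Thumbprint -eq $currentThumb)
        }
    }
$report | Format-Table -AutoSize

# Only proceed with step 2 (deleting the value) when a usable V2 cert exists and the
# current binding is not already V2; the updater tool and "cipher /u" must follow.
$v2Available = $report | Where-Object { $_.Kind -eq 'V2' -and $_.NotAfter -gt (Get-Date) }
$alreadyV2   = $report | Where-Object { $_.InUse -and $_.Kind -eq 'V2' }
if ($v2Available -and -not $alreadyV2) {
    Write-Host "V2 EFS cert present; safe to run: Remove-ItemProperty -Path '$regPath' -Name CertificateHash"
} else {
    Write-Host 'No V2 EFS cert available, or EFS already uses one; do not delete CertificateHash.'
}
```
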
Nov 23, 2008 at 5:20 PM
Hi Jeoff, thanks for your feedback on this tool. This is one of the easier features for me to implement - much easier than many of the other ideas I'd thought up for this tool. It just took me a little while to find the time to sit down and re-familiarize myself with my code (I was surprised to find out it's been a year since I worked on this), and it meant that (to do this right) I have to implement command-line switches in the tool (so that you can specify whether to enforce the use of v2 certs only).

I hope this will still be useful to you, or at least that if you've already addressed the migration with your workaround (which isn't a bad approach either), maybe you could comment on whether the approach I'm taking would have met your requirements.

Thanks, Mike

Nov 24, 2008 at 9:13 AM
Hi Mike. That would be a great new feature in your tool!
No, we have not migrated our users to the V2 certs yet. It would take a lot more time to do that using my workaround (even if I script the deletion of the registry key, I'd prefer not to do that for all users).

Are you going to release a new version on codeplex?
Anyway thanks a bunch for looking into that!

Nov 28, 2008 at 5:54 PM
Hi Jeoff, yes, I'm working towards a new release on Codeplex to address your suggestion. Unfortunately I've hit a snag - at least on my own system, I'm seeing what looks like some access issue at the moment when I'm trying to actually update the Registry setting with the selected certificate's Hash value.

Would you be willing to try a debug build of the tool and let me know whether you're seeing the same issue, or if it's something isolated to just my system? I really don't feel right about "releasing" a new version of this if the ultimate purpose (updating the registry with a better cert) doesn't succeed, and my only option right now is to do a lot of debugging at home to see if I can find the problem.

Thanks either way,

Nov 30, 2008 at 3:22 AM
Success - v1.2 has been released, and includes a command-line flag for migrating v1 certs as well. Thanks for your interest and responses.

You can grab either the Release build installer or the Debug build zip file here:

Jan 27, 2009 at 3:36 PM
Hi Mike!

With quite a delay I could finally test our new design in a test environment, including your updated utility, and it works great!!
Now we can finally deploy our new PKI design in production.

Thanks a bunch for your help and work on this.