Any way to switch between 2 certs issued by the same CA/template?

Oct 29, 2008 at 10:45 PM
I'd like to be able to use this tool to change the actively used cert but both certs have been issued by the same CA and use the same template.

Any way to do that?
Coordinator
Nov 27, 2008 at 8:50 PM
Thanks for asking, lalkin.  What reason would you have to change the actively used cert, if they're so similar?  Soon before the actively-used certificate expires, Windows will automatically renew it with either the same template or a superseding template.

However, if there's another reason to change the actively used cert (e.g. you want to enforce stronger RSA keys, you want to shorten/lengthen the validity period of the active cert, or something else we can measure), let's dig into it and we should be able to figure out a way to implement it.

I'd like to help if I can, but if the certs are truly "identical" it could be hard to figure out how to target one vs. another automatically.

Cheers, Mike
Nov 28, 2008 at 6:04 AM
I'm working on designing workflow for EFS tasks and one of them is the replacement of a cert in case the private key is compromised. Thus we would be issuing a new cert from the same CA.

Having worked with this tool (and EFS itself) for a bit now I've run into a couple other things.

First, this tool seems to require admin access in Vista (it activates the UAC). That prevents a non-admin from using the tool.

Second, it would be nice if there was a way to have the tool (or a sister tool) list the available certs in the user's personal store. It would need to show the cert's thumbprint probably in addition to CA and template to distinguish similar certs. Then if the tool would let you choose one of the displayed certs to use, it would let one interactively control it.

I realize this is not really the intended purpose of the tool (which is to migrate from self signed certs to CA issued ones I believe) but it would help make the tool a more general purpose EFS cert tool. Which is what I'm looking for I guess. =)

Thanks a lot for the work involved in this tool. We are using it here (Portland State University) and I was very happy when I found it!
Coordinator
Nov 28, 2008 at 4:37 PM
Thanks for your feedback lalkin - this definitely helps me understand where you're headed, and where to aim more code improvements on my end.

Based on the scenario you're targeting, would it be fair to assume that the newest certificate from the same CA would be the one you'd like to see in the user's EFS configuration?  If we can make that assumption ("always use the newest qualifying cert"), I should be able to implement an extension to the logic that builds a collection of all qualifying certs, and chooses the one with the furthest-out Expiration Date.

I haven't done much testing of this tool on Vista, so to be honest I wasn't even thinking about UAC elevation problems.  I'll add that to my bug list, and add some trace logging to the areas where that might be occurring.

Currently the trace logging (at least in the v1.2 code) will list the certs that are being examined (including Friendly Name, Subject and Thumbprint), but it sounds like you don't just want an after-the-fact set of details logged, but want an interactive experience for end users to manually override the tool's potential selection.  I'll write up a feature description in the Issue Tracker - would you please add as much detail as you can think of to describe how you'd like the tool to behave (and how you'd like the end user to be guided)?  I'm not guaranteeing I'll be able to make the UI jump through the hoops necessary (I'm not exactly a coding guru), but I'll do my best to achieve the goals you're after.

Glad you're finding this useful - that was my secret hope, that someone would actually be willing/able to put this into production!  Sounds like we're pretty close to that goal.
Dec 4, 2008 at 5:26 PM
If the utility defaulted to the newest certificate, that would take care of most situations I've come up with. I'm thinking using the Valid From property might be better than the expiration date. Expiration date would be fine as well, whichever is easier to grab.

With the above implemented the interactive feature would be less needed for me but still would be a nifty feature.

Thanks!
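The two selection rules discussed above (the coordinator's "furthest-out expiration" and lalkin's "newest Valid From"), as an added example that is not the tool's own code. It models cert metadata with constructed values; the field names mirror the .NET X509Certificate2 properties, and the sample store is made up to show the one case where the two rules disagree: a replacement cert issued after a key compromise that nonetheless expires sooner than the cert it supersedes (for instance because the issuing CA's own certificate expires first).

```python
from dataclasses import dataclass
from datetime import datetime

EFS_EKU_OID = "1.3.6.1.4.1.311.10.3.4"  # Encrypting File System EKU (real OID)

@dataclass(frozen=True)
class CertRecord:
    # Field names mirror the X509Certificate2 properties the tool would read;
    # template is the name taken from the certificate template extension.
    thumbprint: str
    issuer: str
    template: str
    not_before: datetime   # "Valid From"
    not_after: datetime    # expiration
    ekus: tuple
    has_private_key: bool

def qualifying(certs, issuer, template, now):
    """Certs worth considering: same CA and template, EFS EKU present,
    currently time-valid, and backed by a private key the user holds."""
    return [c for c in certs
            if c.issuer == issuer and c.template == template
            and EFS_EKU_OID in c.ekus and c.has_private_key
            and c.not_before <= now <= c.not_after]

def pick_by_expiration(certs, issuer, template, now):
    """Coordinator's rule: furthest-out expiration wins (None if no match)."""
    pool = qualifying(certs, issuer, template, now)
    return max(pool, key=lambda c: (c.not_after, c.not_before)).thumbprint if pool else None

def pick_by_issue_date(certs, issuer, template, now):
    """lalkin's rule: most recent Valid From wins (None if no match)."""
    pool = qualifying(certs, issuer, template, now)
    return max(pool, key=lambda c: (c.not_before, c.not_after)).thumbprint if pool else None

# Constructed sample store (every value below is made up for this example).
# The second CA cert was issued after the first key was reported compromised,
# but the issuing CA's own certificate expires in mid-2009, so the replacement
# expires earlier than the cert it is meant to supersede.
CA = "CN=Example Issuing CA"
SAMPLE_STORE = (
    CertRecord("OLD-EFS-CERT-THUMBPRINT", CA, "EFS", datetime(2007, 11, 1), datetime(2009, 11, 1), (EFS_EKU_OID,), True),
    CertRecord("NEW-EFS-CERT-THUMBPRINT", CA, "EFS", datetime(2008, 11, 28), datetime(2009, 6, 30), (EFS_EKU_OID,), True),
    CertRecord("SELF-SIGNED-THUMBPRINT", "CN=lalkin", "", datetime(2006, 1, 1), datetime(2106, 1, 1), (EFS_EKU_OID,), True),
    CertRecord("EXPIRED-THUMBPRINT", CA, "EFS", datetime(2005, 1, 1), datetime(2007, 1, 1), (EFS_EKU_OID,), True),
)
NOW = datetime(2008, 12, 4)

if __name__ == "__main__":
    print("by expiration:", pick_by_expiration(SAMPLE_STORE, CA, "EFS", NOW))  # OLD cert
    print("by issue date:", pick_by_issue_date(SAMPLE_STORE, CA, "EFS", NOW))  # NEW cert
```

In the compromised-key scenario the re-issued cert is the one that must become active, which is why ordering by Valid From gives the intended answer here while ordering by expiration silently keeps the compromised one.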