Using a Certificate Authority for the Encrypting File Service

Article ID: 223338
This article was previously published under Q223338


The Encrypting File System (EFS) is a feature of Windows 2000 that allows users to encrypt data directly on volumes that use the NTFS file system. It operates by using certificates based on the X.509 standard. If no Certificate Authority (CA) is available from which to request certificates, the EFS subsystem automatically generates its own self-signed certificates for users and default recovery agents.

There are several circumstances in which an organization may want to implement Certificate Authorities, as opposed to allowing EFS to generate its own self-signed certificates.


The following are some reasons why an organization might want to use a Certificate Authority for EFS certificate generation:
  • More flexible EFS recovery management. With a Certificate Authority infrastructure, it is possible for an organization to issue specific recovery certificates for dedicated recovery computers, rather than to domain controllers.
  • Centralized certificate management. Administrators can control the lifetime of issued EFS certificates, and can publish certificate revocation lists to control how long recovery certificates are valid.
  • Scalability. Certificate Authorities can be distributed throughout an organization, providing their own set of templates that define the types of certificates that can be issued at each level.
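
The following is an added example, not part of the original article: a PowerShell inventory that lists certificates carrying the EFS or File Recovery enhanced key usage, flags the self-signed ones that EFS generated without a CA, and shows their remaining lifetime. It assumes PowerShell 3.0 or later (not available on Windows 2000 itself); the function names are hypothetical.

```powershell
# Added example: inventory EFS-capable certificates and flag self-signed ones.
# Assumption: Windows PowerShell 3.0+ on the machine being audited.
$EfsOid      = '1.3.6.1.4.1.311.10.3.4'    # Encrypting File System EKU
$RecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'  # File Recovery EKU

# Hypothetical helper: return the EKU OID strings of one certificate.
function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oid.Value }
        }
    }
}

# Hypothetical helper: one report row per EFS or recovery certificate in a store.
function Get-EfsCertificateReport {
    param([string]$StorePath = 'Cert:\CurrentUser\My')
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $ekus = @(Get-EkuOids -Cert $cert)
        $role = $null
        if ($ekus -contains $EfsOid)      { $role = 'EFS user' }
        if ($ekus -contains $RecoveryOid) { $role = 'Recovery agent' }
        if (-not $role) { continue }      # not an EFS-related certificate

        # Identical subject and issuer names mark a self-signed certificate.
        # The signature itself is not verified here.
        $selfSigned = [System.BitConverter]::ToString($cert.SubjectName.RawData) -eq
                      [System.BitConverter]::ToString($cert.IssuerName.RawData)

        [pscustomobject]@{
            Role          = $role
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            SelfSigned    = $selfSigned
            NotAfter      = $cert.NotAfter
            DaysRemaining = [int]($cert.NotAfter - (Get-Date)).TotalDays
            Thumbprint    = $cert.Thumbprint
        }
    }
}

# Self-signed certificates first: these are the ones a CA rollout would replace.
Get-EfsCertificateReport | Sort-Object SelfSigned -Descending | Format-Table -AutoSize
```
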
For additional information about EFS, see "Step-by-Step Guide to Encrypting File System (EFS)" on the following Microsoft Web site:


Article ID: 223338 - Last Review: October 26, 2007 - Revision: 3.4
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition