Windows – How to transfer a certificate from one account to another on Windows

Tags: certificate, encryption, windows, windows-server-2012, windows-service

Long story short, I have some configuration files for a tool containing sensitive information and the client wants them encrypted. I want to use EFS for this, but there is a problem: the account doing the installation (and so the encryption) cannot be the same as the one running the tool (the reasons are not important at this point), so here is my question:

Is there a way to transfer a certificate used for decryption from one user to another on the same computer on Windows Server 2012?

Thanks in advance

Best Answer

The easiest way to do what you want is probably to make use of the Encrypted File Sharing option present for EFS-encrypted files.

You can enable EFS file sharing in an encrypted file’s advanced properties, which you can access from the Advanced button on the General tab of a file’s properties. Before you can share an encrypted file, the file must obviously be encrypted. If a file is encrypted, you will notice that the Details button in the file’s Advanced properties becomes available. Pressing this button brings up the “Encryption Details for…” dialog box. (By the way, in Windows Vista this dialog box is titled “User Access to”.) From this dialog box you can share an encrypted file with other users. The sharing of an EFS-encrypted file is not an explicit privilege of the user account that encrypted the file and shared it with another user. For example, Jan may have encrypted the file and decided to share it with Katrien. Katrien, in turn, may then have decided to share it with Wim. The only condition is that the user you want to give access to an encrypted file has a valid EFS certificate that's stored either in the local certificate store on your PC or in Active Directory (if your machine is joined to an AD domain).

Alternately, yes, it is possible to "share" a user's EFS certificate with another user - by copying it between the users' personal certificate stores.

From the Select User dialog box, you can access the EFS user certificates that are stored in the Other People and Trusted People certificate containers of your personal certificate store. The Trusted People container is new in XP and Windows 2003. It contains the EFS certificates of all users that have ever encrypted a file from a particular machine. If your machine is a member of a Windows AD domain, you'll notice that the Find User… button is enabled. Pressing this button lets you access the EFS user certificates that are published in AD. Note that the EFS “Select User” dialog box will display only valid EFS certificates. This means that the certificate must have the “Encrypting File System” purpose enabled in its properties, and also that the certificate must be valid and must not have expired. If you want to share encrypted files with people whose EFS certificate is not available in one of the above repositories, you can always import it manually into AD or your certificate store.
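Both approaches in the answer above (sharing the encrypted file with the other account's EFS certificate, and copying an EFS certificate with its private key between two users' personal stores) can be scripted so the installer does not have to click through the Details dialog. The following PowerShell is an added example written for this page; it is not the answer author's code and not part of the original question. It assumes placeholder names: C:\app\settings.xml is the configuration file and CONTOSO\svc-tool is the account that will run the tool. It relies on cipher.exe and on the PKI module cmdlets (Export-Certificate, Import-Certificate, Export-PfxCertificate, Import-PfxCertificate) that ship with Windows Server 2012.

```powershell
# Added example, not from the original answer. Placeholders (assumptions): C:\app\settings.xml
# is the config file, CONTOSO\svc-tool is the account that will run the tool. Needs the PKI
# module (Windows 8 / Windows Server 2012 or later) and cipher.exe.
$ErrorActionPreference = 'Stop'
$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID for "Encrypting File System"

# Find the current user's usable EFS certificate: EFS EKU present, private key present,
# not expired. These are the same conditions the "Select User" dialog applies.
function Get-MyEfsCertificate {
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and (
            $_.Extensions |
                Where-Object { $_ -is [Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                Where-Object { $_.Value -eq $EfsEku }
        )
    } | Select-Object -First 1
}

# ---- Approach A: share the encrypted file with the other account's EFS certificate ----

# Step A1, run as the account that will run the tool. An EFS certificate only exists once
# the account has encrypted something; "cipher /k" creates one on demand. Only the public
# certificate (.cer) leaves this account.
function Export-EfsPublicCertificate([string]$CerPath) {
    $cert = Get-MyEfsCertificate
    if (-not $cert) {
        cipher.exe /k | Out-Null
        $cert = Get-MyEfsCertificate
    }
    Export-Certificate -Cert $cert -FilePath $CerPath | Out-Null
    $cert.Thumbprint
}

# Step A2, run as the installing account: encrypt the file, then add the other account's
# certificate to it (what the Details / Add... dialog does). Returns $true when "cipher /c"
# lists the added thumbprint among the users who can decrypt the file.
function Grant-EfsFileAccess([string]$FilePath, [string]$CerPath) {
    $attrs = (Get-Item $FilePath).Attributes
    if (($attrs -band [IO.FileAttributes]::Encrypted) -eq 0) {
        [IO.File]::Encrypt($FilePath)
    }
    # The dialog only offers certificates from Other People / Trusted People, so place it there.
    $cert = Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\CurrentUser\TrustedPeople
    cipher.exe /adduser "/certhash:$($cert.Thumbprint)" $FilePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher /adduser failed with exit code $LASTEXITCODE" }
    # cipher /c prints thumbprints in space-separated groups; strip whitespace before comparing.
    $listing = ((cipher.exe /c $FilePath) -join "`n") -replace '\s', ''
    $listing -match $cert.Thumbprint
}

# ---- Approach B: copy the installer's EFS certificate and private key to the other account ----

# Step B1, run as the installing account after the file has been encrypted.
function Export-EfsKey([string]$PfxPath, [securestring]$Password) {
    $cert = Get-MyEfsCertificate
    if (-not $cert) { throw 'No EFS certificate with a private key in Cert:\CurrentUser\My' }
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password | Out-Null
}

# Step B2, run as the account that will run the tool (Cert:\CurrentUser is per user). EFS
# finds the key in that account's personal store when the file is opened.
function Import-EfsKey([string]$PfxPath, [securestring]$Password) {
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $Password | Out-Null
    Remove-Item $PfxPath   # the PFX carries the private key; do not leave it on disk
}

# Usage (Approach A, the tool account keeps its own key):
#   as CONTOSO\svc-tool:  Export-EfsPublicCertificate -CerPath C:\app\svc-tool-efs.cer
#   as the installer:     Grant-EfsFileAccess -FilePath C:\app\settings.xml -CerPath C:\app\svc-tool-efs.cer
# Usage (Approach B, copies the installer's private key):
#   as the installer:     Export-EfsKey -PfxPath C:\app\efs.pfx -Password (Read-Host -AsSecureString 'PFX password')
#   as CONTOSO\svc-tool:  Import-EfsKey -PfxPath C:\app\efs.pfx -Password (Read-Host -AsSecureString 'PFX password')
```

The "as CONTOSO\svc-tool" steps have to execute in that account's own session (for instance a runas /user:CONTOSO\svc-tool powershell.exe prompt), because Cert:\CurrentUser and the EFS key material live in that user's profile. Approach A is the least-privilege option: the tool account can only decrypt files it was explicitly added to. Approach B hands it the installer's private key, and with it everything that key can decrypt, so prefer A unless the installing account's key is meant to be the tool's key.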