Win2k3 Server question

Fx02

Member
May 14, 2004
90
Does anyone know how to generate a .pfx file in Win2k3 Server?

The steps would be nice.
 

stash

Diamond Member
Jun 22, 2000
5,468
Maybe you could tell us what you want to do? What do you want to create a certificate for? SSL?
 

Fx02

Member
May 14, 2004
90
I'm conducting a forensic examination on a machine that has EFS and I need to create a private key in .pfx format from the domain controller. Once I obtain this key, I can decrypt the files that are EFS encrypted.
 

stash

Diamond Member
Jun 22, 2000
5,468
You can't just create a private key and have it decrypt files that are already encrypted. Those files were encrypted with a different key.

Are you talking about the recovery agent private key? If you specified a DRA, that key should already exist.
 

Fx02

Member
May 14, 2004
90
We're going off track here; all I need to know is "how to" generate a private key in .pfx format from a Windows 2k3 Server. I'm not going to debate with you whether or not these files can be decrypted.
 

stash

Diamond Member
Jun 22, 2000
5,468
Um, ok...?

Encrypt anything on the server. That will create a self-signed EFS key. Then open up mmc and add the certificates snap-in for the user account. Under personal, certificates, find the cert with intended purposes of Encrypting File System. Right click, choose all tasks, export. Say yes to exporting the private key.

Good luck using that private key to decrypt files that were encrypted with a different private key.
 

Fx02

Member
May 14, 2004
90
Thanks for replying, but here's the $10Mil question:

Isn't the .pfx generated from the domain admin private key for the recovery agent supposed to be able to decrypt the files that were encrypted on the domain anyway? At least that's how I thought it would work.

 

stash

Diamond Member
Jun 22, 2000
5,468
Heh, now you want to talk DRA. Ok :)

You are right, the domain admin is the default DRA for an AD domain. So if you log in as the domain admin, you should be able to export the private key for his EFS certificate (there should already be an EFS certificate for that user).

Then go to the computer where the encrypted files are and log in as the domain admin. Import the private key and try to decrypt the files. If that doesn't work, you can try logging in as the local administrator on the client machine and import the domain admin's private key and decrypt.

Edit: just to add to that, the domain admin's cert should have an intended purpose of file recovery. So that way you can tell which one to export.
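The MMC steps in the two posts above (find the cert in the Personal store by its intended purpose, then export it with the private key) can be done from a script. This is an added example, not code from the thread; it assumes PowerShell with .NET on the box, keys on the Encrypting File System and File Recovery EKUs, and a made-up output path, and it only succeeds when the private key was marked exportable.

```powershell
# Added example (not from the thread): list the current user's Personal-store
# certs whose intended purpose is Encrypting File System or File Recovery,
# then export the first one that still has a private key to a .pfx file.
param(
    [string]$OutFile = "$env:USERPROFILE\efs-backup.pfx"   # assumed path
)

# Enhanced Key Usage OIDs that the MMC displays as the cert's "intended purposes"
$EfsOid      = '1.3.6.1.4.1.311.10.3.4'    # Encrypting File System
$RecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'  # File Recovery (DRA cert)

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
$store.Open('ReadOnly')
$candidates = @()
foreach ($cert in $store.Certificates) {
    # The EKU extension (OID 2.5.29.37) is typed as X509EnhancedKeyUsageExtension
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku) { continue }
    $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    if (($oids -contains $EfsOid) -or ($oids -contains $RecoveryOid)) {
        $purpose = if ($oids -contains $RecoveryOid) { 'File Recovery' } else { 'Encrypting File System' }
        $candidates += New-Object PSObject -Property @{
            Thumbprint = $cert.Thumbprint; Subject = $cert.Subject
            Purpose    = $purpose;         HasKey  = $cert.HasPrivateKey; Cert = $cert }
    }
}
$store.Close()
$candidates | Format-Table Thumbprint, Purpose, Subject, HasKey -AutoSize

# A .pfx without the private key cannot decrypt anything, so only export certs that have one
$chosen = $candidates | Where-Object { $_.HasKey } | Select-Object -First 1
if (-not $chosen) { throw 'No EFS/File Recovery certificate with a private key in CurrentUser\My' }

# The PFX is protected with a password; Export() throws if the key is not exportable
$pw = Read-Host -AsSecureString 'PFX password'
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pw))
$bytes = $chosen.Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $plain)
[IO.File]::WriteAllBytes($OutFile, $bytes)
"Exported $($chosen.Purpose) cert $($chosen.Thumbprint) to $OutFile"
```

Run it as the account whose cert you need (the domain admin for the DRA cert), and keep the resulting .pfx as carefully as the key it contains.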
 

Fx02

Member
May 14, 2004
90
Where do you find the certificates for the domain user? Does one need to be generated?
 

stash

Diamond Member
Jun 22, 2000
5,468
Do you mean the certs for the user whose files you need to decrypt? Or the domain admin? The answer is basically the same for both. If you open the MMC and add the certificates snap-in for the user account you are logged in as, you will see the certs in the personal store.

So if you log into the machine with the encrypted files as the user that encrypted them, you should see the certs in his personal store. The EFS cert is automatically generated the first time a user encrypts a file. If the user is in a domain environment without a certificate server, his machine will generate a self-signed EFS certificate, and the domain admin's recovery thumbprint (along with any other DRA thumbprints, if specified) will be added.