Endpoint Encryption


Creating Encryption Certificates for file encrypt/decrypt and recovery

  • 1.  Creating Encryption Certificates for file encrypt/decrypt and recovery

    Posted Sep 19, 2012 10:34 AM

    I need a little help with the cert creation for file encryption of Removable Storage.  I have really never created a cert before, but I know how to do it, and I was told that I can create a self-signed cert through IIS or MMC and use that.  My question is: from reading the Removable Storage manuals, the recovery cert for the users needs to be in the P7B format and does not contain the private key, while a second copy needs to be kept in a secure place that does contain the private key...Correct?  Now, does the one with the private key need to be in the same P7B format?  Windows would not let me save it in that format, but only in the PKCS #12 (.pfx) format.  Is this correct?

    Next, what requirements are needed for the certs for the users?  It is a separate cert from the recovery cert, correct?   Does each user need their own cert, or do I create one and deploy it to all machines?  What format should it be in, and does it need the private key?  I was guessing it does not need the private key, but I just wanted to ask.  There is not a lot of information on this in the manuals, and I have never created any certs for this purpose, and neither have the other two people on my team.  Any helpful information will be greatly appreciated.  Thanks.



  • 2.  RE: Creating Encryption Certificates for file encrypt/decrypt and recovery
    Best Answer

    Posted Sep 20, 2012 03:48 AM

    In the user package, you include the certificate exported in p7b format.  As it is included in the SEE-RS client package, it is the same one used for all your endpoints, and is an additional element against which all your files are encrypted.

    The one you keep in a safe place is the same certificate, but with the private key included, and yes .pfx format is fine.

    Essentially, the process should be to create a new cert with the file encryption attribute, and any others you need.  Export one copy with the private key and lock it away in a safe place.  Then export a second copy without the key in it and include it in the SEE-RS client package.

    Don't forget that the machine that you export these certificates from still holds the original cert in its cert store, which means this machine can decrypt any files encrypted with the package you just created.  You need to either lock this machine away somewhere and audit any physical access to it, or delete the cert from its store.

    Just to clarify, these steps focus on the Recovery certificate of SEE-RS only, and do not apply to the cert used for encrypting the communications between client and server.
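The procedure described in the answer above (create the cert, export one copy with the private key, export a second copy without it, then remove the original from the admin machine's store), as an added PowerShell example. This is not code from the original thread or from the SEE-RS documentation; the subject name, output paths and the extended key usage used to mark the certificate for file encryption are assumptions, so check the Removable Storage manual for the exact extensions it requires before using the result.

```powershell
# Added example: build a SEE-RS recovery certificate, export it twice,
# verify both exports, and remove the original (with its private key)
# from this machine. Subject, paths and the EKU are assumptions, not
# values taken from the SEE-RS manuals.

$subject = "CN=SEE-RS Recovery, O=Example Corp"      # assumed subject
$outDir  = "C:\Secure\SEE-RS"                           # assumed path
$pfxPath = Join-Path $outDir "seers-recovery-with-key.pfx"
$p7bPath = Join-Path $outDir "seers-recovery-public.p7b"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Create the certificate. The key must be exportable so the .pfx copy
#    can be made. Key usage covers data encipherment, and the "Encrypting
#    File System" EKU (1.3.6.1.4.1.311.10.3.4) is added as an ASSUMED
#    equivalent of the "file encryption attribute" the answer mentions.
$cert = New-SelfSignedCertificate `
    -Subject $subject `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable `
    -KeyUsage KeyEncipherment, DataEncipherment `
    -TextExtension @("2.5.29.37={text}1.3.6.1.4.1.311.10.3.4") `
    -NotAfter (Get-Date).AddYears(10)

# 2. Export WITH the private key (.pfx). This copy can decrypt every file
#    encrypted against the recovery cert; it is the one that goes in the safe.
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# 3. Export WITHOUT the private key (.p7b) for the SEE-RS client package.
Export-Certificate -Cert $cert -FilePath $p7bPath -Type P7B | Out-Null

# 4. Check what each file actually contains before relying on it.
$public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$public.Import($p7bPath)
if ($public.Count -ne 1 -or $public[0].HasPrivateKey) {
    throw "P7B export unexpectedly carries a private key or extra certificates"
}
$private = (Get-PfxData -FilePath $pfxPath -Password $pfxPassword).EndEntityCertificates
if ($private.Count -ne 1 -or -not $private[0].HasPrivateKey) {
    throw "PFX export does not contain the private key"
}
if ($private[0].Thumbprint -ne $public[0].Thumbprint) {
    throw "PFX and P7B do not hold the same certificate"
}

# 5. Remove the original and its key from this machine's store, so the
#    admin workstation can no longer decrypt files protected by this cert.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
if (Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $cert.Thumbprint) {
    throw "Certificate is still present in the local store"
}

Write-Host "Lock away offline:                    $pfxPath"
Write-Host "Include in the SEE-RS client package: $p7bPath"
```

Run this in an elevated PowerShell session on the machine you use to build the package. The thumbprint comparison in step 4 is the check that matters: the .p7b you ship and the .pfx you lock away must be the same certificate, and only the .pfx may report `HasPrivateKey` as true. Step 5 is the scripted form of the answer's warning that the exporting machine otherwise keeps a decryption-capable copy; if you prefer to keep that machine locked away instead, skip it.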