Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Help creating a recovery certificate for RS package

Created: 09 Nov 2012 | 4 comments

Hello,

I am getting stuck in the RS package wizard at the step for including a recovery certficate.  My understanding is that this is the only method to provide recovery of an encrypted file if the user has forgotten their password.  I have tried using certificates from my Windows 2003 server and my Win 7 client.  Which ever I choose, I get the following error:  "The certificate is invalid, blocked, or expired.  Please select another certificate."  I have verfied the the certificate is not expired.  I suspect I am following an incorrect process or missing a step when exporting this certficate.  I have been unable to get support from Symantec on this.  I am told that certficate generation is outside their scope of support.  Since this is an evaluation copy of the RS software, I will likely look for a different product if I cannot provide recovery service for my users with Symantec Endpoint RS.

Would someone who has successfully integrated the certificate with the package please provide a step by step guide on the process for creating this certificate?

Thank you.

Greg

Comments 4 CommentsJump to latest comment

SMLatCST's picture

While the RS Master Cert is very useful, you could potentially also use the WorkGroup Keys for file recovery (but this only applies if you are happy for all mambers of the same SEE workgroup to be able to decrypt each other's removable storage devices).

As far the the cert generation goes (and assuming you have a CA in your environment), you may find the below article useful.  While it states it is for v7.0, there is no difference in the certificate used and the same should be applicable to 8.* too:

http://www.symantec.com/docs/TECH95152

Once you have the certificate created and ready, you need to use the exported version without the private keys in the SEE-RS package creation.  The version with the keys should be safely locked away, with access to it audited.

More Cowbell's picture

Thanks for the response.  Yes, I was looking at the workgroup key as an alternative, but I am not sure how comfortable the users will be with having others able to decrypt their drives  (maybe worrying unneccessarily).  I was going to bring this to our leadership for weigh-in.

We are not running a CA and PKI though.  Not sure how daunting of a task it would be to set this up.  I have tried the 3rd party Cert from our Exchange installation and some self signed certificates from server and client with the same results for each.  I had read in a few posts that people were having success with self-signed, but I am not sure if I am doing something incorrect since I am unable to use any of them.

Greg

SMLatCST's picture

How are you generating this self-signed certificate, and what attributes does it have?

Note how the article I linked suggested creating a "user" certificate.  If you were to install the self-signed one you mentioned, where does install to in your certificate store?  According to the type of cert described in the article, it should appear under the "Personal" store for your user account.

Also, please refer to the installation guide (Appendix C) which gives the Key Usage requirements for the cert too.

More Cowbell's picture

The certificate that I am trying to use is not one that I am generating, but rather located in the Current User -> Personal -> Certificates location.  It is named for the login account and the listed Intended Purpose is Encrypting File System.  I assume this is created by Windows for file encryption accessible through the file properties -> Advanced... button -> Encrypt contents to secure data checkbox.

I am exporting this certificate as a .P7B using the wizard (no private key) and attempting to include it with the package generation and it is failing.

Revisiting the Appendix you reference above, I see that the key usage must be "key encipherment" but I don't believe this is editable unless I am generating the cert from my in house CA (which I don't have).  When I view the details of the certificate I see that the "enhanced key usage: field is set to Encrypting File System.  So this is likely where I am going wrong.  The key usage doesn't match the expectation from SEERS packaging tool.  Without a CA in my organization, I can't create the correct type of key either.  Unclear about how to acquire this specific type from a 3rd party CA too.  Each website I go to talks about purchasing/trialing an SSL cert but I don't see an option to specify "key encipherment" for key usage.

I am leaning more and more toward either using workgroup keys or finding a different encryption solution.

Thanks for your help.

Greg