How to generate a certificate for use in Microsoft's Encrypting File System.

  • 3903248
  • 14-Feb-2007
  • 27-Apr-2012

Environment


Novell Certificate Server (PKIS) 3.1.1
Novell eDirectory 8.8 for All Platforms
Novell iManager 2.6

Situation

An organization needs to use Novell eDirectory and Novell Certificate Server to mint user certificates specifically for use in Microsoft's Encrypting File System. The motivation is eDirectory's ability to securely generate, store, distribute and revoke any number of certificates for use within that organization.

Resolution

These certificates require a specific extension. It is the Extended Key Usage (EKU) for Encrypting File System (EFS), object identifier 1.3.6.1.4.1.311.10.3.4. This is a Microsoft-specific EKU: it is not one of the key purposes listed in the X.509 profile, but RFC 3280 (the Internet X.509 certificate profile, since superseded by RFC 5280) allows key purpose OIDs to be defined by any organization that has a need. Although Microsoft's EKU is vendor-defined, it therefore still follows the RFC specification.

The iManager Certificate Server plugin (version 3.1 or later) can set any of the standard EKUs when creating a certificate. Because Microsoft's EFS EKU is not among them, it must be supplied through the plugin's generic (custom) extension capability.

First, the prerequisites:
1. eDirectory 8.8 or later, which also installs NICI 2.7 and PKIS 3.1.1.
2. iManager 2.6 or later.
3. The Novell Certificate Server iManager plugin 3.1 or later.

With these components in place, a configuration file containing the extension data must be created for use when certificates are minted. The easiest way is to copy the existing ASN.1-encoded Microsoft Encrypting File System EKU from an existing certificate. The steps for performing this task are below. Steps 1-4 only have to be completed once.
1. Create a certificate using Microsoft's Certificate Server.
2. Export the certificate as a DER file. If it is exported as a PKCS#12 file instead, it must be a CA-signed certificate. If a self-signed certificate is used, refer to KB 3903248; otherwise an Error: -1222 will result during the import.
3. Import the DER file created above (or a PKCS#12 file containing the certificate) onto your user object in eDirectory:
A. Log in to iManager.
B. Go to the Novell Certificate Server role, then to the Create User Certificate task.
C. Select your user object and click Next.
D. The server you are on is already selected; there is no need to change it. Give the certificate a Nickname, change the Creation method to Import, then select Next.
E. For a DER file, on the Specify Import File dialog select File type: CERT and browse to the file on the local file system. For a PKCS#12 file, select File type: PKCS12 and enter the password with which it was originally exported. Select Next, then Finish. You should see a status of Success.
4. Now the ASN.1 extension data can be copied from the plugin to a file:
A. Select the Novell Certificate Access role, then the User Certificates task.
B. Select your user object, then click the Nickname the certificate was given.
C. At the bottom of the page is the Extensions section. Click Extended Key Usage. The DER-encoded value is the data that must be copied and pasted into a text file (with a descriptive name such as msencrypt.cfg) on the local file system. It should look like the following:
30150603551D25040E300C060A2B0601040182370A0304
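The extension data above can also be produced and checked without a Microsoft CA to copy from. The following Python script is an added example written for this article, not part of the Novell tooling or the original TID: it DER-encodes the Extended Key Usage extension (id-ce-extKeyUsage, 2.5.29.37) carrying the EFS key purpose OID 1.3.6.1.4.1.311.10.3.4 directly from the OIDs, decodes such an extension back into its OIDs, and checks that exactly the EFS purpose is present. The function and file names (eku_extension, parse_eku_extension, is_efs_only, msencrypt.cfg) are the example's own; the hex text it writes is the same form the page shows for the .cfg file.

```python
"""Build and check the DER-encoded Extended Key Usage extension for Microsoft EFS.

Added example for this article; pure Python, no third-party libraries.
"""

EFS_EKU_OID = "1.3.6.1.4.1.311.10.3.4"   # Microsoft EFS key purpose (from the page)
EKU_EXTN_OID = "2.5.29.37"               # id-ce-extKeyUsage (X.509 extension OID)
# Value shown on the page for comparison.
PAGE_HEX = "30150603551D25040E300C060A2B0601040182370A0304"


def _base128(n):
    """Encode one OID arc as base-128 with continuation bits (BER/DER rule)."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def der_tlv(tag, content):
    """Wrap content in a DER tag-length-value triple."""
    return bytes([tag]) + _der_length(len(content)) + content


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]]) + b"".join(_base128(a) for a in arcs[2:])
    return der_tlv(0x06, body)


def eku_extension(oids):
    """Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING }
    where extnValue wraps ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId.
    'critical' is omitted, as in the value the page shows."""
    eku_syntax = der_tlv(0x30, b"".join(encode_oid(o) for o in oids))
    return der_tlv(0x30, encode_oid(EKU_EXTN_OID) + der_tlv(0x04, eku_syntax))


def _read_tlv(buf, pos):
    """Read one TLV at pos; return (tag, content, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Decode OID content octets (first byte = 40*arc0 + arc1; fine for arc0 in 0..2)."""
    arcs = [body[0] // 40, body[0] % 40]
    n = 0
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def parse_eku_extension(der):
    """Return the list of KeyPurposeId OIDs in a DER Extension; raise on bad shape."""
    tag, ext, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER Extension SEQUENCE")
    tag, extn_id, pos = _read_tlv(ext, 0)
    if tag != 0x06 or decode_oid(extn_id) != EKU_EXTN_OID:
        raise ValueError("extnID is not id-ce-extKeyUsage")
    tag, value, pos = _read_tlv(ext, pos)
    if tag == 0x01:  # optional 'critical' BOOLEAN may precede extnValue
        tag, value, pos = _read_tlv(ext, pos)
    if tag != 0x04:
        raise ValueError("extnValue is not an OCTET STRING")
    tag, seq, _ = _read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("extnValue does not wrap a SEQUENCE OF KeyPurposeId")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId is not an OBJECT IDENTIFIER")
        oids.append(decode_oid(body))
    return oids


def is_efs_only(der):
    """True only if the extension carries the EFS purpose and nothing else."""
    return parse_eku_extension(der) == [EFS_EKU_OID]


if __name__ == "__main__":
    built = eku_extension([EFS_EKU_OID]).hex().upper()
    print("built:", built, "matches page:", built == PAGE_HEX)
    print("purposes:", parse_eku_extension(bytes.fromhex(PAGE_HEX)))
    # Hypothetical file name, matching the page's suggestion; written as hex text.
    with open("msencrypt.cfg", "w") as f:
        f.write(built + "\n")
```

Run the script and compare its output with the value copied from iManager in step 4C. If the two differ, inspect the decoded purpose list: a certificate copied from a Microsoft CA may carry additional key purposes, and because iManager accepts only one EKU extension per certificate, every extra purpose in the copied value would be minted into every certificate created from the file.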

Now user certificates containing this EKU can be created. The steps are below.
1. In the Create User Certificate task under the Novell Certificate Server role in iManager, select the server on which the Key Material Object (KMO) will be created and enter a Nickname. Select a certificate type of Custom.
2. On the next screen accept all defaults, but make sure the Enable extended key usage checkbox is NOT set. A certificate may contain only one EKU extension, and it will be provided by the previously created ASN.1 extension data file (i.e., msencrypt.cfg). Click Next.
3. At the bottom of the next page is the Custom Extensions section, where the extension data file is specified. Click New, browse to and select the extension file (i.e., msencrypt.cfg), and click Next. Because this certificate will not be used for secure email, the No email address warning can be ignored.
4. Export the certificate. For security reasons only the user for whom the user certificate was created can do this, so to test the export, create a certificate for your own user object.
A. While logged in as that user, select the User Certificates task under the Novell Certificate Access role.
B. Put a check mark to the left of the created certificate and select Export. Accept all defaults, then enter a password to protect the exported certificate file.
C. Choose to export the certificate to the browser, then choose to save it to disk. Give iManager a name and directory in which to store the file.

The exported certificate file can now be imported into Windows for use with Microsoft's Encrypting File System.