3 Replies Latest reply on May 10, 2010 4:24 PM by SeanKeeley

    EERM Recovery 'Allow User Certificate' Requirement


      Experimenting with EERM 3.2.4, I enabled the Allow User Certificate recovery option, however, when the client clicks the corresponding option during USB initialization, no certificates are available in the drop-down list. We use Entrust ESP and I have three certificates in the MS CAPI store, but presumably the certificates don't have the correct key usage flag(s) set.


      My existing certificates' key usage are

      1. a Key Encipherment (20) for EFS encryption
      2. another Key Encipherment (20) for Entrust encryption, and
      3. a Digital Signature (80) for verification.


      Is there documentation somewhere on the requirements for a certificate to be used by EERM?

        • 1. Re: EERM Recovery 'Allow User Certificate' Requirement



          I am also having the same problem. I tried to use MS CAPI, PKCS#11 or IdenTrust, but my certificate did not show up. Can anyone assist?





          • 2. Re: EERM Recovery 'Allow User Certificate' Requirement

            I have raised a McAfee service request about this issue and got a response that contradicts this McAfee KB article.


            The response was that the certificate must have the Data Encipherment key usage flag. Frankly, I don't understand this requirement since it makes most existing certificates useless for EERM recovery. For example, a user's Windows EFS certificate would be a good candidate for recovery as it is tied to an individual Windows login ID, but it's a key encipherment certificate. Similarly, a user's digital signature certificate would be another good candidate, but again, it doesn't have the data encipherment flag. I have confirmed via testing that neither of these types of certificates is acceptable for EERM Allow User Certificate recovery.


            As an aside, when we were initially deploying EEPC, we had some technical encryption questions for McAfee which they could not answer -- we were somewhat surprised (understatement) to be told that McAfee does not employ any cryptographers. I suspect this strange certificate usage requirement is a symptom of this.

            • 3. Re: EERM Recovery 'Allow User Certificate' Requirement

              Another update: the Service Request has been resolved, and the KB article updated. Currently both Key and Data Encipherment must be specified in order to use a certificate for recovery; McAfee will look into supporting just Key Encipherment in later releases, but there is no ETA.
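The hex values quoted in the question ("Key Encipherment (20)", "Digital Signature (80)") are the first byte of the certificate's KeyUsage extension, a DER BIT STRING defined in RFC 5280 section 4.2.1.3. The following is an added example, not code from the thread or from McAfee: a dependency-free decoder for that extension value, plus a check of the rule stated in reply 3 (both Key Encipherment and Data Encipherment must be set). The sample extension values are constructed to mirror the three certificates described in the question and a fourth that would pass; the function names are my own.

```python
# Added example (not from the thread): decode an X.509 KeyUsage extension value
# (a DER BIT STRING, RFC 5280 section 4.2.1.3) and check it against the
# "Key Encipherment AND Data Encipherment" rule reported in reply 3.
# The hex shown by the Windows certificate viewer, e.g. "Key Encipherment (20)",
# is the first byte of this bit string.

from typing import List

# RFC 5280 KeyUsage bit positions (bit 0 is the most significant bit of byte 0)
KEY_USAGE_BITS = [
    "digitalSignature",   # bit 0 -> 0x80
    "nonRepudiation",     # bit 1 -> 0x40
    "keyEncipherment",    # bit 2 -> 0x20
    "dataEncipherment",   # bit 3 -> 0x10
    "keyAgreement",       # bit 4 -> 0x08
    "keyCertSign",        # bit 5 -> 0x04
    "cRLSign",            # bit 6 -> 0x02
    "encipherOnly",       # bit 7 -> 0x01
    "decipherOnly",       # bit 8 -> 0x80 of byte 1
]


def decode_key_usage(der: bytes) -> List[str]:
    """Parse a DER-encoded KeyUsage BIT STRING and return the names of the set bits."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    # KeyUsage is at most 2 content bytes, so only short-form lengths are expected
    if length & 0x80 or length + 2 != len(der):
        raise ValueError("bad or unsupported length encoding")
    unused = der[2]          # number of unused trailing bits in the last byte
    if unused > 7:
        raise ValueError("unused-bits count out of range")
    body = der[3:]
    total_bits = len(body) * 8 - unused
    names = []
    for i, name in enumerate(KEY_USAGE_BITS):
        if i >= total_bits:
            break
        if body[i // 8] & (0x80 >> (i % 8)):
            names.append(name)
    return names


def usable_for_eerm_recovery(der: bytes) -> bool:
    """Rule from reply 3 (hypothetical check name): both encipherment bits must be set."""
    usage = set(decode_key_usage(der))
    return {"keyEncipherment", "dataEncipherment"} <= usage


# Constructed sample extension values mirroring the certificates in the question,
# plus one that carries both encipherment bits (0x20 | 0x10 = 0x30).
SAMPLES = {
    "EFS key encipherment (20)":     bytes.fromhex("03020520"),
    "Entrust key encipherment (20)": bytes.fromhex("03020520"),
    "digital signature (80)":        bytes.fromhex("03020780"),
    "key + data encipherment (30)":  bytes.fromhex("03020430"),
}

if __name__ == "__main__":
    for label, der in SAMPLES.items():
        print(f"{label}: {decode_key_usage(der)} "
              f"-> recovery candidate: {usable_for_eerm_recovery(der)}")
```

To run this against a real certificate, extract the raw value of the KeyUsage extension (OID 2.5.29.15) from the DER certificate and pass those bytes in; the three certificate types from the question decode to only keyEncipherment or only digitalSignature, which is why none of them appears in the recovery drop-down under the rule in reply 3.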