EFS certificate on smartcard not working
Hello all!
I cannot get my EFS-certificate on a smart card to work and would appreciate any help.
I've set the Local Security Policy to Require a smart card for EFS (I'm running Windows Server 2008 R2).
When I try to encrypt a folder and choose Use an existing smart card certificate I get this message:
"No certificate available: No certificate meet the application..."
- I got the certificate on the smartcard by creating an offline custom request (from a standalone Root CA that is trusted).
- It includes the EKU Encrypting File System.
- It's valid, trusted and I can reach the CRL (even though EFS apparently doesn't check the CRL).
- The certificate is populated in the Personal Store of my user account and indicates that I have the private key.
What are the complete requirements for an EFS certificate? What am I missing?
Tom Aafloen, IT-security Consultant Onevinn AB
February 8th, 2012 6:01am
Besides the application policy you need to check the properties of your smart card template and make sure that the basic key usage allows encryption. Edit your certificate template and on the Request Handling tab check that the Purpose is set to Signature and encryption.
/Hasain
February 8th, 2012 7:29am
Since it's a Standalone CA I don't have templates, so everything has to be specified in the request itself.
I already had the Key Usage Data encipherment and Key encipherment in the non-working certificate. What is the "signature and encryption" equivalent in a custom request?
When I create my custom request I only enter/change the following:
- Subject: CN=Test
- Key Usage: Data encipherment and Key encipherment
- Extended Key Usage: Encrypting File System
- CSP: Microsoft Base Smart Card Crypto Provider
- Key size: 2048
But this is not enough...
Tom Aafloen, IT-security Consultant Onevinn AB
February 8th, 2012 8:00am
Based on a sample certificate, Key Usage must be Key Encipherment only (0x20).
Also, in a duplicate of Basic EFS, the following is enabled: SMIMECapabilities.
I recommend that you request a basic EFS cert from an enterprise CA, use that as your certificate profile, and modify your request accordingly.
Brian
February 8th, 2012 10:00am
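As an added example (not code from the thread or from either poster), the request profile below encodes the advice given above as a certreq INF file (Key Usage = Key Encipherment only, 0x20, with the EFS EKU), and the function audits the user's Personal store for certificates that meet the visible requirements: EFS EKU present, Key Encipherment set, and a private key attached. Assumptions: the EFS EKU OID 1.3.6.1.4.1.311.10.3.4, and KeySpec = 1 (AT_KEYEXCHANGE) as the CSP-level counterpart of the template's "Signature and encryption" purpose.

```powershell
# Added example: certreq INF profile for a smart card EFS request on a standalone CA.
# Assumption: KeySpec = 1 (AT_KEYEXCHANGE) is the request-level equivalent of the
# template purpose "Signature and encryption"; a signature-only key cannot decrypt.
$efsRequestInf = @"
[NewRequest]
Subject = "CN=Test"
KeyLength = 2048
KeyUsage = 0x20
KeySpec = 1
ProviderName = "Microsoft Base Smart Card Crypto Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.4.1.311.10.3.4
"@
# Save the profile and generate the request with:  certreq -new efs.inf efs.req

# Audit one certificate against the EFS requirements discussed in the thread.
function Test-EfsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $efsOid = '1.3.6.1.4.1.311.10.3.4'   # assumption: Encrypting File System EKU
    $ku  = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasEfsEku = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $efsOid }))
    $hasKeyEnc = [bool]($ku -and ($ku.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment))
    $kuText = $(if ($ku) { $ku.KeyUsages.ToString() } else { '(no Key Usage extension)' })
    New-Object PSObject -Property @{
        Thumbprint  = $Cert.Thumbprint
        EfsEku      = $hasEfsEku
        KeyUsage    = $kuText          # shows extra bits beyond Key Encipherment
        KeyEncipher = $hasKeyEnc
        PrivateKey  = $Cert.HasPrivateKey
        Candidate   = ($hasEfsEku -and $hasKeyEnc -and $Cert.HasPrivateKey)
    }
}

# Report every certificate in the user's Personal store.
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { Test-EfsCertificate $_ } |
    Format-Table Thumbprint, EfsEku, KeyUsage, KeyEncipher, PrivateKey, Candidate -AutoSize
```

The KeyUsage column makes it easy to spot a certificate that carries Data Encipherment or other bits in addition to Key Encipherment, which is the mismatch Brian's sample points to.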