How to generate a master certificate for Symantec Endpoint Encryption Removable Storage 7.0.x with Microsoft enterprise root CA


Article ID: 177777


Updated On:


Endpoint Encryption


In Symantec Endpoint Encryption Removable Storage edition (SEE RS), you can configure a master certificate by installation setting or policy update. All files encrypted from that time forward will be encrypted under the master certificate's public key. This provides recovery of encrypted files should the certificate and/or password that the user used to encrypt the file be lost, revoked, or forgotten.

You have an existing PKI infrastructure with Windows 2003 enterprise CA. You want to know how you can generate a certificate to be used as a master certificate in SEE RS.


In a Windows 2003 enterprise CA environment, you can generate a user certificate (a certificate generated using user certificate template) and export it as PKCS #7 format (.P7B extension). SEE RS can then use it as a master certificate.

There are multiple ways to generate a user certificate. The steps below just show one of them. For other ways to generate user certificate, please refer to Microsoft on-line help or articles.

To generate and export a user certificate:
1. Log on to a computer in the domain as the user whose user certificate you want to generate.
2. Launch MMC, add Certificates snap-in for my user account.
3. Expand Certificates - Current User under Console Root in the left pane, right click Personal folder, then go to All tasks -> click Request new certificate...
4. Select User as certificate type, click Next.
5. Give it a friendly name, click Next.
6. Verify the details at the last screen and click Finish.
7. By default, Windows 2003 enterprise root CA is configured to automatically generate a user certificate upon receiving a request. So now, you should see a Certificates folder under Personal folder in the left pane.
8. Click the Certificates folder, in the right pane, you should see the user certificate that's just generated.
9. Right click the user certificate, go to All tasks -> click on Export....
10. Select No, do not export the private key, otherwise the option to export it as .P7B extension will be dimmed in the next screen. Click Next.
11. Select Cryptographic Message Syntax Standard - PKCS #7 Certificates (..P7B), then next.
12. Give it a descriptive file name, verify all the details and click Finish.

When you create a SEE RS client install package or configure a GPO for SEE RS, and you select Encrypt files with a master certificate, you can browse to the above created file.

Technical Information
Microsoft Technet, Public Key Infrastructure:

Request a certificate using a PKCS #10 or PKCS #7 file

Please note: it appears that a smart card with the private key corresponding to the master certificate is required to decrypt the files.