Using Certificates with BitLocker

Applies To: Windows 7, Windows Server 2008 R2

In Windows 7, smart card certificates can be used with BitLocker Drive Encryption to encrypt and decrypt data drives. The certificate may belong to a standard user who is using it to turn on BitLocker or to unlock a BitLocker-protected drive, or to an administrator who has been designated a BitLocker data recovery agent and is using the certificate to recover access to a BitLocker-protected drive.

Certificate attributes

BitLocker inspects the following key usage and enhanced key usage attributes before it uses a certificate to encrypt a drive. When you attempt to use a smart card to turn on BitLocker, BitLocker automatically searches the certificate store and uses a certificate that meets its criteria. If no certificate is found and you believe that you should have a valid certificate, review the following attributes of your certificates to see why they were not used:

  • If a key usage attribute is present, it must be one of the following:

    • CERT_DATA_ENCIPHERMENT_KEY_USAGE

    • CERT_KEY_AGREEMENT_KEY_USAGE

    • CERT_KEY_ENCIPHERMENT_KEY_USAGE

  • If an enhanced key usage (EKU) attribute is present, it must be one of the following:

    • As specified in Group Policy or the default (1.3.6.1.4.1.311.67.1.1) if not specified

    • Any enhanced key usage object identifier supported by your certification authority (CA)

The BitLocker object identifier is set to 1.3.6.1.4.1.311.67.1.1 by default. We recommend that you use one of the following: the default BitLocker object identifier, the anyExtendedKeyUsage identifier (2.5.29.37.0), or an Encrypting File System (EFS) data recovery agent certificate. You can use Group Policy to change this value if, for example, you want to share an existing certificate with BitLocker. If the certificate belongs to a data recovery agent and is only used to recover BitLocker-protected data, it is recommended that it also have one of these attributes, but it is not mandatory. No certificate validation occurs when adding a data recovery agent to a drive.

Determination of duplicate certificates

BitLocker will consider a certificate to be a duplicate when the following fields are identical between the certificates:

  • Subject

  • Issuer

  • Subject Alternative Name

  • OID
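The following PowerShell script is an added example, not part of the original page, that applies the two checks described above to the certificates in the current user's personal store: it keeps only certificates whose key usage and enhanced key usage (EKU) satisfy the BitLocker criteria, then groups the survivors by Subject, Issuer, Subject Alternative Name and EKU OID to show which ones BitLocker would treat as duplicates. The `$BitLockerEku` parameter is an assumption standing in for the value your Group Policy specifies (the default BitLocker OID and anyExtendedKeyUsage are pre-filled), "must be one of the following" for key usage is read as "at least one of these bits is set", and the "OID" field of the duplicate check is assumed to mean the EKU OID.

```powershell
# Added example (not Microsoft's code): find BitLocker-eligible certificates in
# Cert:\CurrentUser\My and group them by the fields BitLocker uses to detect duplicates.
# Smart card certificates normally appear in this store once the card is inserted.
param(
    # Assumption: replace with the EKU OID configured in Group Policy if one is set.
    [string[]] $BitLockerEku = @('1.3.6.1.4.1.311.67.1.1', '2.5.29.37.0')
)

# Key usage bits BitLocker accepts (CERT_DATA_ENCIPHERMENT_KEY_USAGE,
# CERT_KEY_AGREEMENT_KEY_USAGE, CERT_KEY_ENCIPHERMENT_KEY_USAGE).
$allowedKeyUsage = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags] `
    'DataEncipherment, KeyAgreement, KeyEncipherment'

function Get-EkuExtension {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
}

function Test-BitLockerCandidate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)

    $ku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
    }
    # Key usage is only inspected when the extension is present; at least one
    # of the allowed bits must then be set (assumed reading of "one of the following").
    if ($ku -and (($ku.KeyUsages -band $allowedKeyUsage) -eq 0)) {
        return $false
    }

    # EKU is only inspected when present; one of the accepted OIDs must be listed.
    $eku = Get-EkuExtension $Cert
    if ($eku) {
        $oids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
        if (-not ($oids | Where-Object { $BitLockerEku -contains $_ })) {
            return $false
        }
    }
    return $true
}

function Get-BitLockerDuplicateKey {
    # Builds the Subject|Issuer|SAN|EKU-OID tuple that BitLocker compares.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)

    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    $sanText = if ($san) { $san.Format($false) } else { '' }

    $eku = Get-EkuExtension $Cert
    $ekuText = if ($eku) {
        ($eku.EnhancedKeyUsages | ForEach-Object { $_.Value } | Sort-Object) -join ','
    } else { '' }

    return '{0}|{1}|{2}|{3}' -f $Cert.Subject, $Cert.Issuer, $sanText, $ekuText
}

$candidates = Get-ChildItem Cert:\CurrentUser\My | Where-Object { Test-BitLockerCandidate $_ }

"Certificates that satisfy the BitLocker key usage / EKU criteria:"
$candidates | Select-Object Subject, NotBefore, NotAfter, Thumbprint | Format-Table -AutoSize

"Sets that BitLocker would treat as duplicates (same Subject, Issuer, SAN and EKU OID):"
$candidates |
    Group-Object { Get-BitLockerDuplicateKey $_ } |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        '{0} certificates: {1}' -f $_.Count, $_.Group[0].Subject
        $_.Group | Sort-Object NotBefore -Descending |
            Select-Object NotBefore, NotAfter, Thumbprint | Format-Table -AutoSize
    }
```

Run the script in the user's session with the smart card inserted; a certificate that you expected to be offered but that is missing from the first table fails one of the two checks, and the second table shows which entries BitLocker would collapse into a single choice.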

Certificate renewal implications

If a certificate is renewed with a new key pair, only the most recent certificate will be displayed as a choice for BitLocker Drive Encryption. If a user is asked to choose a certificate but only a single certificate is listed, this situation is normally the cause: both certificates are still present and valid on the smart card, but only the most recent can be selected. If a certificate is renewed with the same key pair after being used for BitLocker Drive Encryption, BitLocker will update the certificate protector the first time the drive is unlocked through the user interface. In this situation, when unlocking a drive, BitLocker will search the smart card for a certificate whose public key matches the one used for the certificate protector. If two or more such certificates are found on the smart card, BitLocker will update the certificate protector's information with the most recent certificate's information.