After migrating a Certification Authority to a new server, you try to issue a new Encrypting File System certificate, but Windows 11 refuses to accept it. The error typically appears as “The certificate cannot be used for EFS” or “The requested certificate template is not supported by this CA.” This happens because the original EFS certificate relied on a specific CA configuration and key archival settings that no longer match the new CA. This article explains why the migration breaks EFS certificate enrollment and provides the exact steps to fix it.
Key Takeaways: Fixing EFS Certificate Enrollment After CA Migration
- Certlm.msc > Personal > Certificates: Delete the old EFS certificate before requesting a new one from the migrated CA.
- Certtmpl.msc > EFS Recovery Agent template > Properties > Request Handling: Enable “Allow private key to be exported” and set key archival to match the new CA configuration.
- CertSrv > Advanced Certificate Request > Create and submit a request to this CA: Use the Web Enrollment page to manually request an EFS certificate with the correct template version.
Why EFS Refuses a New Certificate After CA Migration
The Encrypting File System uses certificates that are tied to the issuing CA. When you migrate a CA to a new server, the CA database and the certificate templates move, but the key archival settings and CA exchange certificate may not transfer correctly. EFS requires that the CA can archive the private key. If the new CA does not have key archival enabled for the EFS template, or if the CA exchange certificate is missing or expired, the CA will reject the request. Additionally, the client machine still holds the old EFS certificate in the Personal store. Windows sees that a valid EFS certificate already exists and refuses to enroll a new one.
Steps to Remove the Old EFS Certificate and Request a New One
Follow these steps in order. You need local administrator rights on the client computer.
- Open the Certificate Manager for the local machine. Press Win + R, type certlm.msc, and press Enter. This opens the Certificate Manager for the computer account.
- Navigate to the Personal store. In the left pane, expand Personal and select Certificates. Look for any certificates with the Intended Purpose “Encrypting File System” or “File Recovery”.
- Delete the old EFS certificate. Right-click the old EFS certificate, select Delete, and confirm. Do not delete certificates issued by other CAs or certificates you still need for other purposes.
- Verify the CA is reachable. Open a Command Prompt as administrator and run certutil -ping -config "CA-Server\CA-Name", replacing CA-Server and CA-Name with the new CA server name and CA name. You should see “Ping completed successfully.” If the ping fails, check network connectivity and the CA service status.
- Request a new EFS certificate from the migrated CA. In the Certificate Manager, right-click Personal, select All Tasks > Request New Certificate. Click Next twice. Select Active Directory Enrollment Policy. Under the EFS template, click Enroll. Wait for the enrollment to complete.
- Confirm the new certificate appears. Refresh the Personal > Certificates view. The new EFS certificate should appear with the correct CA name in the Issued By column.
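The same six steps as a PowerShell script, added here as an example and not taken from the article: it inventories EFS certificates by EKU, removes only those issued by the old CA, pings the migrated CA, then enrolls against the EFS template. The store path, the old CA's issuer name and the CA configuration string are placeholders you must replace.

```powershell
# Added example (not from the article). Run from an elevated PowerShell prompt.
# Assumptions / placeholders: store path, old CA issuer DN, new CA config string.
$Store     = 'Cert:\LocalMachine\My'    # certlm.msc maps to LocalMachine; use Cert:\CurrentUser\My for a user's own EFS cert
$OldCaName = 'CN=OLD-CA-NAME'           # placeholder: issuer DN prefix of the decommissioned CA
$NewCaCfg  = 'CA-Server\CA-Name'        # placeholder: "<host>\<CA common name>" of the migrated CA
$Template  = 'EFS'                      # built-in EFS template name (the one shown in the wizard)
$EfsOids   = '1.3.6.1.4.1.311.10.3.4', '1.3.6.1.4.1.311.10.3.4.1'   # EKU OIDs: Encrypting File System, File Recovery

# Step 1-2: find every certificate in the Personal store whose EKU includes EFS or File Recovery.
$efsCerts = Get-ChildItem $Store | Where-Object {
    $_.EnhancedKeyUsageList | Where-Object { $EfsOids -contains $_.ObjectId }
}
$efsCerts | Format-Table Thumbprint, Subject, Issuer, NotAfter -AutoSize

# Step 3: delete only certificates issued by the old CA; anything else is left alone.
foreach ($c in $efsCerts) {
    if ($c.Issuer -like "$OldCaName*") {
        Write-Host "Removing old EFS certificate $($c.Thumbprint) issued by $($c.Issuer)"
        Remove-Item -Path (Join-Path $Store $c.Thumbprint)
    }
}

# Step 4: confirm the migrated CA answers before requesting anything.
certutil -ping -config $NewCaCfg | Out-Null
if ($LASTEXITCODE -ne 0) { throw "CA $NewCaCfg did not answer; check connectivity and the CertSvc service." }

# Step 5: enroll through the Active Directory enrollment policy (-Url ldap: is the same policy the wizard uses).
$result = Get-Certificate -Template $Template -CertStoreLocation $Store -Url ldap:
if ($result.Status -ne 'Issued') { throw "Enrollment ended in status '$($result.Status)' instead of Issued." }

# Step 6: show the new certificate; the Issuer should name the migrated CA.
$new = $result.Certificate
"Issued by: $($new.Issuer)  Thumbprint: $($new.Thumbprint)  Expires: $($new.NotAfter)"
```

Get-Certificate comes from the PKI module shipped with Windows 8 / Server 2012 and later; a Status of Pending means the template requires CA certificate manager approval, which the troubleshooting section below covers.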
If the EFS Template Does Not Appear in the Enrollment Wizard
The EFS template may not be published to the new CA. Open the Certification Authority snap-in (certsrv.msc), right-click Certificate Templates, select New > Certificate Template to Issue, and choose the EFS template. If the template is not listed, you must duplicate it first using the Certificate Templates Console (certtmpl.msc).
If the CA Rejects the EFS Request After Migration
Even after removing the old certificate, the CA may reject the new request. This usually points to a mismatch in key archival settings or a missing CA exchange certificate.
“The certificate cannot be used for EFS” Error
This error appears when the CA does not have key archival enabled for the EFS template, or the CA exchange certificate is not configured. On the new CA server, open the Certification Authority snap-in. Right-click the CA name, select Properties, go to the Recovery Agents tab, and ensure Archive the key is checked. If it is not, check it and restart the CA service. Then, in the Certificate Templates Console, right-click the EFS template, select Properties, go to the Request Handling tab, and set Allow private key to be exported to Yes. On the Issuance Requirements tab, clear CA certificate manager approval if it is enabled, unless your policy requires it.
“The requested certificate template is not supported by this CA” Error
The new CA may not have the correct template version. On the CA server, open the Certificate Templates Console (certtmpl.msc). Find the EFS template, right-click it, and select Properties. On the General tab, note the Template version. In the Certification Authority snap-in, right-click Certificate Templates, select New > Certificate Template to Issue, and choose the exact same version. If the version does not match, duplicate the template with a new version number and publish that instead.
EFS Certificate Still Not Enrolling After Fixing Template
If the template is published and key archival is enabled, but enrollment still fails, check the CA exchange certificate. On the CA server, open certlm.msc, go to Personal > Certificates. Look for a certificate with the Intended Purpose “Certificate Request Agent”. If it is missing or expired, renew it. You can use the command certutil -renew -CAexchange to regenerate the exchange certificate. After renewal, restart the CA service and try the EFS request again.
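Two of the CA-side conditions described in this troubleshooting section (template published on the CA, CA exchange certificate obtainable) can be checked from a workstation before retrying enrollment. The script below is an added example, not part of the article; $CaConfig is a placeholder, and the key archival and template version settings still have to be inspected in certtmpl.msc as described above.

```powershell
# Added example (not from the article). Run on a domain-joined admin workstation or on the CA.
$CaConfig = 'CA-Server\CA-Name'   # placeholder: "<host>\<CA common name>" of the migrated CA
$Template = 'EFS'                 # template name as published on the CA

# Helper: run certutil against the CA and capture exit code plus combined output.
function Invoke-CertUtil([string[]]$CertUtilArgs) {
    $out = & certutil -config $CaConfig @CertUtilArgs 2>&1
    [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = ($out -join "`n") }
}

# Check 1: is the EFS template published on this CA?
# -CATemplates prints one "<Name>: <DisplayName> -- <status>" line per template the CA will issue.
$tpl = Invoke-CertUtil '-CATemplates'
if ($tpl.ExitCode -ne 0) { throw "Cannot enumerate templates on ${CaConfig}: $($tpl.Output)" }
if ($tpl.Output -notmatch "(?m)^${Template}:") {
    Write-Warning "Template '$Template' is not published; add it via Certificate Templates > New > Certificate Template to Issue."
} else {
    Write-Host "Template '$Template' is published on $CaConfig."
}

# Check 2: can the CA hand out its CA exchange certificate?
# -cainfo xchg asks the CA for the exchange certificate used for key archival; failure here
# points at the missing/expired exchange certificate case described above.
$xchg = Invoke-CertUtil '-cainfo', 'xchg'
if ($xchg.ExitCode -ne 0) { Write-Warning "CA exchange certificate unavailable:`n$($xchg.Output)" }
else                      { Write-Host    "CA exchange certificate retrieved from $CaConfig." }
```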
EFS Certificate Enrollment: Old CA vs Migrated CA
| Item | Old CA | Migrated CA |
|---|---|---|
| CA exchange certificate | Present and valid | May be missing or expired |
| Key archival setting | Enabled for EFS template | Often disabled after migration |
| Template version | Matches the published template | May be a different version |
| Client old certificate | Exists in Personal store | Blocks new enrollment |
| CA certificate in trusted store | Trusted by client | Must be reissued and redeployed |
You can now request and use a new EFS certificate from the migrated CA. After the new certificate is enrolled, encrypt a test file to verify it works. If you manage multiple clients, consider deploying the new CA certificate via Group Policy to avoid trust issues. A concrete tip: use certutil -store -silent my to list all Personal store certificates and confirm only the new EFS certificate is present before encrypting production files.