Creating a self-signed certificate for BitLocker

To lock a BitLocker-secured drive using a GoldKey smart card, you must have a certificate that is valid for BitLocker, and self-signed certificates must be enabled for BitLocker.

Start by enabling self-signed certificates. Click Start and enter “regedit” into the Search programs and files box. Under the HKLM\Software\Policies\Microsoft\FVE key, create a new DWORD called “SelfSignedCertificates”, with a value of 1.

Using notepad or another text editor, save the following text as certrequest.txt on your desktop:

[NewRequest]
Subject = "CN=BitLocker"
KeyLength = 1024
Exportable = TRUE
KeySpec = "AT_KEYEXCHANGE"
KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_DECRYPT_FLAG"
RequestType = Cert
SMIME = FALSE

[EnhancedKeyUsageExtension]
OID=1.3.6.1.4.1.311.67.1.1

Next, you will need to open the command prompt to create the certificate. Click Start and type “cmd” into the Search programs and files box. When the command prompt appears, right-click on its icon and select “Run as administrator.” From the command prompt, enter the following commands:

   cd %UserProfile%\Desktop
   CertReq -new certrequest.txt

You will be asked to save the request as a file; save it as certrequest.req on your desktop.

Open the Microsoft Management Console by entering “mmc” into the Search programs and files box. From the File menu, select “Add/Remove Snap-in,” and then add Certificates from the list on the left. You may be asked which account you would like to manage, select “My user account” and click Finish.

Under Certificates – Current User\Personal\Certificates you will find a new certificate called “BitLocker.” Right-click on this certificate and select Export from the All Tasks submenu, then follow the Certificate Export Wizard to save the certificate as BitLocker.pfx on your desktop.

Note: To export a certificate as a PFX file, you must export the private key.

Instructions to load a certificate onto a GoldKey from a PFX file can be found in the online manual.

Leave a Reply

Your email address will not be published. Required fields are marked *

Please enter the answer: * * Time limit is exhausted. Please reload CAPTCHA.