To work with BitLocker, you need to issue certificates for encryption and device recovery.

Stage 1: Creating a file with certificate parameters for device encryption.

Stage 2: Creating a file with certificate parameters for device recovery.

Stage 3: Creating certificates. 

Creating a file with certificate parameters for device encryption

To create a file with the certificate parameters for device encryption:

  1. Open Notepad or any other text editor.
  2. Copy and paste the following information into the file.

[NewRequest]

Subject = "CN=BitLocker"

KeyLength = 2048

ProviderName = "Aktiv ruToken CSP v1.0"

KeySpec = "AT_KEYEXCHANGE" 

KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE"

KeyUsageProperty = "NCRYPT_ALLOW_DECRYPT_FLAG"

RequestType = Cert

SMIME = FALSE

[EnhancedKeyUsageExtension]

OID=1.3.6.1.4.1.311.67.1.1

  1. Save the file with the name blcert.txt

Creating a file with certificate parameters for device recovery

To create a file with the certificate parameters for device recovery:

  1. Open Notepad or any other text editor.
  2. Copy and paste the following information into the file:

[NewRequest]

Subject = "CN=BitLocker DRA"

KeyLength = 2048

ProviderName = "Aktiv ruToken CSP v1.0"

Exportable = TRUE 

ExportableEncrypted = FALSE

KeySpec = "AT_KEYEXCHANGE" 

 KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE"

KeyUsageProperty = "NCRYPT_ALLOW_DECRYPT_FLAG"

RequestType = Cert

SMIME = FALSE

[EnhancedKeyUsageExtension]

OID=1.3.6.1.4.1.311.67.1.2

  1. Save the file with the name bldracert.txt .

 Creating certificates

To create certificates:

  1. Open the command prompt.
  2. To create an encryption certificate, type certreq -new blcert.txt.  Insert the token and enter the PIN code.
  3. Save the certificate file.
  4. To create a recovery certificate, type certreq -new bldracert.txt. Insert the token and enter the PIN code.

  5. Save the received certificate file.
  6. In order to verify that the certificates have been successfully created, launch the Rutoken Control Panel and go to the tab Certificates. The list of certificates must contain BitLocker DRA and BitLocker certificates. Make sure that the BitLocker certificate is selected as the default one.

  7. Use the mmc console to check whether the certificates are registered in the personal storage.