

Creating a self-signed certificate for use with BitLocker in Windows 10

Question

Sunday, May 29, 2016 3:11 AM

I'm trying to create a self-signed certificate for use with BitLocker, as per the TechNet guide titled "Using Smart Cards with BitLocker" (I can't post links here). When I load the certificate onto my smart card and try to add it as an unlock method for a drive, I get the error "A certificate suitable for BitLocker can't be found on your smart card." I think this is because I wasn't able to follow the instruction in the guide that enables the use of self-signed certificates, because **HKLM\Software\Policies\Microsoft\FVE** doesn't exist in Windows 10. Is there an equivalent entry? I should mention that this is a personal machine, and not connected to an Active Directory domain.

Here is the parameter file that I'm using.

```ini
; certreq parameter file for a self-signed BitLocker certificate
[NewRequest]
Subject = "CN=BitLocker"
KeyLength = 2048
HashAlgorithm = Sha256
; Exportable so the key can be moved onto the smart card
Exportable = TRUE
; Key-exchange key with key-encipherment usage, as BitLocker requires
KeySpec = "AT_KEYEXCHANGE"
KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_DECRYPT_FLAG"
; RequestType = Cert produces a self-signed certificate rather than a CSR
RequestType = Cert
SMIME = FALSE
ValidityPeriodUnits = 99
ValidityPeriod = Years

[EnhancedKeyUsageExtension]
; BitLocker Drive Encryption EKU
OID=1.3.6.1.4.1.311.67.1.1
```

All replies (2)

Tuesday, May 31, 2016 2:32 AM ✅Answered | 1 vote

Have you checked the link below? I think this documentation is worthwhile to read. It describes two options; you can choose the one that fits your situation.

PIVKey and BitLocker

https://pivkey.zendesk.com/hc/en-us/articles/205145033-PIVKey-and-Bitlocker

In addition, you mentioned that you couldn't see HKLM\Software\Policies\Microsoft\FVE in Windows 10. You are right; I can't see this key either. But we can create the FVE key and the SelfSignedCertificates value ourselves. For more information, please refer to the link below.

Scenario 13: Locking a Data Drive with a Smart Card

https://technet.microsoft.com/en-us/library/ee424307(WS.10).aspx

Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

Regards

Please mark the reply as an answer if you find it is helpful.

If you have feedback for TechNet Support, contact [email protected]
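The steps the answer points to, as an added example that is not part of the original thread: create the missing FVE policy key with the SelfSignedCertificates value set, generate the certificate with certreq from the question's parameter file, and confirm the resulting certificate actually carries the BitLocker EKU before trying to use it as a protector. It assumes an elevated PowerShell session on a standalone machine, that the parameter file is saved as .\bitlocker.inf, and that D: is the data drive to protect (both paths are assumptions, not from the thread).

```powershell
# Added example, not from the original post. Run elevated.
# Step 1: create the policy key that Windows 10 does not pre-create and
# allow self-signed certificates (REG_DWORD SelfSignedCertificates = 1).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) {
    New-Item -Path $fve -Force | Out-Null
}
New-ItemProperty -Path $fve -Name 'SelfSignedCertificates' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# Step 2: build the self-signed certificate from the INF in the question.
# RequestType = Cert installs it into CurrentUser\My and writes bitlocker.cer.
# (.\bitlocker.inf is an assumed path.)
certreq -new .\bitlocker.inf .\bitlocker.cer

# Step 3: verify the certificate has the BitLocker EKU (1.3.6.1.4.1.311.67.1.1);
# without it BitLocker reports "A certificate suitable for BitLocker can't be found".
$bitLockerEku = '1.3.6.1.4.1.311.67.1.1'
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $bitLockerEku } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw "No certificate with EKU $bitLockerEku found in CurrentUser\My"
}
$cert | Format-List Subject, Thumbprint, NotAfter

# Step 4 (after the certificate and key have been loaded onto the smart card):
# add it as a certificate protector for the data drive. D: is an assumed drive letter.
manage-bde -protectors -add D: -certificate -ct $cert.Thumbprint
```

Check the policy value with `Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\FVE` before adding the protector; if the value is missing or 0, BitLocker rejects the self-signed certificate even though the EKU is present.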


Tuesday, May 31, 2016 8:47 AM

I'm a bit embarrassed that I didn't think to just create the key and add the entry anyway >_<

Thank you so much for your help!