Please consider the following assumptions:
- There is an old CA 2003 in place called CA2003.
- There is an old CLM 2007 server named CLM2007 using CA2003 for certificate services.
- Users are enrolled for smart cards from a CLM profile template that uses the following certificate templates from CA2003:
- Certificate template named (Corporate Encryption Template).
- Certificate Template named (Corporate Signing Template).
- There is a new CA2008R2 that will use the same certificate templates mentioned previously.
- There is a new FIM CM 2010 server named FIM2010 using CA2008R2 for certificate services.
So now we have users with smart cards, and each smart card holds a signing certificate and an encryption certificate. We need to migrate to FIM 2010, and frankly all you need to care about is the encryption keys, in other words the S/MIME certificates. So why are signing certificates not that important? The answer is that we can simply issue users new signing certificates: nothing will be affected, and the smart card users will not notice any difference. After all, you should not archive signing-only keys, for non-repudiation purposes.
So, what needs to be done is to enroll the users' smart cards with the following certificates:
- New Signing Certificate from the new CA2008R2.
- New Encryption (SMIME) certificate from the new CA2008R2.
- All old encryption certificates from the old CA2003.
After that we are going to revoke those old encryption certificates on the old CA2003, so the keys can be used for decryption-only operations.
1. Export the old encryption keys from the old CA2003 CA.
2. Configure the new CA2008R2 to accept External Certificates.
3. Configure the CLMUtil.exe.config file located on the FIM CM server with the OID of the (Corporate Encryption Template).
4. Import those PFX files into the new CA2008R2 (they will be shown as External Certificates in the CA console) and into the new FIM2010 server (the encryption keys will be marked as external).
5. Configure the FIM CM profile template for smart cards to include the following certificate templates:
a. Certificate template named (Corporate Encryption Template).
b. Certificate Template named (Corporate Signing Template).
6. Configure the same profile template to include X number of External Certificates.
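The post does not name the tools for steps 1, 2 and 4; the following is an added PowerShell walkthrough (not from the original post) that performs them with the built-in certutil key-archival commands. The CA config strings, host names, serial numbers, template OID and working folder are constructed placeholders; the script assumes the operator has CA officer rights on CA2003 and CA administrator rights on CA2008R2, and that the KRA certificate with its private key is in the personal store of the account running the recovery. The CLMUtil.exe.config setting of step 3 and the FIM CM-side import are not shown, since the post gives neither the config key nor the import syntax.

```powershell
# Added example, not part of the original post. All names below are placeholders.
$OldCa = 'CA2003.corp.example\CA2003'       # <host>\<CA common name> of the old CA
$NewCa = 'CA2008R2.corp.example\CA2008R2'   # <host>\<CA common name> of the new CA
$Work  = 'C:\KeyMigration'                  # working folder for blobs and PFX files
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# Read the PFX password once so it is neither hard-coded nor kept in the command history.
$PfxPassword = Read-Host 'Password for the recovered PFX files'

# Constructed list of archived encryption certificates, one per user, keyed by serial number.
# In practice this list comes from a certutil -view query against CA2003 restricted to
# the Corporate Encryption Template (placeholder OID 1.3.6.1.4.1.311.21.8.99999.1).
$Users = @(
    @{ Sam = 'alice'; Serial = '1a2b3c4d000000000001' },
    @{ Sam = 'bob';   Serial = '1a2b3c4d000000000002' }
)

# Step 1: export the archived encryption keys from CA2003.
foreach ($u in $Users) {
    $blob = Join-Path $Work "$($u.Sam).blob"
    $pfx  = Join-Path $Work "$($u.Sam).pfx"

    # -getkey fetches the archived key, still encrypted to the KRA certificate.
    certutil -config $OldCa -getkey $u.Serial $blob
    if ($LASTEXITCODE -ne 0) { throw "getkey failed for $($u.Sam)" }

    # -recoverkey decrypts the blob with the KRA private key into a password-protected PFX.
    certutil -p $PfxPassword -recoverkey $blob $pfx
    if ($LASTEXITCODE -ne 0) { throw "recoverkey failed for $($u.Sam)" }

    # The blob is an extra copy of the user's key material; remove it once the PFX exists.
    Remove-Item $blob
}

# Step 2: allow CA2008R2 to archive keys it did not issue (foreign certificates).
# The CA service must be restarted for the flag to take effect; run Restart-Service on
# CA2008R2 itself, since Restart-Service has no -ComputerName parameter.
certutil -config $NewCa -setreg ca\KRAFlags +KRAF_ENABLEFOREIGN
if ($LASTEXITCODE -ne 0) { throw 'setting KRAF_ENABLEFOREIGN failed' }
Restart-Service certsvc

# Step 4 (CA side): import each PFX into the CA2008R2 database as an external certificate.
foreach ($u in $Users) {
    $pfx = Join-Path $Work "$($u.Sam).pfx"
    certutil -config $NewCa -p $PfxPassword -ImportKMS $pfx
    if ($LASTEXITCODE -ne 0) { throw "ImportKMS failed for $($u.Sam)" }

    # Check that the certificate now has a row in the new CA's database.
    certutil -config $NewCa -view -restrict "SerialNumber=$($u.Serial)" -out 'RequestID,SerialNumber,NotAfter'
}

# Steps 3, 5 and 6 and the FIM CM-side import are done with the FIM CM tooling described in
# the TechNet article the post refers to. Only after the smart cards have been re-enrolled
# and the users can still open old mail should the old certificates be revoked on CA2003
# (reason 4 = Superseded), which is the revocation step the post describes.
foreach ($u in $Users) {
    certutil -config $OldCa -revoke $u.Serial 4
    if ($LASTEXITCODE -ne 0) { throw "revoke failed for $($u.Sam)" }
}

# The PFX files hold users' private keys; delete them from the working folder once the
# CA and FIM CM imports have been verified.
```

The PFX files produced by -recoverkey are the users' decryption keys in clear, protected only by the password entered at the top, so keep the working folder on the CA or a hardened admin workstation, restrict it to the migration operators, and delete the files once both imports are confirmed. Revocation is deliberately the last step: a revoked certificate can still decrypt mail already encrypted to it, which is exactly the decryption-only state the post wants, but revoking before re-enrollment would leave users without a working encryption certificate for new mail.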
The following TechNet article contains step-by-step instructions for importing external certificates.