Migrating from CLM 2007 to FIM 2010

Please consider the following assumptions:

  • There is an old CA 2003 in place called CA2003.
  • There is an old CLM 2007 server named CLM2007 using CA2003 for certificate services.
  • Users are enrolled for smart cards from a CLM profile template that uses the following certificate templates from CA2003:
    • Certificate template named (Corporate Encryption Template).
    • Certificate Template named (Corporate Signing Template).
    • There is a new CA2008R2 that will use the same certificate templates mentioned previously.
    • There is a new FIM CM 2010 server named FIM2010 using CA2008R2 for certificate services.

1.1 Approach for migration

So now we have users with smart card, each smart card contains signing certificate and encryption certificate. We need to migrate to FIM 2010 and frankly all you need to care about is the encryption keys or SMIME certificates in other words. So why signing certificates are not that important? The answer is we can simply issue users new signing certificates and nothing will not be affected nor the smart card users will feel any difference. After all, you should not archive signing only keys for non-repudiation purposes.

So, what need to be done, is to enroll users smart cards with the following certificates on it :

  1. New Signing Certificate from the new CA2008R2.
  2. New Encryption (SMIME) certificate from the new CA2008R2.
  3. All old encryption certificates from the old CA2003

After that we are going to revoke those old encryption keys on the old CA2003 so they can be used for decryption only operations.

1.2 Migration Steps

1. Export the old encryption keys from the old CA2003 CA.

2. Configure the new CA2008R2 to accept External Certificates.

3. Configure the CLMUtil.exe.config file located in the FIM CM server with OID of the (Corporate Encryption Template)

4. Import those pfx files to the new CA2008R2 ( they will be shown as External Certificates in the CA console) and to the new FIM2010 server ( the encryption keys will be marked as external)

5. Configure the FIM CM profile template for smart cards and includes the following certificate templates :

a. Certificate template named (Corporate Encryption Template).

b. Certificate Template named (Corporate Signing Template).

6. Configure the same profile template to include X number of External Certificates.

The following TechNet article contains step by step instruction to perform the import of external certificates.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s