Microsoft Forefront Identity Management – Certificate Management (FIM CM 2010) – Migration/Upgrade

I can see that I'm getting many hits on my blog for the PKI category, so I decided to invest some time writing about one of my favorite PKI topics, which is Microsoft's certificate management software, FIM CM 2010.

This deployment guide is written to explain points that are missing from the Microsoft FIM CM TechNet documentation. It also explains the functions of the FIM CM agents and the authorization model that FIM CM uses. Even Microsoft's internal staff admit that the security model FIM CM is built on is considered the most complex one.

Regarding the installation of FIM CM 2010, all the steps are on the Microsoft TechNet portal, and I will not repeat them here. Instead I will highlight some key points.

Some organizations are still running the older certificate management product, CLM 2007 (Microsoft Certificate Lifecycle Management), and in my company we already have CLM 2007 FP1 in place. Now that FIM CM 2010 has arrived, there is a lack of documentation on Microsoft TechNet about how to upgrade an existing CLM deployment to FIM CM. This is something I will be discussing in this blog.


Who should be reading this

This is a level 400 document: you should have good knowledge of Microsoft CLM 2007 and be familiar with Active Directory, smart cards and PKI fundamentals.


We will make some assumptions in this blog to keep the explanation simple. First, there is a current infrastructure in place serving all smart card and certificate enrollment requests (shown on the right side of figure 1). This old infrastructure consists of a server named CA2003 acting as a Microsoft Certificate Authority on Windows Server 2003 SP2.

On the other side is the new infrastructure that we will migrate to. It consists of a new Certificate Services server on Windows Server 2008 R2 and a new FIM 2010 Certificate Management server, also running on Windows Server 2008 R2. The FIM2010 server also runs SQL Server 2008 R2 Standard Edition.

In this blog I will use FIM CM to refer to the FIM2010 server, and old CA and new CA to refer to CA2003 and CA2008R2 respectively.


Migrating from CLM to FIM


Now let us move to the difficult part, which is the migration from CLM 2007 to FIM 2010. Consider the following assumptions:

  • There is an old CA 2003 in place called CA2003.
  • There is an old CLM 2007 server named CLM2007 using CA2003 for certificate services.
  • Users are enrolled for smart cards from a CLM profile template that uses the following certificate templates from CA2003:
    • Certificate template named (Corporate Encryption Template).
    • Certificate Template named (Corporate Signing Template).
  • There is a new CA2008R2 that will use the same certificate templates mentioned previously.
  • There is a new FIM CM 2010 server named FIM2010 using CA2008R2 for certificate services.


Approach for migration

So now we have users with smart cards, and each smart card contains a signing certificate and an encryption certificate. We need to migrate to FIM 2010, and frankly all you need to care about are the encryption keys, in other words the S/MIME certificates. So why are the signing certificates not that important? The answer is that we can simply issue users new signing certificates: nothing will be affected, and smart card users will not feel any difference. After all, you should never archive signing-only keys, for non-repudiation reasons (a signing key that someone else can recover cannot prove that only its owner signed with it).

So what needs to be done is to enroll the users' smart cards with the following certificates:

  • New Signing Certificate from the new CA2008R2.
  • New Encryption (SMIME) certificate from the new CA2008R2.
  • All old encryption certificates from the old CA2003.

After that we will revoke the old encryption certificates on the old CA2003, so that their keys are used only for decryption operations (reading previously encrypted mail) and no longer for encrypting new mail.

Migration Steps

To do this, perform the following steps:

  1. Export the old encryption keys (as PFX files) from the old CA2003.
  2. Configure the new CA2008R2 to accept External Certificates.
  3. Configure the CLMUtil.exe.config file located on the FIM CM server with the OID of the (Corporate Encryption Template).
  4. Import those PFX files into the new CA2008R2 (they will be shown as External Certificates in the CA console) and into the new FIM2010 server (the encryption keys will be marked as external).
  5. Configure the FIM CM profile template for smart cards to include the following certificate templates:
    1. Certificate template named (Corporate Encryption Template).
    2. Certificate Template named (Corporate Signing Template).
  6. Configure the same profile template to include X External Certificates, where X is the number of old encryption certificates a user's smart card needs to carry.

Note: Corporate Encryption Template and Corporate Signing Template are just my own example names for two certificate templates that issue encryption and signing certificates.
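The following PowerShell script is an added example, not code from the original post or from Microsoft's documentation. It batches the CA-side parts of steps 1, 2 and 4 above by driving certutil.exe: it exports the archived encryption keys of a list of users from the old CA as password-protected PFX files, enables the KRAF_ENABLEFOREIGN flag on the new CA so that it accepts certificates it did not issue, and imports the PFX files into the new CA database. The FIM CM-side import (step 3 and the FIM CM half of step 4) is not shown. The host names CA2003 and CA2008R2 come from the post; the CA common names in the config strings, the output folder and the user list are constructed placeholders, and the use of certutil -importkms for the CA-side import is my assumption about how the external certificates reach the CA database.

```powershell
# Added example (not from the original post): CA-side key migration helper.
# Assumes it runs as a Key Recovery Agent whose KRA private key is available
# on this machine, with management rights on both CAs.

$OldCA   = 'CA2003\Corporate Issuing CA 2003'      # placeholder: "host\CA common name"
$NewCA   = 'CA2008R2\Corporate Issuing CA 2008R2'  # placeholder: "host\CA common name"
$WorkDir = 'C:\KeyMigration'                       # placeholder output folder
$Users   = @('alice@corp.example', 'bob@corp.example')   # constructed sample UPNs

# Password protecting the exported PFX files; prompted for, never hard-coded.
$Secure = Read-Host -AsSecureString 'Password for exported PFX files'
$Bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
$PfxPwd = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# ---- Step 1: export archived keys from the old CA ---------------------------
# certutil -getkey writes the KRA-encrypted recovery blob for the user's
# archived key(s); certutil -recoverkey decrypts it with the KRA private key
# and writes a password-protected PFX containing certificate and key.
function Export-ArchivedKey {
    param([string]$Upn)
    $safe = $Upn -replace '[^A-Za-z0-9.@_-]', '_'
    $blob = Join-Path $WorkDir "$safe.blob"
    $pfx  = Join-Path $WorkDir "$safe.pfx"

    & certutil.exe -config $OldCA -getkey $Upn $blob | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "No archived key found for $Upn"; return $null }

    & certutil.exe -p $PfxPwd -recoverkey $blob $pfx | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Key recovery failed for $Upn"; return $null }

    Remove-Item $blob -Force      # the blob is not needed once the PFX exists
    return $pfx
}

$PfxFiles = @(foreach ($u in $Users) { Export-ArchivedKey -Upn $u } | Where-Object { $_ })
Write-Host "Exported $($PfxFiles.Count) PFX file(s) to $WorkDir"

# ---- Step 2: let the new CA accept external certificates --------------------
# KRAF_ENABLEFOREIGN makes the CA accept certificates it did not issue.
# The flag is read at service start, so certsvc is restarted afterwards.
Invoke-Command -ComputerName 'CA2008R2' -ScriptBlock {
    certutil.exe -setreg ca\KRAFlags +KRAF_ENABLEFOREIGN | Out-Null
    Restart-Service -Name certsvc
}

# ---- Step 4 (CA side): import the PFX files into the new CA database --------
# certutil -importkms archives the key and certificate from a PFX into the
# CA database (assumption: this is what makes them show as External
# Certificates in the CA console once the flag above is set).
foreach ($pfx in $PfxFiles) {
    & certutil.exe -config $NewCA -p $PfxPwd -importkms $pfx | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Import failed for $pfx" }
    else { Write-Host "Imported $pfx into $NewCA" }
}

# The PFX files hold users' private keys: delete them only after the
# FIM CM-side import (step 4) has completed and the run has been audited.
# Remove-Item (Join-Path $WorkDir '*.pfx') -Force
```

Run the script from an administrative PowerShell session on a machine that holds the KRA certificate with its private key; each certutil call is checked through $LASTEXITCODE so that a user without an archived key, or a failed recovery, is reported and skipped rather than silently producing an empty PFX.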


The following TechNet article contains step-by-step instructions for importing external certificates.

