Forefront Identity Management FIM CM / Smart Card Management (Level 400)

If you are a FIM CM Administrator, then part of your work is to manage smart cards using the FIM CM Portal.

It is hard to understand what happens to the certificates on a smart card when you perform smart card management tasks. This blog post presents diagrams that show what happens in each case, according to my own tests 🙂

The diagrams use E to indicate an encryption certificate and S to indicate a signing certificate.

  • PERM: means permanent smart card
  • DUB: means duplicate smart card
  • REP: means replaced smart card
  • Red line across the certificate: means revoked certificate

Smart Card Replacement

Assumptions: the FIM portal is configured with the following settings:

  • Workflow: Duplicate Revocation Settings : Not configured
  • Workflow: Revocation Settings:
    • Set old card or profile status to disabled
    • Revoke old certificates.
  • Workflow: General:
    • Re-issue archived Certificates.

Now, this is what will happen: if you have a smart card with E1 and S1 (the encryption and signing certificates on the smart card), and you also have a duplicate smart card (DUB) with, of course, E1 and S2 (the same encryption certificate but a different signing certificate), then replacing the permanent smart card does what the figure shows.

  • Upon replacing your permanent smart card, the encryption certificate E1 is revoked on both the permanent and the duplicate smart card, and the signing certificate on the permanent smart card (S1) is revoked, while the signing certificate on the duplicate smart card is not touched. The final replacement card contains a new signing certificate (S3), a new encryption certificate (E2), and a copy of the old E1 encryption certificate, to be used to decrypt any content that was encrypted using E1. New encryption, though, uses the new E2. Note that you can always decrypt using a revoked certificate. The permanent card is set to the Disabled state if you configured the workflow revocation settings in the FIM portal to (Set old card or profile status to disabled).
  • If you replace the duplicate smart card instead, the opposite happens.
  • If you now duplicate the replacement smart card, a new signing certificate is issued (S4) and the rest stays the same.

Note: since signing certificates are not archived at the CA (this is how you should configure the CA), you will always get a new signing certificate no matter which operation you perform on the smart card.

[Figure: Smart Card Replacement]

Smart Card Retirement

Scenario 1: Retire a duplicate smart card

1. Revoke all certificates on the duplicate card – the duplicate smart card is no longer assigned to the user – the smart card doesn't have any certificates, as they are deleted.

2. Disable the permanent smart card (which revokes all certificates on the card) – the permanent smart card is still assigned to the user – the smart card still has its certificates, but they are revoked, so they can be used to recover encrypted files.

Scenario 2: Retire a permanent card that has a duplicate smart card

1. Revoke all certificates on the permanent card – the permanent card is no longer assigned to the user – the smart card doesn't have any certificates, as they are deleted.

2. Disable the duplicate smart card (which revokes all certificates on the card) – the duplicate smart card is still assigned to the user – the smart card still has its certificates, but they are revoked, so they can be used to recover encrypted files.


[Figure: Smart Card Retirement]

Disable Smart Card

[Figure: Disable Smart Card]

Duplicate Smart Card

FIM recovers the same encryption certificates (if archived) and always issues new signing certificates.

[Figure: Duplicate Smart Card]

Online Update a Smart Card – Case 1

Assumptions:

User X is enrolled for two smart cards, one of which is a duplicate. The Online Update Policy is configured to (Revoke Archived Certificates) for both the (Certificate Content Change) and (Certificate Expiry) reasons. The smart cards are enrolled using a profile template that contains two certificate templates (Encryption Certificate Template and Signing Certificate Template).

Action: the administrator performs an online update for the PERM card, chooses (Certificate Content Change), and chooses to update only the (Signing Certificate Template).

What will happen:

Online Update cannot be done entirely from the administrator workstation. The (Update Initiator) initiates the Online Update request for a smart card; after this action is approved in a workflow, as described in the management policy workflow, the user should log on to the FIM Client site and check his requests. He will see two approved Online Update requests (one for each card). The user should then insert his permanent smart card and execute the first approved online update, then insert the duplicate smart card and execute the second approved online update.

The user ends up with two smart cards with the encryption certificate untouched. But both signing certificates on the smart cards are revoked and deleted, and new ones are issued and written to the smart cards, as shown in the figure below.

[Figure: Online Update a Smart Card – Case 1]


Online Update a Smart Card – Case 2

Assumptions:

User X is enrolled for two smart cards, one of which is a duplicate. The Online Update Policy is configured to (Revoke Archived Certificates) for both the (Certificate Content Change) and (Certificate Expiry) reasons. The smart cards are enrolled using a profile template that contains two certificate templates (Encryption Certificate Template and Signing Certificate Template).

Action: the administrator performs an online update for the PERM card, chooses (Certificate Content Change), and chooses to update only the (Encryption Certificate Template).

What will happen:

Online Update cannot be done entirely from the administrator workstation. The (Update Initiator) initiates the Online Update request for a smart card; after this action is approved in a workflow, as described in the management policy workflow, the user should log on to the FIM Client site and check his requests. He will see two approved Online Update requests (one for each card). The user should then insert his permanent smart card and execute the first approved online update, then insert the duplicate smart card and execute the second approved online update.

The user ends up with two smart cards with the signing certificates untouched. But the encryption certificate (E1) is revoked and kept on the smart cards for recovery use. New encryption certificates, E2 and E3, are issued and written to the cards, as shown in the figure below.

The user ends up with two cards and with two encryption certificates, E1 and E2. To solve this, you can now retire smart card DUB (this revokes and deletes S2 and E2) and then duplicate the PERM card. After all is done, the DUB card has (S3, E2, and the revoked E1).


[Figure: Online Update a Smart Card – Case 2]


Online Update a Smart Card – Case 3

Assumptions:

User X is enrolled for two smart cards, one of which is a duplicate. The Online Update Policy is configured to (Revoke Archived Certificates) for both the (Certificate Content Change) and (Certificate Expiry) reasons. The smart cards are enrolled using a profile template that contains two certificate templates (Encryption Certificate Template and Signing Certificate Template).

Action: now the administrator removes the signing certificate template from the profile template and initiates an online update of the smart card (it doesn't matter whether it is the PERM card or the DUB card).

What will happen:

Online Update cannot be done entirely from the administrator workstation. The (Update Initiator) initiates the Online Update request for a smart card; after this action is approved in a workflow, as described in the management policy workflow, the user should log on to the FIM Client site and check his requests. He will see two approved Online Update requests (one for each card). The user should then insert his permanent smart card and execute the first approved online update, then insert the duplicate smart card and execute the second approved online update.

The user ends up with two smart cards with the signing certificates revoked and deleted. The encryption certificate is not touched.

[Figure: Online Update a Smart Card – Case 3]


Online Update a Smart Card – Case 4

Assumptions:

User X is enrolled for two smart cards, one of which is a duplicate. The Online Update Policy is configured to (Revoke Archived Certificates) for both the (Certificate Content Change) and (Certificate Expiry) reasons. The smart cards are enrolled using a profile template that contains two certificate templates (Encryption Certificate Template and Signing Certificate Template).

Action: now the administrator removes the encryption certificate template from the profile template and initiates an online update of the smart card (it doesn't matter whether it is the PERM card or the DUB card).

What will happen:

Online Update cannot be done entirely from the administrator workstation. The (Update Initiator) initiates the Online Update request for a smart card; after this action is approved in a workflow, as described in the management policy workflow, the user should log on to the FIM Client site and check his requests. He will see two approved Online Update requests (one for each card). The user should then insert his permanent smart card and execute the first approved online update, then insert the duplicate smart card and execute the second approved online update.

The user ends up with two smart cards with the encryption certificates revoked and deleted. The signing certificates are not touched.

[Figure: Online Update a Smart Card – Case 4]
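As an added example (not part of the original post, and not a FIM CM API), the following Python model encodes the behaviour observed in the replacement, duplicate, retirement/disable and online update sections above, so you can replay a scenario and see which certificates end up revoked, deleted or re-issued on each card. The FimCm class, the revoke_all helper and the E/S numbering are my own construction, chosen to match the page's diagrams.

```python
from dataclasses import dataclass
from itertools import count

@dataclass
class Cert:
    kind: str              # "E" encryption (archived at the CA) or "S" signing (never archived)
    num: int
    revoked: bool = False  # the red line across a certificate in the page's diagrams
    def __str__(self):     # "E1*" means E1, revoked
        return f"{self.kind}{self.num}{'*' if self.revoked else ''}"

class FimCm:
    """A card is a list of Cert objects; they are shared, so revoking E1 via one card revokes it on every card."""
    def __init__(self):
        self.seq = {"E": count(1), "S": count(1)}
    def issue(self, kind):
        return Cert(kind, next(self.seq[kind]))
    def enroll(self):
        return [self.issue("E"), self.issue("S")]
    def duplicate(self, src):
        # the archived E cert is recovered onto the duplicate; a signing cert is always newly issued
        return [c for c in src if c.kind == "E"] + [self.issue("S")]
    def revoke_all(self, card, delete=False):
        # retire = revoke and delete the certs; disable = revoke but keep them for recovery
        for c in card:
            c.revoked = True
        if delete:
            card.clear()
    def replace(self, old):
        # Revocation Settings: old certs revoked; the new card gets fresh E and S plus the old
        # (now revoked) E re-issued from the CA archive so data encrypted with it stays readable
        self.revoke_all(old)
        return [self.issue("E"), self.issue("S")] + [c for c in old if c.kind == "E"]
    def online_update(self, card, kind, in_profile=True):
        # policy "Revoke Archived Certificates": S is revoked and deleted, E is revoked but kept;
        # a new cert of that kind is issued only while its template is still in the profile template
        for c in [c for c in card if c.kind == kind]:
            c.revoked = True
            if kind == "S":
                card.remove(c)
        if in_profile:
            card.append(self.issue(kind))

def replacement_scenario():  # the page's walk-through: PERM with a DUB, replace PERM, duplicate REP
    fim = FimCm()
    perm = fim.enroll()
    dub = fim.duplicate(perm)
    rep = fim.replace(perm)
    return [[str(c) for c in card] for card in (perm, dub, rep, fim.duplicate(rep))]
```

Calling replacement_scenario() reproduces the replacement diagram (PERM E1*/S1*, DUB E1*/S2, REP E2/S3/E1*, new DUB E2/E1*/S4), and the online update cases follow by calling online_update on each card in turn.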


WOW... That was a lot of info and testing! I hope you find this a nice post.
