FIM 2010 - CLMUtil Command-Line Tool

Applies To: Forefront Identity Manager 2010

CLMUtil is a powerful command-line tool in Microsoft® Forefront Identity Manager Certificate Management (FIM CM). CLMUtil is typically used to recover from synchronization errors that may occur between FIM CM and the Certificate Authority (CA), to assist in manually configuring certificates, to display information, and to update password and configuration information. CLMUtil can be used to perform the following:

  • Import certificates that were written to the CA database but not to the FIM CM database because of a connection failure between FIM CM and the SQL Server that hosts the FIM CM database.

  • Import certificates that were issued before FIM CM was deployed.

  • Update the SQL database connection string.

  • Update the FIM CM Agent account password.

By default, CLMUtil.exe is installed in %Program Files%\Microsoft Forefront Identity Manager\2010\Certificate Management\Bin.

The following topics describe CLMUtil configuration and commands:

  • CLMUtil Configuration File

  • CLMUtil Commands

  • Encrypting a Passphrase File with CLMUtil

CLMUtil Configuration File

CLMUtil.exe contains a configuration file, CLMUtil.exe.config. By default this file is installed in %Program Files%\Microsoft Forefront Identity Manager\2010\Certificate Management\Bin and provides the default configuration information for CLMUtil. The following table shows the settings for CLMUtil.exe.config.

Settings for CLMUtil.exe.config

Setting Description

DatabasePath

Connection path to the SQL Server database. You can enter this as a database connection string or as a protected registry string from the Web.config file. It is recommended to use the protected registry string that is found in the Web.config file. This setting is required for all database-modifying commands.

<add key="DatabasePath"
value="protected:Registry,DPAPI;value:HKLM\SOFTWARE\Microsoft\Clm\v1.0\Server\WebUser\,DBConnectionString" />

DefaultCertificateTemplateOID

Object identifier for the default certificate template that CLMUtil should use for import. For example, 1.2.3.4. This setting is the default value that is used when CLMUtil cannot determine the OID of imported certificates by doing an Active Directory search on the certificate name. This should be used when a certificate template cannot be determined from the certificate template extension or if the certificate was issued by a 3rd party CA.

<add key="DefaultCertificateTemplateOID"
value="1.2.3.4" />

CertImportDebugFile

Local path on the FIM CM server for storing debugging information about the import process. To disable debugging, set this value to an empty string or to a file on a non-existent path. For example, E:\Debug.txt, where E:\ is a non-existent drive. This setting is used by all CLMUtil commands but is not required. The CLMUtil.exe.config file seems to imply that it is required for -syncrequest and -importpfx, but this is not the case.

<add key="CertImportDebugFile"
value="e:\debug.txt" />

ImportPfxSuccessDirectory

Local file on the FIM CM server for storing import successes for the importpfxbatch command only. For example, E:\Success.

<add key="ImportPfxSuccessDirectory"
value="e:\Success" />

ImportPfxReportFileName

Local file on the FIM CM server for storing import reports for the importpfxbatch command only. For example, E:\Success\Report.txt. This report includes file name, time of processing, and import success status.

<add key="ImportPfxReportFileName"
value="e:\Success\Report.txt" />

Important

Before you use CLMUtil, you must update the CLMUtil.exe.config to specify your database path and the default certificate template object identifier. If this object identifier is not valid, or does not correspond to an actual certificate template object identifier, certificates that you import by using the importpfx command, or commands derived from it, cause CLMUtil to display unknown certificate template names for imported certificates. Configuring other settings is optional.

CLMUtil Commands

The following topics describe the CLMUtil commands:

  • Formatting legend for the CLMUtil command syntax

  • addca

  • decodedpapi

  • deleterequest

  • dispsdaccess

  • dispsdadobject

  • encodedpapi

  • genkey

  • importpfx

  • importpfxbatch

  • listca

  • omitcertificateduringrecovery

  • removeca

  • setacctpwd

  • setdbconn

  • sync

  • syncrequest

Formatting legend for the CLMUtil command syntax

The table below shows the formatting legend for the CLMUtil command syntax.

Important

Unless you add a dash (-) before some CLMUtil commands and parameters, CLMUtil does not process your command. Throughout this document, the commands and parameters that require the dash are shown with it.

Formatting for the CLMUtil command syntax

Format Meaning

Italic

Information that the user must supply.

Bold

Elements that the user must type exactly as shown.

Ellipsis (…)

Parameter that can be repeated several times in a command line.

Between brackets([])

Optional items.

Between braces ({}); choices separated by pipe (|).

Example: {even|odd}

A set of choices from which the user must choose only one.

addca

Allows you to add or update a 3rd party CA connector registration.

Syntax
CLMUtil -addca AssemblyQualifiedName -name CaName -server ServerName [-templates TemplateList] [-config data]

addca Parameters

Parameter Description

AssemblyQualifiedName

The assembly-qualified name of a .NET type that implements the ICertificateServer interface.

-name CaName

The name of the 3rd party Certificate Authority.

-server ServerName

The FQDN of the server that is running the 3rd party Certificate Authority.

-templates TemplateList

The comma-separated list of certificate templates (common names) that can be used to request certificates from the given 3rd party CA. Omitting this parameter signifies that all certificate templates can be used to request certificates.

-config data

The free-form configuration string passed to the connector during the initialization phase. This string cannot be longer than 256 characters.

addca Examples

Example Description

ClmUtil -addca "Microsoft.Test.Connector, TestConnector" -name TestCA -server server.domain.com -templates User,SmartCardLogon -config "c:\text.xml"

Registers a new 3rd party CA connector implemented by the Microsoft.Test.Connector type in the TestConnector assembly. The CA name is TestCA and the server name is server.domain.com. Two certificate templates (User and SmartCardLogon) would be available for certificate issuance from this CA. The initialization string is located in "c:\text.xml".

ClmUtil -addca "Microsoft.Test.Connector, TestConnector" -name TestCA -server server.domain.com

Registers a new 3rd party CA connector implemented by the Microsoft.Test.Connector type in the TestConnector assembly. The CA name is TestCA and the server name is server.domain.com. Because -templates is omitted, all certificate templates that are present in Active Directory would be available for certificate issuance from this CA, and no initialization string is provided. Run against the registration created in the first example, the same command updates that registration so that all certificate templates present in Active Directory become available for certificate issuance from this CA.

ClmUtil -addca "Microsoft.Test.Connector, TestConnector" -name TestCA -server server.domain.com -templates User,SmartCardLogon,Email -config "c:\text.xml"

Updates existing 3rd party CA connector registration. (See the first example). One additional certificate template (Email) would be available for certificate issuance from this CA.

decodedpapi

Decode using DPAPI (Data Protection Application Programming Interface) with the current machine's key. The data is given by In and is output to Out. If Out is omitted from the command line then the output goes to the console; otherwise it is written to the file.

Syntax
ClmUtil [Options] -decodedpapi In [Out]

decodedpapi Options

Option Description

-base64 [on|off]

Base64 encoding/decoding on or off. The default is on.

-file

The In argument is a path to a file. This is the default.

-inline

The In argument is the string to decode.

decodedpapi Parameters

Parameter Description

In

Represents the encrypted source that should be used as input. This can be an encrypted string entered manually in the command prompt window or it can be read from a file.

Out

Represents how the CLMUtil should display or store the output. If you do not specify a value for Out, CLMUtil will display the output in the command prompt window.

decodedpapi Examples

Example Description

CLMUtil -inline -decodedpapi AQAAANCMnd8BFdERjHOAWE/Cl+SBaAAAGS0RYSpNXEGp+AXDWytlvAQAAAACAAAAAAADZgAAqAAAADcxzAMilVQ8wLJMPeVD4tsAAAAAASAAACgAAAAEAAAAC0h7Hr13YXYyUZ0FVzd3OCYAAAA8YiBvdQ62HLruxiVeYkq+S8slrxYZZNTFAAAALV6tEE7yHVkT0FBTF4RGiQw4N1i

Decrypts the encrypted text string in the command prompt window.

CLMUtil -inline -decodedpapi AQAAANCMnd8BFdERjHOAWE/Cl+SBaAAAGS0RYSpNXEGp+AXDWytlvAQAAAACAAAAAAADZgAAqAAAADcxzAMilVQ8wLJMPeVD4tsAAAAAASAAACgAAAAEAAAAC0h7Hr13YXYyUZ0FVzd3OCYAAAA8YiBvdQ62HLruxiVeYkq+S8slrxYZZNTFAAAALV6tEE7yHVkT0FBTF4RGiQw4N1i c:\decode\decode.txt

Decrypts the encrypted text string and writes the result to a text file named decode.txt in a directory called decode.

CLMUtil -file -decodedpapi c:\encode\encode.txt c:\decode\decode.txt

Decrypts the encrypted text string located in a file named encode.txt and writes the result to a file named decode.txt.

deleterequest

Deletes a request from the specified CA and the associated certificate in the FIM CM database. Only requests external to FIM CM can be deleted from the CA and the FIM CM database.

Syntax
ClmUtil [Options] -deleterequest CAMachine RequestId

deleterequest Options

Option Description

-test

Specifies that CLMUtil should display the output only and not execute the delete request.

Warning

It is recommended that you run the deleterequest command with the -test option before deleting requests.

-ca

Deletes a request from a CA only.

-clm

Deletes a certificate from the FIM CM database only.

-both

Deletes a request from the CA and the associated certificate from CLM. This is the default setting.

deleterequest Parameters

Parameter Description

CAMachine

Represents the name of the CA. You must enter the entire CA name (computer name and CA name) and separate these values with a backslash (\). CAComputer must match the ca_server_name value in the FIM CM SQL database CertificateAuthority table. CAName must match the ca_name value in the FIM CM SQL database CertificateAuthority table. If these values do not match the values in the FIM CM database, CLMUtil reports an error.

RequestID

Represents the request ID for a specific request.

deleterequest Examples

Example Description

ClmUtil -test -deleterequest testpc.mydomain.com\TestCA 14

Displays information on what will be deleted from the CA and FIM CM.

ClmUtil -deleterequest testpc.mydomain.com\TestCA 14

Deletes the certificate from the FIM CM Certificates table for request 14 in the testpc.mydomain.com\TestCA Certificate Authority and also deletes the request from the Certificate Authority.

ClmUtil -clm -deleterequest testpc.mydomain.com\TestCA 27

Deletes the certificate from the FIM CM Certificates table for request 27 in the testpc.mydomain.com\TestCA Certificate Authority. If the request exists in the Certificate Authority it will NOT be deleted.

ClmUtil -ca -deleterequest testpc.mydomain.com\TestCA 31

Deletes the request from the testpc.mydomain.com\TestCA Certificate Authority with request identifier 31. If the certificate for this request exists in the FIM CM Certificates table it will NOT be deleted.

dispsdaccess

Displays access information for a security descriptor.

A security descriptor contains the security information associated with a securable object. All named Windows® objects are securable objects. Some unnamed objects, such as process and thread objects, can have security descriptors, also.

For more information about security descriptors, see Security Descriptors and Access Control Lists Technical Reference (https://go.microsoft.com/fwlink/?LinkId=88418).

Syntax
ClmUtil -dispsdaccess InputString

dispsdaccess Parameters

Parameter Description

InputString

Represents a security descriptor.

dispsdaccess Examples

Example Description

CLMUtil -dispsdaccess O:BA

Displays information for the O:BA security descriptor. O:BA designates the built-in administrator account.

dispsdadobject

Displays security descriptor for an Active Directory object.

A security descriptor contains the security information associated with a securable object. All named Windows® objects are securable objects. Some unnamed objects, such as process and thread objects, can have security descriptors, also.

For more information about security descriptors, see Security Descriptors and Access Control Lists Technical Reference (https://go.microsoft.com/fwlink/?LinkId=88418).

Syntax
ClmUtil -dispsdadobject InputString

dispsdadobject Parameters

Parameter Description

InputString

Represents an object in Active Directory.

dispsdadobject Examples

Example Description

CLMUtil -dispsdadobject "LDAP://CN=Britta Simon,OU=FIMCMUsers,DC=contoso,DC=com"

Displays access information for user Britta Simon in the Contoso domain.

encodedpapi

Encode using DPAPI (Data Protection Application Programming Interface) with the current machine's key. The data is given by In and is output to Out. If Out is omitted from the command line then the output goes to the console; otherwise it is written to the file.

Syntax
ClmUtil [Options] -encodedpapi In [Out]

encodedpapi Options

Option Description

-base64 [on|off]

Base64 encoding/decoding on or off. The default is on.

-file

The In argument is a path to a file. This is the default.

-inline

The In argument is the string to encode.

encodedpapi Parameters

Parameter Description

In

Represents the source that should be used as input for encryption. This can be a string entered manually in the command prompt window or it can be read from a file.

Out

Represents how the CLMUtil should display or store the output. If you do not specify a value for Out, CLMUtil will display the output in the command prompt window.

encodedpapi Examples

Example Description

CLMUtil -inline -encodedpapi "This is a test."

Encodes the text string "This is a test." in the command prompt window.

CLMUtil -inline -encodedpapi "This is a test." c:\encode\encode.txt

Encodes the text string and writes the result to a text file named encode.txt in a directory called encode.

CLMUtil -file -encodedpapi c:\encode\encodeIn.txt c:\encode\encodeOut.txt

Encodes the text string located in a file named encodeIn.txt and writes the result to a file named encodeOut.txt.

genkey

Generates a hex-encoded symmetric key, and then displays it in the command prompt console.

Syntax
CLMUtil -genkey

genkey Examples

Example Description

ClmUtil -genkey

Generates a hex-encoded symmetric key.

importpfx

Imports a pfx file into the CA and FIM CM databases.

Syntax
ClmUtil [options] -importpfx P12Filename PassPhraseDetails CAMachine User

importpfx Options

Option Description

-unique

Specifies that the FIM CM request should not be overwritten in the FIM CM database, if it already exists. This is the default parameter. If you do not specify a parameter, CLMUtil uses this one.

-overwrite

Updates the requested information in the FIM CM database automatically without testing for potential problems.

importpfx Parameters

Parameter Description

P12Filename

The full path (directory and file name) of the .p12 file to import.

PassPhraseDetails

Represents either the path to the encrypted passphrase file (.p7 file name extension) or the explicit password for the .p12 file mentioned above.

CAMachine

Represents the name of the CA. You must enter the entire CA name (computer name and CA name) and separate these values with a backslash (\). CAComputer must match the ca_server_name value in the FIM CM SQL database CertificateAuthority table. CAName must match the ca_name value in the FIM CM SQL database CertificateAuthority table. If these values do not match the values in the FIM CM database, CLMUtil reports an error.

Example: testpc.contoso.com\TestCA

User

Represents a user. You can specify a user by using an Active Directory distinguished name or e-mail alias. The user who is currently logged on must have the installed certificate to decrypt the passphrase file. This decrypted data provides the file name for the .p12 file for the password mapping required by Certutil.exe.

importpfx Examples

Example Description

ClmUtil -importpfx c:\p12s\t-t000002-00000002-test.user@abc.ca-1060701792-20031223134105.p12 c:\p12s\passphrase.20040831201726.p7 testpc.contoso.com\TestCA "CN=Britta Simon,OU=Test,DC=Contoso,DC=com"

Imports the specified .p12 file into testpc.contoso.com\TestCA and the FIM CM Certificates table associating it with the specified user DN. Rows will NOT be overwritten in the Certificates table.

ClmUtil -overwrite -importpfx c:\p12s\t-t000002-00000002-test.user@abc.ca-1060701792-20031223134105.p12 c:\p12s\passphrase.20040831201726.p7 testpc.contoso.com\TestCA bsimon@contoso.com

Imports the specified .p12 file into testpc.contoso.com\TestCA and the FIM CM Certificates table associating it with the specified user mail address. Rows will be overwritten in the Certificates table.

ClmUtil -importpfx c:\p12s\t-t000002-00000002-test.user@abc.ca-1060701792-20031223134105.p12 Pass1word$ testpc.contoso.com\TestCA bsimon@contoso.com

Imports a .p12 file into the CA and the FIM CM Certificates table, associates the file with the specified user e-mail address, and specifies the password explicitly rather than using a passphrase file. Rows will NOT be overwritten in the Certificates table.

importpfxbatch

Imports a batch of pfx files into the CA and FIM CM databases.

Syntax
ClmUtil [options] -importpfxbatch RootDirectory PassPhraseFilename CAMachine User

importpfxbatch Options

Option Description

-unique

Specifies that the FIM CM request should not be overwritten in the FIM CM database, if it already exists. This is the default parameter. If you do not specify a parameter, CLMUtil uses this one.

-overwrite

Updates the requested information in the FIM CM database automatically without testing for potential problems.

importpfxbatch Parameters

Parameter Description

RootDirectory

The root directory structure where the .p12 files are stored.

PassPhraseFilename

Represents the name of the passphrase file. The passphrase file must be .p7 format.

CAMachine

Represents the name of the CA. You must enter the entire CA name (computer name and CA name) and separate these values with a backslash (\). CAComputer must match the ca_server_name value in the FIM CM SQL database CertificateAuthority table. CAName must match the ca_name value in the FIM CM SQL database CertificateAuthority table. If these values do not match the values in the FIM CM database, CLMUtil reports an error.

User

Represents the user whose .pfx files you are importing. You can use either the user's e-mail or the Active Directory Distinguished Name for the user.

importpfxbatch Examples

Example Description

ClmUtil -importpfxbatch c:\p12s c:\p12s\passphrase.20040831201726.p7 testpc.contoso.com\TestCA "CN=Britta Simon,OU=Test,DC=contoso,DC=com"

Imports the .p12 files located in the c:\p12s directory structure into testpc.contoso.com\TestCA and the FIM CM Certificates table, associating them with the specified user DN. Rows will NOT be overwritten in the Certificates table.

ClmUtil -overwrite -importpfxbatch c:\p12s c:\p12s\passphrase.20040831201726.p7 testpc.contoso.com\TestCA bsimon@contoso.com

Imports the .p12 files located in the c:\p12s directory structure into testpc.contoso.com\TestCA and the FIM CM Certificates table, associating them with the specified user mail address. Rows will be overwritten in the Certificates table.

listca

Displays a list of all 3rd party CA connectors that are registered.

Syntax
CLMUtil -listca

listca Examples

Example Description

ClmUtil -listca

Displays all 3rd party CA connectors that are registered.

omitcertificateduringrecovery

Mark an archived certificate so that it is omitted during ALL FIM CM operations that involve certificate recovery from the CA. A boolean flag specifies whether the certificate will be omitted (true) or included (false). The default is omit during recovery (true).

Syntax
ClmUtil [Options] -omitcertificateduringrecovery [true|false]

omitcertificateduringrecovery Options

Option Description

-test

Specifies that CLMUtil should display the output only and not execute the request.

Warning

It is recommended that you run the -omitcertificateduringrecovery command with the -test option before running it without -test.

-certid CertId

Provides the certificate id (cert_id in the Certificates table) of the certificate to be updated.

-username UserName

Provides the user name.

-serialnumber SerialNumber

Provides the serial number of the certificate.

omitcertificateduringrecovery Examples

Example Description

ClmUtil -certid 1234 -omitcertificateduringrecovery

Marks the certificate with certificate id 1234 (cert_id [Certificates table]) so that it will be omitted during recovery.

ClmUtil -username testpc.contoso.com\bsimon -serialnumber 19befedc000000000471 -omitcertificateduringrecovery true

Marks the certificate identified by user name 'testpc.contoso.com\bsimon' and serial number '19befedc000000000471' so that it will be omitted during recovery.

removeca

Unregisters the specified CA connector.

Syntax
CLMUtil -removeca ID

removeca Parameters

Parameter Description

ID

Represents the numeric ID of the connector, as returned by the -addca or -listca command.

removeca Examples

Example Description

ClmUtil -removeca 12

Unregisters the CA Connector with a numeric id of 12.

setacctpwd

Updates the encrypted FIM CM agent account password stored in the registry. These passwords are stored in HKLM\SOFTWARE\Microsoft\CLM\v1.0\Server\WebUser.

Important

This does not update the password in Active Directory. The password must be changed in AD to reflect the changes. Also, the FIM CM IIS worker process and the FIM CM Update service will have to be restarted for changes to take effect.

Syntax
ClmUtil -setacctpwd AccountName AccountPassword

setacctpwd Parameters

Parameter Description

AccountName

Represents the account whose password is being updated. It MUST be one of the following:

  • agent

  • authAgent

  • caMngr

  • enrollAgent

  • krAgent

AccountPassword

Represents the new password for the account that is being updated.

AccountName switches

Switch Description

-agent

The FIM CM Agent account.

-authAgent

The FIM CM Authorization Agent account.

-caMngr

The FIM CM CA Manager Agent account.

-enrollAgent

The FIM CM Enrollment Agent account.

-krAgent

The FIM CM Key Recovery Agent account.

setacctpwd Examples

Example Description

ClmUtil -setacctpwd krAgent "newPassword01"

Updates the FIM CM key recovery agent account's password to "newPassword01".

setdbconn

Updates the encrypted FIM CM database connection string stored in the registry. This setting is in HKLM\SOFTWARE\Microsoft\CLM\v1.0\Server\WebUser.

Important

The FIM CM IIS worker process and the FIM CM Update service will have to be restarted for changes to take effect.

Syntax
ClmUtil -setdbconn DBConnectionString

setdbconn Parameters

Parameter Description

DBConnectionString

The new connection string to the FIM CM database.

setdbconn Examples

Example Description

ClmUtil -setdbconn "Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=FIMCertificateManagement;Data Source=FIMCM2"

Updates the FIM CM database connection string to "Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=FIMCertificateManagement;Data Source=FIMCM2".

sync

Synchronize the CA database and the FIM CM database (Certificates table).

Syntax
ClmUtil [Options] -sync CAMachine

sync Options

Option Description

-unique

Specifies that the FIM CM request should not be overwritten in the FIM CM database, if it already exists. This is the default parameter. If you do not specify a parameter, CLMUtil uses this one.

-overwrite

Updates the requested information in the FIM CM database automatically without testing for potential problems.

-test

Specifies that CLMUtil should display the output only and not execute the request.

Warning

It is recommended that you run the -sync command with the -test option before running it without -test.

-name Type

Describes how names are looked up for a certificate in the CA database. It must be followed by a type.

Type can be one of the following:

  • subject

  • requestername

  • UPN

  • E-mail

  • A hard-coded Windows NT® 4.0 name

-submitted

Specifies that CLMUtil should only show rows in the database where the date or date range matches SubmittedDate.

  • -submitted d e -- Show rows where submitted date is between d and e inclusive

  • -submitted +d -- Show rows where submitted date is after d inclusive

  • -submitted *d -- Show rows where submitted date is before d inclusive

-completed

Specifies that CLMUtil should only show rows in the database where the date or date range matches CompletedDate.

  • -completed d e -- Show rows where completed date is between d and e inclusive

  • -completed +d -- Show rows where completed date is after d inclusive

  • -completed *d -- Show rows where completed date is before d inclusive

-requestid

Specifies that CLMUtil should only show rows in the database where the request ID or ID range matches the specified RequestIDValue.

  • -requestid l u -- Show rows where request id is between l and u inclusive

  • -requestid +l -- Show rows where request id is after l inclusive

  • -requestid *l -- Show rows where request id is before l inclusive

sync Parameters

Parameter Description

CAMachine

Represents the name of the CA. You must enter the entire CA name (computer name and CA name) and separate these values with a backslash (\). CAComputer must match the ca_server_name value in the FIM CM SQL database CertificateAuthority table. CAName must match the ca_name value in the FIM CM SQL database CertificateAuthority table. If these values do not match the values in the FIM CM database, CLMUtil reports an error.

sync Examples

Example Description

ClmUtil -overwrite -sync testpc.mydomain.com\TestCA

Copies all requests from the CA to the Certificates table. The database connection string is stored in the ClmUtil configuration file. Rows will be overwritten in the Certificates table.

ClmUtil -unique -sync testpc.mydomain.com\TestCA

Copies those requests from the CA to the Certificates table which do not already exist in the Certificates table. Hence, no overwrites will occur.

ClmUtil -test -overwrite -sync testpc.mydomain.com\TestCA

Displays a list of all the request IDs that would be copied over to the Certificates table if the '-test' argument were removed.

ClmUtil -unique -submitted "+1/7/2011" -sync testpc.mydomain.com\TestCA

Copies those requests from the CA to the Certificates table which do not already exist in the Certificates table. Hence, no overwrites will occur. Moreover, only those rows will be copied whose submitted date also occurs on or after 1/7/2011.

ClmUtil -overwrite -requestid 10 20 -sync testpc.mydomain.com\TestCA

Copies all requests from the CA to the Certificates table whose request id is between 10 and 20 inclusive.

ClmUtil -unique -submitted "*1/9/2011 12:00 AM" -sync testpc.mydomain.com\TestCA

Copies those requests from the CA to the Certificates table which do not already exist in the Certificates table. Hence, no overwrites will occur. Moreover, only those rows will be copied whose submitted date also occurs on or before 1/9/2011 12:00 AM.

ClmUtil -completed "1/7/2011" "1/9/2011" -sync testpc.mydomain.com\TestCA

Copies all rows to the Certificates table that satisfy the constraint that the completed date occurs between 1/7/2011 and 1/9/2011 inclusive.
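The row selection that -test, -unique/-overwrite and the -submitted, -completed and -requestid filters describe, as an added Python model of the rules stated on this page (it is not CLMUtil code and does not touch a CA or the FIM CM database). The CertificateAuthority row, the CA requests and the IDs already in the Certificates table are constructed sample data, and reading a bare date such as 1/9/2011 as midnight of that day is an assumption about how CLMUtil interprets it.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Optional, Tuple, TypeVar

T = TypeVar("T")
Bounds = Tuple[Optional[T], Optional[T]]  # (lower, upper), None = unbounded

# Constructed stand-in for the CertificateAuthority table in the FIM CM database.
CERTIFICATE_AUTHORITY_TABLE = [
    {"ca_server_name": "testpc.contoso.com", "ca_name": "TestCA"},
]


@dataclass
class CaRequest:
    """One request row of the CA database as seen by sync (constructed sample)."""
    request_id: int
    submitted: datetime
    completed: Optional[datetime]  # None for a request the CA has not completed


CA_ROWS = [
    CaRequest(10, datetime(2011, 1, 6, 9, 0), datetime(2011, 1, 6, 9, 5)),
    CaRequest(12, datetime(2011, 1, 7, 0, 0), datetime(2011, 1, 7, 0, 10)),
    CaRequest(15, datetime(2011, 1, 8, 14, 30), datetime(2011, 1, 9, 0, 0)),
    CaRequest(21, datetime(2011, 1, 9, 0, 0), None),
    CaRequest(25, datetime(2011, 1, 10, 8, 0), datetime(2011, 1, 10, 8, 1)),
]

# Request IDs already present in the FIM CM Certificates table (constructed).
EXISTING_CERTIFICATE_ROWS = {12, 25}


def parse_camachine(arg: str, table=CERTIFICATE_AUTHORITY_TABLE) -> Tuple[str, str]:
    """Split 'computer\\CAname' and require a match in the CertificateAuthority table."""
    if arg.count("\\") != 1:
        raise ValueError("CAMachine must be written as computer\\CAname: %r" % arg)
    server, name = arg.split("\\")
    for row in table:
        if row["ca_server_name"] == server and row["ca_name"] == name:
            return server, name
    raise ValueError("CAMachine %r matches no ca_server_name/ca_name row" % arg)


def parse_date(text: str) -> datetime:
    """Dates on the page are U.S. month/day/year, optionally with a 12-hour time."""
    for fmt in ("%m/%d/%Y %I:%M %p", "%m/%d/%Y"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised date %r" % text)


def parse_bounds(tokens: List[str], convert: Callable[[str], T]) -> Bounds:
    """'d e' -> (d, e); '+d' -> (d, None); '*d' -> (None, d). Bounds are inclusive."""
    if len(tokens) == 2:
        return convert(tokens[0]), convert(tokens[1])
    if len(tokens) == 1 and tokens[0][:1] in ("+", "*"):
        value = convert(tokens[0][1:])
        return (value, None) if tokens[0][0] == "+" else (None, value)
    raise ValueError("expected 'd e', '+d' or '*d', got %r" % (tokens,))


def within(value, bounds: Bounds) -> bool:
    """Inclusive range test; a row with no CompletedDate never matches -completed."""
    lo, hi = bounds
    if value is None:
        return False
    return (lo is None or value >= lo) and (hi is None or value <= hi)


def sync_dry_run(camachine: str, rows=CA_ROWS, existing=EXISTING_CERTIFICATE_ROWS,
                 overwrite=False, submitted=None, completed=None,
                 requestid=None) -> Dict[str, List[int]]:
    """Model of 'ClmUtil -test [-unique|-overwrite] [filters] -sync CAMachine'.

    Returns the request IDs that would be copied into the Certificates table and
    the IDs that -unique (the default) leaves untouched because they already exist.
    """
    parse_camachine(camachine)  # CLMUtil reports an error on a mismatch
    sub = parse_bounds(submitted, parse_date) if submitted else None
    com = parse_bounds(completed, parse_date) if completed else None
    rid = parse_bounds(requestid, int) if requestid else None
    copy, skip = [], []
    for row in rows:
        if sub and not within(row.submitted, sub):
            continue
        if com and not within(row.completed, com):
            continue
        if rid and not within(row.request_id, rid):
            continue
        if not overwrite and row.request_id in existing:
            skip.append(row.request_id)
        else:
            copy.append(row.request_id)
    return {"copy": copy, "skip": skip}


if __name__ == "__main__":
    # The same filters as the sync examples above, run against the constructed rows.
    print(sync_dry_run("testpc.contoso.com\\TestCA", submitted=["+1/7/2011"]))
    print(sync_dry_run("testpc.contoso.com\\TestCA", overwrite=True, requestid=["10", "20"]))
    print(sync_dry_run("testpc.contoso.com\\TestCA", completed=["1/7/2011", "1/9/2011"]))
```

Note that "-completed 1/7/2011 1/9/2011" admits a request completed at exactly midnight on 1/9/2011 but not one completed later that day, which is why the example shows the time components explicitly.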

syncrequest

Adds an entry to the FIM CM database. The default command-line option (unique) will prevent any database updates, if FIM CM finds an entry that has the same certification authority and request identifier entries.

Syntax
ClmUtil [Options] -syncrequest CAMachine RequestId User

syncrequest Options

Option Description

-unique

Specifies that the FIM CM request should not be overwritten in the FIM CM database, if it already exists. This is the default parameter. If you do not specify a parameter, CLMUtil uses this one.

-overwrite

Updates the requested information in the FIM CM database automatically without testing for potential problems.

syncrequest Parameters

Parameter Description

CAMachine

Represents the name of the CA. You must enter the entire CA name (computer name and CA name) and separate these values with a backslash (\). CAComputer must match the ca_server_name value in the FIM CM SQL database CertificateAuthority table. CAName must match the ca_name value in the FIM CM SQL database CertificateAuthority table. If these values do not match the values in the FIM CM database, CLMUtil reports an error.

RequestID

Represents the certificate identifier in the CA. CLMUtil obtains the FIM CM database connection credentials from the DatabasePath setting in CLMUtil.exe.config. CLMUtil obtains the default certificate template object identifier from the DefaultCertificateTemplateOID setting in CLMUtil.exe.config.

User

Represents a user. You can specify a user by using an Active Directory distinguished name or e-mail alias. The user who is currently logged on must have the installed certificate to decrypt the passphrase file. This decrypted data provides the file name for the .p12 file for the password mapping required by Certutil.exe.

syncrequest Examples

Example Description

ClmUtil -syncrequest testpc.contoso.com\TestCA 27 "CN=Britta Simon,OU=Test,DC=contoso,DC=com"

Copies the request with identifier 27 from the CA to the FIM CM Certificates table, associating it with the specified user DN. If the request exists in FIM CM, it will NOT be overwritten.

ClmUtil -overwrite -syncrequest testpc.contoso.com\TestCA 99 bsimon@contoso.com

Copies the request with identifier 99 from the CA to the FIM CM Certificates table, associating it with the specified user mail address. If the request exists in FIM CM, it will be overwritten.

Encrypting a Passphrase File with CLMUtil

You can use the CLMUtil importpfx parameter to import a passphrase file. Because this file contains passphrases, we recommend that you encrypt this file. In order to create an encrypted passphrase file, you must write an application. You can use the following C# code sample to write this application.

//===================================================================
// DISCLAIMER:
//-------------------------------------------------------------------
//
// This sample is provided as is and is not meant for use on a
// production environment. It is provided only for illustrative
// purposes. The end user must test and modify the sample to suit
// their target environment.
//
// Microsoft can make no representation concerning the content of
// this sample. Microsoft is providing this information only as a
// convenience to you. This is to inform you that Microsoft has not
// tested the sample and therefore cannot make any representations
// regarding the quality, safety, or suitability of any code or
// information found here.
//
//===================================================================

using System;
using System.IO;
using System.Text;
using CAPICOM; // CAPICOM 2.x COM interop assembly; add a reference to it in the project

public class PassphraseFileEncryptor
{
    public static void EncryptFile(string strFile)
    {
        // Read the clear-text passphrase file.
        byte[] data = File.ReadAllBytes(strFile);

        // Load the recipient certificate and its private key from a PFX file.
        // "Ramji03Encryption.pfx" and the password "1" are the sample's placeholders;
        // use the certificate of the user who will later run importpfx.
        Certificate cert = new Certificate();
        cert.Load("Ramji03Encryption.pfx", "1",
            CAPICOM_KEY_STORAGE_FLAG.CAPICOM_KEY_STORAGE_EXPORTABLE,
            CAPICOM_KEY_LOCATION.CAPICOM_CURRENT_USER_KEY);

        // CAPICOM takes the content as a string; the sample treats the file as Unicode text.
        UnicodeEncoding uni = new UnicodeEncoding();
        EnvelopedData enveloped = new EnvelopedDataClass();
        enveloped.Content = uni.GetString(data);

        // Envelope the content for the certificate (PKCS #7 EnvelopedData) so that only
        // the holder of the matching private key can recover the passphrases.
        enveloped.Recipients.Add(cert);
        string encryptedStr = enveloped.Encrypt(CAPICOM_ENCODING_TYPE.CAPICOM_ENCODE_BASE64);

        // CAPICOM returns base64; the .p7 file holds the decoded DER bytes.
        byte[] outData = Convert.FromBase64String(encryptedStr);
        File.WriteAllBytes(strFile + ".encrypted.p7", outData);
    }
}