FIM 2010 - CLMUtil Command-Line Tool
Applies To: Forefront Identity Manager 2010
CLMUtil is a powerful command-line tool in Microsoft® Forefront Identity Manager Certificate Management (FIM CM). CLMUtil is typically used to recover from synchronization errors that may occur between FIM CM and Certificate Authority (CA), to assist in manually configuring certificates, to display information, and update password and configuration information. CLMUtil can be used to perform the following:
Import certificates that were written to the CA database but not to the FIM CM database because of a connection failure between FIM CM and the SQL Server that hosts the FIM CM database.
Import certificates that were issued before FIM CM was deployed.
Update the SQL database connection string.
Update the FIM CM agent account password.
By default, CLMUtil.exe is installed in %Program Files%\Microsoft Forefront Identity Manager\2010\Certificate Management\Bin.
The following topics describe CLMUtil configuration and commands:
CLMUtil Configuration File
CLMUtil Commands
Encrypting a Passphrase File with CLMUtil
CLMUtil Configuration File
CLMUtil.exe reads its configuration from the file CLMUtil.exe.config. By default this file is installed in %Program Files%\Microsoft Forefront Identity Manager\2010\Certificate Management\Bin and provides the default configuration for CLMUtil. The following table shows the settings in CLMUtil.exe.config.
Settings for CLMUtil.exe.config
| Setting | Description |
|---|---|
| DatabasePath | Connection path to the SQL Server database. You can enter this as a database connection string or as the protected registry string from the Web.config file. Using the protected registry string found in Web.config is recommended. This setting is required for all database-modifying commands. |
| DefaultCertificateTemplateOID | Object identifier for the default certificate template that CLMUtil should use for import, for example 1.2.3.4. This is the fallback value used when CLMUtil cannot determine the OID of an imported certificate by searching Active Directory for the certificate template name. Use it when a certificate template cannot be determined from the certificate template extension or when the certificate was issued by a third-party CA. |
| CertImportDebugFile | Local file path on the FIM CM server for storing debugging information about the import process. To disable debugging, set this to an empty string or to a file on a non-existent path, for example E:\Debug.txt where E:\ is a non-existent drive. This setting is read by all CLMUtil commands but is not required; the comments in CLMUtil.exe.config suggest that it is required for -syncrequest and -importpfx, but it is not. |
| ImportPfxSuccessDirectory | Local directory on the FIM CM server where the importpfxbatch command records successful imports, for example E:\Success. Used by importpfxbatch only. |
| ImportPfxReportFileName | Local file on the FIM CM server where the importpfxbatch command writes its import report, for example E:\Success\Report.txt. The report includes the file name, time of processing, and import success status. Used by importpfxbatch only. |
Important
Before you use CLMUtil, you must update the CLMUtil.exe.config to specify your database path and the default certificate template object identifier. If this object identifier is not valid, or does not correspond to an actual certificate template object identifier, certificates that you import by using the importpfx command, or commands derived from it, cause CLMUtil to display unknown certificate template names for imported certificates. Configuring other settings is optional.
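
The following PowerShell script is an added example and is not part of the FIM CM documentation. It performs the pre-flight check the note above calls for before any CLMUtil run: it reads CLMUtil.exe.config, confirms that DatabasePath is set and does not carry a clear-text SQL password, confirms that DefaultCertificateTemplateOID is a dotted OID and (when the ActiveDirectory module is present) that a certificate template with that OID actually exists, and reports whether CertImportDebugFile will produce output. It assumes the settings are stored as `<appSettings>` `<add key="…" value="…"/>` entries, the usual layout of a .NET exe.config file; the `Get-ClmUtilSetting` and `Test-ClmUtilConfig` function names are the example's own.

```powershell
# Added example, not from the FIM CM documentation. Assumes the usual
# <appSettings><add key=".." value=".."/></appSettings> layout of CLMUtil.exe.config.
$ConfigPath = Join-Path ${env:ProgramFiles} 'Microsoft Forefront Identity Manager\2010\Certificate Management\Bin\CLMUtil.exe.config'

function Get-ClmUtilSetting {
    param([xml]$Config, [string]$Key)
    $node = @($Config.configuration.appSettings.add) | Where-Object { $_.key -eq $Key }
    if ($node) { return [string]$node.value }
    return $null
}

function Test-ClmUtilConfig {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @("Config file not found: $Path") }
    [xml]$cfg = Get-Content -LiteralPath $Path -Raw
    $problems = @()

    # DatabasePath is required by every database-modifying command. The documented
    # recommendation is the protected registry string from Web.config, not a
    # connection string that carries SQL credentials in clear text.
    $db = Get-ClmUtilSetting -Config $cfg -Key 'DatabasePath'
    if ([string]::IsNullOrWhiteSpace($db)) {
        $problems += 'DatabasePath is empty; set it before running any database-modifying command'
    } elseif ($db -match '(?i)(password|pwd)\s*=') {
        $problems += 'DatabasePath holds a clear-text SQL password; use the protected registry string from Web.config instead'
    }

    # DefaultCertificateTemplateOID must name a real template, or imported
    # certificates show unknown template names.
    $oid = Get-ClmUtilSetting -Config $cfg -Key 'DefaultCertificateTemplateOID'
    if ($oid -notmatch '^\d+(\.\d+)+$') {
        $problems += "DefaultCertificateTemplateOID '$oid' is not a dotted OID"
    } elseif (Get-Module -ListAvailable -Name ActiveDirectory) {
        Import-Module ActiveDirectory
        $templatesDn = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' + (Get-ADRootDSE).configurationNamingContext
        $tmpl = Get-ADObject -SearchBase $templatesDn -LDAPFilter "(msPKI-Cert-Template-OID=$oid)"
        if (-not $tmpl) { $problems += "No certificate template in Active Directory has OID $oid" }
    }

    # CertImportDebugFile is optional. A reachable path means import details are
    # written there, so that directory deserves the same ACLs as the .p12 files.
    $dbg = Get-ClmUtilSetting -Config $cfg -Key 'CertImportDebugFile'
    if (-not [string]::IsNullOrWhiteSpace($dbg)) {
        $dir = Split-Path -Parent $dbg
        if ($dir -and (Test-Path -LiteralPath $dir)) {
            Write-Host "Import debugging is enabled; output goes to $dbg"
        } else {
            Write-Host "Import debugging is disabled (path $dbg is not reachable)"
        }
    }
    return $problems
}

$issues = @(Test-ClmUtilConfig -Path $ConfigPath)
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Warning $_ }
    exit 1
}
'CLMUtil.exe.config is ready.'
```

Run it from an elevated PowerShell session on the FIM CM server; a non-zero exit code with one warning per problem makes it usable as a gate in a change script before CLMUtil is invoked.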
CLMUtil Commands
The following topics describe the CLMUtil commands:
Formatting legend for the CLMUtil command syntax
addca
decodedpapi
deleterequest
dispsdaccess
dispsdadobject
encodedpapi
genkey
importpfx
importpfxbatch
listca
omitcertificateduringrecovery
removeca
setacctpwd
setdbconn
sync
syncrequest
Formatting legend for the CLMUtil command syntax
The table below shows the formatting legend for the CLMUtil command syntax.
Important
Unless you add a dash (-) before the CLMUtil commands and parameters that require one, CLMUtil does not process your command. Throughout this document, commands and parameters that require the dash are shown with it.
Formatting for the CLMUtil command syntax
| Format | Meaning |
|---|---|
| Italic | Information that the user must supply. |
| Bold | Elements that the user must type exactly as shown. |
| Ellipsis (…) | Parameter that can be repeated several times in a command line. |
| Between brackets ([]) | Optional items. |
| Between braces ({}); choices separated by pipe (\|). Example: {even\|odd} | A set of choices from which the user must choose only one. |
addca
Allows you to add or update a 3rd party CA connector registration.
| Syntax |
|---|
| CLMUtil -addca AssemblyQualifiedName -name CaName -server ServerName [-templates TemplateList] [-config data] |
addca Parameters
| Parameter | Description |
|---|---|
| AssemblyQualifiedName | The assembly-qualified name of a .NET type that implements the ICertificateServer interface. |
| -name CaName | The name of the third-party certification authority. |
| -server ServerName | The FQDN of the server that is running the third-party certification authority. |
| -templates TemplateList | The comma-separated list of certificate templates (common names) that can be used to request certificates from the given third-party CA. Omitting this parameter means that all certificate templates can be used to request certificates. |
| -config data | The free-form configuration string passed to the connector during initialization. This string cannot be longer than 256 characters. |
addca Examples
| Example | Description |
|---|---|
| ClmUtil -addca "Microsoft.Test.Connector, TestConnector" -name TestCA -server server.domain.com -templates User,SmartCardLogon -config "c:\text.xml" | Registers a new third-party CA connector implemented by the Microsoft.Test.Connector type in the TestConnector assembly. The CA name is TestCA and the server name is server.domain.com. Two certificate templates (User and SmartCardLogon) are available for certificate issuance from this CA. The initialization string is located in "c:\text.xml". |
| ClmUtil -addca "Microsoft.Test.Connector, TestConnector" -name TestCA -server server.domain.com | Registers a new third-party CA connector implemented by the Microsoft.Test.Connector type in the TestConnector assembly. The CA name is TestCA and the server name is server.domain.com. All certificate templates present in Active Directory are available for certificate issuance from this CA, and no initialization string is provided. The same command can also update the existing registration from the first example, after which all certificate templates present in Active Directory are available from this CA. |
| ClmUtil -addca "Microsoft.Test.Connector, TestConnector" -name TestCA -server server.domain.com -templates User,SmartCardLogon,Email -config "c:\text.xml" | Updates the existing third-party CA connector registration from the first example. One additional certificate template (Email) is available for certificate issuance from this CA. |
decodedpapi
Decodes (decrypts) data that was protected with DPAPI (Data Protection Application Programming Interface) using the current machine's key. The input is given by In and the result is written to Out. If Out is omitted from the command line, the output goes to the console; otherwise it is written to the file.
| Syntax |
|---|
| ClmUtil [Options] -decodedpapi In [Out] |
decodedpapi Options
| Option | Description |
|---|---|
| -base64 [on\|off] | Base64 encoding/decoding on or off. The default is on. |
| -file | The In argument is a path to a file. This is the default. |
| -inline | The In argument is the string to decode. |
decodedpapi Parameters
| Parameter | Description |
|---|---|
| In | The encrypted source to use as input. This can be an encrypted string entered at the command prompt or read from a file. |
| Out | Where CLMUtil should display or store the output. If you do not specify a value for Out, CLMUtil displays the output in the command prompt window. |
decodedpapi Examples
| Example | Description |
|---|---|
| CLMUtil -inline -decodedpapi AQAAANCMnd8BFdERjHOAWE/Cl+SBaAAAGS0RYSpNXEGp+AXDWytlvAQAAAACAAAAAAADZgAAqAAAADcxzAMilVQ8wLJMPeVD4tsAAAAAASAAACgAAAAEAAAAC0h7Hr13YXYyUZ0FVzd3OCYAAAA8YiBvdQ62HLruxiVeYkq+S8slrxYZZNTFAAAALV6tEE7yHVkT0FBTF4RGiQw4N1i | Decrypts the encrypted text string and displays the result in the command prompt window. |
| CLMUtil -inline -decodedpapi AQAAANCMnd8BFdERjHOAWE/Cl+SBaAAAGS0RYSpNXEGp+AXDWytlvAQAAAACAAAAAAADZgAAqAAAADcxzAMilVQ8wLJMPeVD4tsAAAAAASAAACgAAAAEAAAAC0h7Hr13YXYyUZ0FVzd3OCYAAAA8YiBvdQ62HLruxiVeYkq+S8slrxYZZNTFAAAALV6tEE7yHVkT0FBTF4RGiQw4N1i c:\decode\decode.txt | Decrypts the encrypted text string and writes the result to a text file named decode.txt in a directory called decode. |
| CLMUtil -file -decodedpapi c:\encode\encode.txt c:\decode\decode.txt | Decrypts the encrypted text string stored in the file encode.txt and writes the result to the file decode.txt. |
deleterequest
Deletes a request from the specified CA and the associated certificate in the FIM CM database. Only requests external to FIM CM can be deleted from the CA and the FIM CM database.
| Syntax |
|---|
| ClmUtil [Options] -deleterequest CAMachine RequestId |
deleterequest Options
| Option | Description |
|---|---|
| -test | Specifies that CLMUtil should display the output only and not execute the delete request. Warning: it is recommended that you run the deleterequest command with the -test parameter before deleting requests. |
| -ca | Deletes the request from the CA only. |
| -clm | Deletes the certificate from the FIM CM database only. |
| -both | Deletes the request from the CA and the associated certificate from FIM CM. This is the default. |
deleterequest Parameters
| Parameter | Description |
|---|---|
| CAMachine | The name of the CA. You must enter the entire CA name (computer name and CA name), separated by a backslash (\). The computer name (CAComputer) must match the ca_server_name value, and the CA name (CAName) must match the ca_name value, in the CertificateAuthority table of the FIM CM SQL database. If these values do not match the values in the FIM CM database, CLMUtil reports an error. |
| RequestID | The request ID of the specific request. |
deleterequest Examples
| Example | Description |
|---|---|
| ClmUtil -test -deleterequest testpc.mydomain.com\TestCA 14 | Displays what would be deleted from the CA and from FIM CM, without deleting anything. |
| ClmUtil -deleterequest testpc.mydomain.com\TestCA 14 | Deletes the certificate for request 14 in the testpc.mydomain.com\TestCA certification authority from the FIM CM Certificates table and also deletes the request from the certification authority. |
| ClmUtil -clm -deleterequest testpc.mydomain.com\TestCA 27 | Deletes the certificate for request 27 in the testpc.mydomain.com\TestCA certification authority from the FIM CM Certificates table. If the request exists in the certification authority, it will NOT be deleted. |
| ClmUtil -ca -deleterequest testpc.mydomain.com\TestCA 31 | Deletes the request with request identifier 31 from the testpc.mydomain.com\TestCA certification authority. If the certificate for this request exists in the FIM CM Certificates table, it will NOT be deleted. |
dispsdaccess
Displays access information for a security descriptor.
A security descriptor contains the security information associated with a securable object. All named Windows® objects are securable objects. Some unnamed objects, such as process and thread objects, can also have security descriptors.
For more information about security descriptors, see Security Descriptors and Access Control Lists Technical Reference (https://go.microsoft.com/fwlink/?LinkId=88418).
| Syntax |
|---|
| ClmUtil -dispsdaccess InputString |
dispsdaccess Parameters
| Parameter | Description |
|---|---|
| InputString | A security descriptor. |
dispsdaccess Examples
| Example | Description |
|---|---|
| CLMUtil -dispsdaccess O:BA | Displays information for the O:BA security descriptor. O:BA designates the built-in administrator account. |
dispsdadobject
Displays security descriptor for an Active Directory object.
A security descriptor contains the security information associated with a securable object. All named Windows® objects are securable objects. Some unnamed objects, such as process and thread objects, can also have security descriptors.
For more information about security descriptors, see Security Descriptors and Access Control Lists Technical Reference (https://go.microsoft.com/fwlink/?LinkId=88418).
| Syntax |
|---|
| ClmUtil -dispsdadobject InputString |
dispsdadobject Parameters
| Parameter | Description |
|---|---|
| InputString | An object in Active Directory. |
dispsdadobject Examples
| Example | Description |
|---|---|
| CLMUtil -dispsdadobject "LDAP://CN=Britta Simon,OU=FIMCMUsers,DC=contoso,DC=com" | Displays the security descriptor of the user Britta Simon in the Contoso domain. |
encodedpapi
Encodes (encrypts) data with DPAPI (Data Protection Application Programming Interface) using the current machine's key. The input is given by In and the result is written to Out. If Out is omitted from the command line, the output goes to the console; otherwise it is written to the file.
| Syntax |
|---|
| ClmUtil [Options] -encodedpapi In [Out] |
encodedpapi Options
| Option | Description |
|---|---|
| -base64 [on\|off] | Base64 encoding/decoding on or off. The default is on. |
| -file | The In argument is a path to a file. This is the default. |
| -inline | The In argument is the string to encode. |
encodedpapi Parameters
| Parameter | Description |
|---|---|
| In | The source to use as input for encryption. This can be a string entered at the command prompt or read from a file. |
| Out | Where CLMUtil should display or store the output. If you do not specify a value for Out, CLMUtil displays the output in the command prompt window. |
encodedpapi Examples
| Example | Description |
|---|---|
| CLMUtil -inline -encodedpapi "This is a test." | Encodes the text string "This is a test." and displays the result in the command prompt window. |
| CLMUtil -inline -encodedpapi "This is a test." c:\encode\encode.txt | Encodes the text string and writes the result to a text file named encode.txt in a directory called encode. |
| CLMUtil -file -encodedpapi c:\encode\encodeIn.txt c:\encode\encodeOut.txt | Encodes the text string stored in the file encodeIn.txt and writes the result to the file encodeOut.txt. |
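
The following PowerShell script is an added example and is not part of the FIM CM documentation. It shows the mechanism behind the encodedpapi and decodedpapi commands: machine-scope DPAPI, where the blob is bound to the computer that created it, with the Base64-on and Base64-off output forms and the inline and file input forms. It calls the .NET `ProtectedData` API directly; whether its output is byte-for-byte interchangeable with what CLMUtil writes and accepts (no extra entropy, UTF-16 text) is an assumption, so treat it as a model of the mechanism rather than a replacement for the tool. The `Protect-MachineSecret` and `Unprotect-MachineSecret` names and the C:\encode path are the example's own.

```powershell
# Added example, not from the FIM CM documentation. Machine-scope DPAPI via .NET;
# interoperability with CLMUtil's own blobs (entropy, text encoding) is assumed.
Add-Type -AssemblyName System.Security
$Scope = [System.Security.Cryptography.DataProtectionScope]::LocalMachine

function Protect-MachineSecret {
    # Returns the blob as Base64 text (like the default -base64 on) or as raw
    # bytes when -NoBase64 is given (like -base64 off).
    param([Parameter(Mandatory)][string]$PlainText, [switch]$NoBase64)
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($PlainText)   # UTF-16 is an assumption
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect($bytes, $null, $Scope)
    if ($NoBase64) { return ,$blob }
    return [Convert]::ToBase64String($blob)
}

function Unprotect-MachineSecret {
    # Accepts the Base64 text or the raw byte[] from Protect-MachineSecret. On any
    # other computer, or on a damaged blob, DPAPI throws CryptographicException.
    param([Parameter(Mandatory)]$Blob)
    $bytes = if ($Blob -is [byte[]]) { $Blob } else { [Convert]::FromBase64String([string]$Blob) }
    $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($bytes, $null, $Scope)
    return [System.Text.Encoding]::Unicode.GetString($plain)
}

# Inline round trip, like "-inline -encodedpapi" followed by "-inline -decodedpapi".
# The Base64 text starts with the same AQAAANCM... DPAPI header as the blobs shown above.
$encoded = Protect-MachineSecret -PlainText 'This is a test.'
$encoded
Unprotect-MachineSecret -Blob $encoded

# File form, like "-file": write the blob out, lock the file down, read it back.
# Machine-scope DPAPI lets any process on this computer decrypt the blob, so the
# file's ACL is all that separates other local users from the secret.
$path = 'C:\encode\encode.txt'   # constructed path for the example
New-Item -ItemType Directory -Path (Split-Path $path) -Force | Out-Null
Set-Content -LiteralPath $path -Value $encoded -NoNewline
$acl = Get-Acl -LiteralPath $path
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting ACEs from the directory
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', 'Allow')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM', 'FullControl', 'Allow')))
Set-Acl -LiteralPath $path -AclObject $acl
Unprotect-MachineSecret -Blob ((Get-Content -LiteralPath $path -Raw).Trim())

# Raw-byte form, like "-base64 off", and what a damaged or foreign blob looks like.
$rawBlob = Protect-MachineSecret -PlainText 'This is a test.' -NoBase64
Unprotect-MachineSecret -Blob $rawBlob
try {
    Unprotect-MachineSecret -Blob ($encoded.Substring(0, $encoded.Length - 8) + 'AAAAAAAA')
} catch [System.Security.Cryptography.CryptographicException] {
    Write-Warning "DPAPI refused the blob: $($_.Exception.Message)"
}
```

The practical consequence for CLMUtil is the same as for this script: a blob produced on one FIM CM server cannot be decoded on another, so protected values must be regenerated rather than copied between servers, and files holding machine-scope blobs need restrictive ACLs because the key itself is available to every local process.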
genkey
Generates a hex-encoded symmetric key, and then displays it in the command prompt console.
| Syntax |
|---|
| CLMUtil -genkey |
genkey Examples
| Example | Description |
|---|---|
| ClmUtil -genkey | Generates a hex-encoded symmetric key and displays it in the command prompt window. |
importpfx
Imports a pfx file into the CA and FIM CM databases.
| Syntax |
|---|
| ClmUtil [options] -importpfx P12Filename PassPhraseDetails CAMachine User |
importpfx Options
| Option | Description |
|---|---|
| -unique | Specifies that an existing FIM CM request should not be overwritten in the FIM CM database. This is the default; if you specify neither option, CLMUtil uses -unique. |
| -overwrite | Updates the request information in the FIM CM database automatically without testing for potential problems. |
importpfx Parameters
| Parameter | Description |
|---|---|
| P12Filename | The directory and file name of the .p12 file to import. |
| PassPhraseDetails | The path to the encrypted passphrase file (.p7 file name extension), or the explicit password for the .p12 file named above. |
| CAMachine | The name of the CA. You must enter the entire CA name (computer name and CA name), separated by a backslash (\). The computer name (CAComputer) must match the ca_server_name value, and the CA name (CAName) must match the ca_name value, in the CertificateAuthority table of the FIM CM SQL database. If these values do not match the values in the FIM CM database, CLMUtil reports an error. Example: testpc.contoso.com\TestCA |
| User | The user to associate the certificate with, given as an Active Directory distinguished name or an e-mail alias. The user who is currently logged on must have the certificate installed that decrypts the passphrase file. The decrypted data provides the .p12 file name to password mapping that Certutil.exe requires. |
importpfx Examples
| Example | Description |
|---|---|
| ClmUtil -importpfx c:\p12s\t-t000002-00000002-test.user@abc.ca-1060701792-20031223134105.p12 c:\p12s\passphrase.20040831201726.p7 testpc.contoso.com\TestCA "CN=Britta Simon,OU=Test,DC=Contoso,DC=com" | Imports the specified .p12 file into testpc.contoso.com\TestCA and the FIM CM Certificates table, associating it with the specified user DN. Rows will NOT be overwritten in the Certificates table. |
| ClmUtil -overwrite -importpfx c:\p12s\t-t000002-00000002-test.user@abc.ca-1060701792-20031223134105.p12 c:\p12s\passphrase.20040831201726.p7 testpc.contoso.com\TestCA bsimon@contoso.com | Imports the specified .p12 file into testpc.contoso.com\TestCA and the FIM CM Certificates table, associating it with the specified user e-mail address. Rows will be overwritten in the Certificates table. |
| ClmUtil -importpfx c:\p12s\t-t000002-00000002-test.user@abc.ca-1060701792-20031223134105.p12 Pass1word$ testpc.contoso.com\TestCA bsimon@contoso.com | Imports the .p12 file into the CA and the FIM CM Certificates table, associating it with the specified user e-mail address, and gives the password explicitly instead of using a .p7 passphrase file. Rows will NOT be overwritten in the Certificates table. |
importpfxbatch
Imports a batch of pfx files into the CA and FIM CM databases.
| Syntax |
|---|
| ClmUtil [options] -importpfxbatch RootDirectory PassPhraseFilename CAMachine User |
importpfxbatch Options
| Option | Description |
|---|---|
| -unique | Specifies that an existing FIM CM request should not be overwritten in the FIM CM database. This is the default; if you specify neither option, CLMUtil uses -unique. |
| -overwrite | Updates the request information in the FIM CM database automatically without testing for potential problems. |
importpfxbatch Parameters
| Parameter | Description |
|---|---|
| RootDirectory | The root of the directory structure in which the .p12 files are stored. |
| PassPhraseFilename | The name of the passphrase file. The passphrase file must be in .p7 format. |
| CAMachine | The name of the CA. You must enter the entire CA name (computer name and CA name), separated by a backslash (\). The computer name (CAComputer) must match the ca_server_name value, and the CA name (CAName) must match the ca_name value, in the CertificateAuthority table of the FIM CM SQL database. If these values do not match the values in the FIM CM database, CLMUtil reports an error. |
| User | The user whose .pfx files you are importing, given as the user's e-mail address or Active Directory distinguished name. |
importpfxbatch Examples
| Example | Description |
|---|---|
| ClmUtil -importpfxbatch c:\p12s c:\p12s\passphrase.20040831201726.p7 testpc.mydomain.com\TestCA "CN=Britta Simon,OU=Test,DC=contoso,DC=com" | Imports the .p12 files located in the c:\p12s directory structure into testpc.contoso.com\TestCA and the FIM CM Certificates table, associating them with the specified user DN. Rows will NOT be overwritten in the Certificates table. |
| ClmUtil -overwrite -importpfxbatch c:\p12s c:\p12s\passphrase.20040831201726.p7 testpc.contoso.com\TestCA bsimon@contoso.com | Imports the .p12 files located in the c:\p12s directory structure into testpc.contoso.com\TestCA and the FIM CM Certificates table, associating them with the specified user e-mail address. Rows will be overwritten in the Certificates table. |
listca
Displays a list of all 3rd party CA connectors that are registered.
| Syntax |
|---|
| CLMUtil -listca |
listca Examples
| Example | Description |
|---|---|
| ClmUtil -listca | Displays all third-party CA connectors that are registered. |
omitcertificateduringrecovery
Marks an archived certificate so that it is omitted during ALL FIM CM operations that involve certificate recovery from the CA. A Boolean flag specifies whether the certificate is omitted (true) or included (false). The default is to omit it during recovery (true).
| Syntax |
|---|
| ClmUtil [Options] -omitcertificateduringrecovery [{true\|false}] |
omitcertificateduringrecovery Options
| Option | Description |
|---|---|
| -test | Specifies that CLMUtil should display the output only and not execute the request. Warning: it is recommended that you run the -omitcertificateduringrecovery command with the -test parameter before running it for real. |
| -certid | The certificate ID (cert_id in the Certificates table) of the certificate to be updated. |
| -username | The user name of the certificate's owner. |
| -serialnumber | The serial number of the certificate. |
omitcertificateduringrecovery Examples
| Example | Description |
|---|---|
| ClmUtil -certid 1234 -omitcertificateduringrecovery | Marks the certificate with certificate ID 1234 (cert_id in the Certificates table) so that it will be omitted during recovery. |
| ClmUtil -username testpc.contoso.com\bsimon -serialnumber 19befedc000000000471 -omitcertificateduringrecovery true | Marks the certificate identified by user name 'testpc.contoso.com\bsimon' and serial number '19befedc000000000471' so that it will be omitted during recovery. |
removeca
Unregisters the specified CA connector.
| Syntax |
|---|
| CLMUtil -removeca ID |
removeca Parameters
| Parameter | Description |
|---|---|
| ID | The numeric ID of the connector, as returned by the -addca or -listca command. |
removeca Examples
| Example | Description |
|---|---|
| ClmUtil -removeca 12 | Unregisters the CA connector with numeric ID 12. |
setacctpwd
Updates the encrypted FIM CM agent account password stored in the registry. These passwords are stored in HKLM\SOFTWARE\Microsoft\CLM\v1.0\Server\WebUser.
Important
This does not update the password in Active Directory. The password must be changed in AD to reflect the changes. Also, the FIM CM IIS worker process and the FIM CM Update service will have to be restarted for changes to take effect.
| Syntax |
|---|
| ClmUtil -setacctpwd AccountName AccountPassword |
setacctpwd Parameters
| Parameter | Description |
|---|---|
| AccountName | The account whose password is being updated. It MUST be one of the switches listed in the AccountName switches table below. |
| AccountPassword | The new password for the account that is being updated. |
AccountName switches
| Switch | Description |
|---|---|
| -agent | The FIM CM Agent account. |
| -authAgent | The FIM CM Authorization Agent account. |
| -caMngr | The FIM CM CA Manager Agent account. |
| -enrollAgent | The FIM CM Enrollment Agent account. |
| -krAgent | The FIM CM Key Recovery Agent account. |
setacctpwd Examples
| Example | Description |
|---|---|
| ClmUtil -setacctpwd -krAgent "newPassword01" | Updates the FIM CM Key Recovery Agent account's password to "newPassword01". |
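
The following PowerShell script is an added example and is not part of the FIM CM documentation. It carries out the whole rotation the Important note above implies, in the order that keeps the two copies consistent: change the password in Active Directory, update the encrypted copy in the registry with setacctpwd, restart the IIS worker process and the FIM CM Update service, then verify. The sAMAccountName, the IIS application pool name and the Windows service name are placeholders for your deployment; the assumption that CLMUtil returns a non-zero exit code on failure is the example's own.

```powershell
# Added example, not from the FIM CM documentation. Placeholders below must be
# replaced with the names used in your FIM CM deployment.
Import-Module ActiveDirectory
Import-Module WebAdministration

$ClmUtil   = Join-Path ${env:ProgramFiles} 'Microsoft Forefront Identity Manager\2010\Certificate Management\Bin\CLMUtil.exe'
$Account   = 'FIMCMKRAgent'        # placeholder: sAMAccountName of the key recovery agent account
$Switch    = '-krAgent'            # which FIM CM agent account this is (see the switches table)
$AppPool   = 'CLMAppPool'          # placeholder: the FIM CM web application pool
$UpdateSvc = 'FIMCMUpdateService'  # placeholder: the FIM CM Update service name

# Read the new password without echoing it and without leaving it in the
# PowerShell command history.
$secure = Read-Host -Prompt "New password for $Account" -AsSecureString

# 1. Change it in Active Directory first. If this fails, the registry copy is
#    left untouched and the two stay consistent.
Set-ADAccountPassword -Identity $Account -NewPassword $secure -Reset -ErrorAction Stop

# 2. Update the encrypted copy under HKLM\SOFTWARE\Microsoft\CLM\v1.0\Server\WebUser.
#    setacctpwd takes the password as a plain command-line argument, so it is
#    visible in the process command line for the lifetime of that process; run
#    this interactively, not from a job that logs its arguments.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    & $ClmUtil -setacctpwd $Switch $plain
    # Assumption: a non-zero exit code signals failure.
    if ($LASTEXITCODE -ne 0) { throw "CLMUtil -setacctpwd failed with exit code $LASTEXITCODE" }
}
finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable plain -ErrorAction SilentlyContinue
}

# 3. Restart the processes that still hold the old password in memory.
Restart-WebAppPool -Name $AppPool
Restart-Service -Name $UpdateSvc

# 4. Verify that the registry key was rewritten and the service is back up.
$key = 'HKLM:\SOFTWARE\Microsoft\CLM\v1.0\Server\WebUser'
Get-Item -Path $key | Select-Object -ExpandProperty Property
Get-Service -Name $UpdateSvc | Select-Object Name, Status
```

The same sequence applies to the other agent accounts by changing `$Account` and `$Switch`; the AD change must always precede the registry update, because FIM CM authenticates with whatever the registry holds and a mismatch breaks the service until both copies agree.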
setdbconn
Updates the encrypted FIM CM database connection string stored in the registry. This setting is in HKLM\SOFTWARE\Microsoft\CLM\v1.0\Server\WebUser.
Important
The FIM CM IIS worker process and the FIM CM Update service will have to be restarted for changes to take effect.
| Syntax |
|---|
| ClmUtil -setdbconn DBConnectionString |
setdbconn Parameters
| Parameter | Description |
|---|---|
| DBConnectionString | The new connection string to the FIM CM database. |
setdbconn Examples
| Example | Description |
|---|---|
| ClmUtil -setdbconn "Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=FIMCertificateManagement;Data Source=FIMCM2" | Updates the FIM CM database connection string to "Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=FIMCertificateManagement;Data Source=FIMCM2". |
sync
Synchronizes the CA database and the FIM CM database (Certificates table).
| Syntax |
|---|
| ClmUtil [Options] -sync CAMachine |
sync Options
| Option | Description |
|---|---|
| -unique | Specifies that an existing FIM CM request should not be overwritten in the FIM CM database. This is the default; if you specify neither -unique nor -overwrite, CLMUtil uses -unique. |
| -overwrite | Updates the request information in the FIM CM database automatically without testing for potential problems. |
| -test | Specifies that CLMUtil should display the output only and not execute the request. Warning: it is recommended that you run the -sync command with the -test parameter before running it for real. |
| -name Type | Describes how names are looked up for a certificate in the CA database. It must be followed by a type. Type can be one of the following: |
| -submitted | Specifies that CLMUtil should only show rows in the database where the date or date range matches SubmittedDate. |
| -completed | Specifies that CLMUtil should only show rows in the database where the date or date range matches CompletedDate. |
| -requestid | Specifies that CLMUtil should only show rows in the database where the ID or ID range matches the value(s) specified as RequestIDValue. |
sync Parameters
| Parameter | Description |
|---|---|
| CAMachine | The name of the CA. You must enter the entire CA name (computer name and CA name), separated by a backslash (\). The computer name (CAComputer) must match the ca_server_name value, and the CA name (CAName) must match the ca_name value, in the CertificateAuthority table of the FIM CM SQL database. If these values do not match the values in the FIM CM database, CLMUtil reports an error. |
sync Examples
| Example | Description |
|---|---|
| ClmUtil -overwrite -sync testpc.mydomain.com\TestCA | Copies all requests from the CA to the Certificates table. The database connection string is taken from the ClmUtil configuration file. Rows will be overwritten in the Certificates table. |
| ClmUtil -unique -sync testpc.mydomain.com\TestCA | Copies only those requests from the CA that do not already exist in the Certificates table, so no overwrites occur. |
| ClmUtil -test -overwrite -sync testpc.mydomain.com\TestCA | Displays a list of all the request IDs that would be copied to the Certificates table if the -test argument were removed. |
| ClmUtil -unique -submitted "+1/7/2011" -sync testpc.mydomain.com\TestCA | Copies only those requests from the CA that do not already exist in the Certificates table, so no overwrites occur, and only rows whose submitted date is on or after 1/7/2011 (the + prefix means on or after). |
| ClmUtil -overwrite -requestid 10 20 -sync testpc.mydomain.com\TestCA | Copies all requests from the CA whose request ID is between 10 and 20 inclusive, overwriting existing rows in the Certificates table. |
| ClmUtil -unique -submitted "*1/9/2011 12:00 AM" -sync testpc.mydomain.com\TestCA | Copies only those requests from the CA that do not already exist in the Certificates table, so no overwrites occur, and only rows whose submitted date is on or before 1/9/2011 12:00 AM (the * prefix means on or before). |
| ClmUtil -completed "1/7/2011" "1/9/2011" -sync testpc.mydomain.com\TestCA | Copies all rows to the Certificates table whose completed date is between 1/7/2011 and 1/9/2011 inclusive. |
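
The following PowerShell script is an added example and is not part of the FIM CM documentation. It turns the "run with -test first" advice given for sync and for deleterequest into a reusable guard: the command is executed once with -test, the preview is shown and logged, the operator must confirm explicitly, and only then is the command run for real, with both passes and the exit code written to a timestamped log so the change is auditable afterwards. The `Invoke-ClmUtilGuarded` name and the C:\ClmUtilLogs directory are the example's own; that -test is accepted in front of the other arguments follows the examples above.

```powershell
# Added example, not from the FIM CM documentation. Dry run, confirm, apply, log.
$ClmUtil = Join-Path ${env:ProgramFiles} 'Microsoft Forefront Identity Manager\2010\Certificate Management\Bin\CLMUtil.exe'
$LogDir  = 'C:\ClmUtilLogs'   # constructed location for the audit log

function Invoke-ClmUtilGuarded {
    param(
        [Parameter(Mandatory)][string[]]$Arguments,   # the full command line, without -test
        [switch]$Force                                 # skip the interactive confirmation
    )
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    $log = Join-Path $LogDir ("clmutil-{0}.log" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))

    # Pass 1: dry run. CLMUtil reports what it would change and touches nothing.
    "[{0}] DRY RUN: {1} -test {2}" -f (Get-Date -Format o), $ClmUtil, ($Arguments -join ' ') | Add-Content -Path $log
    $preview = & $ClmUtil -test @Arguments 2>&1
    $preview | Add-Content -Path $log
    $preview | Write-Host

    if (-not $Force) {
        $answer = Read-Host 'Apply these changes? Type APPLY to continue'
        if ($answer -cne 'APPLY') {
            "[{0}] ABORTED by operator" -f (Get-Date -Format o) | Add-Content -Path $log
            return
        }
    }

    # Pass 2: the real run, with its output and exit code recorded.
    "[{0}] APPLY: {1} {2}" -f (Get-Date -Format o), $ClmUtil, ($Arguments -join ' ') | Add-Content -Path $log
    $result = & $ClmUtil @Arguments 2>&1
    $result | Add-Content -Path $log
    "[{0}] exit code {1}" -f (Get-Date -Format o), $LASTEXITCODE | Add-Content -Path $log
    $result
}

# A sync limited to a request-ID range, as in the sync examples above:
Invoke-ClmUtilGuarded -Arguments @('-unique', '-requestid', '10', '20', '-sync', 'testpc.mydomain.com\TestCA')

# Removing one external request from both the CA and the FIM CM Certificates table:
Invoke-ClmUtilGuarded -Arguments @('-deleterequest', 'testpc.mydomain.com\TestCA', '14')
```

Keep the log directory on the FIM CM server with the same access restrictions as the CLMUtil binaries; the preview lists request IDs and user names, which is exactly what an investigator needs when a synchronization or deletion has to be reconstructed later.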
syncrequest
Adds an entry to the FIM CM database. The default option (-unique) prevents any database update if FIM CM already has an entry with the same certification authority and request identifier.
| Syntax |
|---|
| ClmUtil [Options] -syncrequest CAMachine RequestId User |
syncrequest Options
| Option | Description |
|---|---|
| -unique | Specifies that an existing FIM CM request should not be overwritten in the FIM CM database. This is the default; if you specify neither option, CLMUtil uses -unique. |
| -overwrite | Updates the request information in the FIM CM database automatically without testing for potential problems. |
syncrequest Parameters
| Parameter | Description |
|---|---|
| CAMachine | The name of the CA. You must enter the entire CA name (computer name and CA name), separated by a backslash (\). The computer name (CAComputer) must match the ca_server_name value, and the CA name (CAName) must match the ca_name value, in the CertificateAuthority table of the FIM CM SQL database. If these values do not match the values in the FIM CM database, CLMUtil reports an error. |
| RequestID | The certificate identifier in the CA. CLMUtil obtains the FIM CM database connection credentials from the DatabasePath setting in CLMUtil.exe.config, and the default certificate template object identifier from the DefaultCertificateTemplateOID setting in CLMUtil.exe.config. |
| User | The user to associate the certificate with, given as an Active Directory distinguished name or an e-mail alias. The user who is currently logged on must have the certificate installed that decrypts the passphrase file. The decrypted data provides the .p12 file name to password mapping that Certutil.exe requires. |
syncrequest Examples
| Example | Description |
|---|---|
| ClmUtil -syncrequest testpc.contoso.com\TestCA 27 "CN=Britta Simon,OU=Test,DC=contoso,DC=com" | Copies the request with identifier 27 from the CA to the FIM CM Certificates table, associating it with the specified user DN. If the request already exists in FIM CM, it will NOT be overwritten. |
| ClmUtil -overwrite -syncrequest testpc.contoso.com\TestCA 99 bsimon@contoso.com | Copies the request with identifier 99 from the CA to the FIM CM Certificates table, associating it with the specified user e-mail address. If the request already exists in FIM CM, it will be overwritten. |
Encrypting a Passphrase File with CLMUtil
The CLMUtil importpfx and importpfxbatch commands can read the passphrases for .p12 files from a passphrase file. Because this file contains passphrases, we recommend that you encrypt it. To create an encrypted passphrase file you must write a small application; the following C# sample, which uses the CAPICOM COM library, can serve as its basis.

```csharp
/* ===================================================================
 * DISCLAIMER:
 * -------------------------------------------------------------------
 * This sample is provided as is and is not meant for use on a
 * production environment. It is provided only for illustrative
 * purposes. The end user must test and modify the sample to suit
 * their target environment.
 *
 * Microsoft can make no representation concerning the content of
 * this sample. Microsoft is providing this information only as a
 * convenience to you. This is to inform you that Microsoft has not
 * tested the sample and therefore cannot make any representations
 * regarding the quality, safety, or suitability of any code or
 * information found here.
 * =================================================================== */
using System;
using System.IO;
using System.Text;
using CAPICOM;   // COM interop reference to the CAPICOM type library

public static class PassphraseFileEncryptor
{
    // Encrypts strFile as a PKCS #7 EnvelopedData message for the holder of the
    // certificate loaded below and writes it next to the input as <strFile>.encrypted.p7.
    public static void EncryptFile(string strFile)
    {
        // Read the clear-text passphrase file.
        byte[] data = File.ReadAllBytes(strFile);

        // Load the recipient certificate (with its private key) from a PFX file.
        // The file name and PFX password are the sample's placeholders; use the
        // certificate held by the user who will run importpfx.
        Certificate cert = new Certificate();
        cert.Load("Ramji03Encryption.pfx", "1",
                  CAPICOM_KEY_STORAGE_FLAG.CAPICOM_KEY_STORAGE_EXPORTABLE,
                  CAPICOM_KEY_LOCATION.CAPICOM_CURRENT_USER_KEY);

        // CAPICOM takes the content as a string; the sample interprets the file
        // bytes as UTF-16, so the passphrase file is expected in that encoding.
        UnicodeEncoding uni = new UnicodeEncoding();
        EnvelopedData enveloped = new EnvelopedDataClass();
        enveloped.Content = uni.GetString(data);
        enveloped.Recipients.Add(cert);

        // Encrypt for the recipient. CAPICOM returns the envelope as Base64, which is
        // decoded back to raw DER bytes before the .p7 file is written.
        string encryptedStr = enveloped.Encrypt(CAPICOM_ENCODING_TYPE.CAPICOM_ENCODE_BASE64);
        byte[] outData = Convert.FromBase64String(encryptedStr);

        using (FileStream fsOut = new FileStream(strFile + ".encrypted.p7", FileMode.Create, FileAccess.Write))
        {
            fsOut.Write(outData, 0, outData.Length);
        }
    }
}
```