Installing and Configuring Certificate Lifecycle Manager 2007 Client

Microsoft® Certificate Lifecycle Manager 2007 Client assists in client-side smart card management activities, such as changing the personal identification number (PIN) on a smart card. A computer that runs this software is known as a CLM client. You must install Certificate Lifecycle Manager 2007 Client to deploy smart cards, but not to deploy software-based certificates.

The following topics describe how to install and configure Certificate Lifecycle Manager 2007 Client:

  • Hardware and Software Requirements for Certificate Lifecycle Manager 2007 Client

  • Install Certificate Lifecycle Manager 2007 Client

  • Secure Session Settings for a Certificate Lifecycle Manager Client

  • Setting Smart Card PIN Rules for Certificate Lifecycle Manager 2007 Client

Hardware and Software Requirements for Certificate Lifecycle Manager 2007 Client

Table 1 shows the hardware and software requirements for Certificate Lifecycle Manager 2007 Client.

Table 1   Hardware and software requirements

Component: Microsoft Windows XP Service Pack 2

  Requirement: Certificate Lifecycle Manager 2007 Client components are designed for computers running Windows XP.

Component: Microsoft Internet Explorer® 6.x

  Requirement: Because ILM CMS requires Secure Sockets Layer (SSL) and Transport Layer Security (TLS) for administrative traffic and certificates, Internet Explorer 6.x is required. ILM CMS has advanced scripting features that are optimized for Internet Explorer.

Component: Middleware

  Requirement: Microsoft Base Cryptographic Service Provider (CSP) with a vendor-specific minidriver, or a legacy CSP with PKCS #11-compatible middleware.

  You must get the middleware from a vendor other than Microsoft.

Component: A smart card reader and one or more smart cards that are compatible with Certificate Lifecycle Manager 2007 Client

  Requirement: Required only if you implement smart card certificates. For information about smart card compatibility with Certificate Lifecycle Manager 2007 Client, contact your smart card vendor.

Install Certificate Lifecycle Manager 2007 Client

Important

Do not perform any smart card management activities until after you install Certificate Lifecycle Manager 2007 Client.

Note

Certificate Lifecycle Manager 2007 Client depends on supported smart card middleware or a smart card minidriver and smart card module. Before you use Certificate Lifecycle Manager 2007 Client to perform smart card operations, you must install the required middleware. For more information, see Hardware and Software Requirements for Certificate Lifecycle Manager 2007 Client.

To configure Certificate Lifecycle Manager 2007 Client correctly, perform the following steps:

  1. Install the client on each computer where you want to use Certificate Lifecycle Manager 2007 Client.

  2. Add the CLM Web site to the Trusted Sites on each CLM client computer.

  3. Enable automatic prompting for downloads.

To install Certificate Lifecycle Manager 2007 Client

  1. From the ILM CMS installation CD, run CLMClient.msi.

    CLMClient.msi is located at [CDDrive]\CLMClient\.

  2. On the Welcome to the Installation Wizard page, click Next.

  3. On the Certificate Lifecycle Manager License Agreement page, read the license agreement, select I accept the terms in the license agreement, and then click Next.

  4. On the Setup Type page, under Setup Type, select one of the following options, and then click Next:

    1. Complete

      Installs the Certificate Lifecycle Manager 2007 Client files and features that are required, including the Smart Card Self Service Control, the Smart Card Personalization Control, and the Certificate Profile Update Control.

    2. Custom

      Installs the Certificate Lifecycle Manager 2007 Client files and features that you select.

  5. On the Ready to Install Certificate Lifecycle Manager Client page, click Install.

  6. On the Certificate Lifecycle Manager Client Installation Complete page, click Finish.

On each computer where you want to access the CLM Web site, you must add the CLM Web site to the Trusted Sites Web content security zone in Internet Explorer. Because the CLM Web site enforces the use of trusted sites, it does not function correctly if you do not add the CLM Web site to Trusted Sites.

To add the CLM Web site to Trusted Sites in Internet Explorer

  1. In Internet Explorer, on the Tools menu, click Internet Options.

  2. In Internet Options, click the Security tab, click Trusted Sites, and then click Sites.

  3. In Trusted Sites, type the address of the CLM Web site, and then click Add.

  4. Click Close, and then click OK.

The default configuration for Trusted Sites prompts the user before loading controls that are not marked safe for scripting. Because Certificate Lifecycle Manager 2007 Client is not marked safe for scripting, you must enable Initialize and script ActiveX controls not marked as safe for scripting if you do not want Internet Explorer to prompt users when a control loads.

To export comma-delimited report data, you must enable the Automatic prompting for file downloads policy setting in Internet Explorer. If you enable this policy setting, Internet Explorer prompts you when you export the report.

To enable comma-delimited report data to be exported

  1. In Internet Explorer, on the Tools menu, click Internet Options.

  2. In Internet Options, click the Security tab.

  3. Under Security level for this zone, click Custom Level.

  4. In Security Settings - Internet Zone, under Downloads, click Enable for Automatic prompting for file downloads.

Secure Session Settings for Certificate Lifecycle Manager 2007 Client

By default, Certificate Lifecycle Manager 2007 Client encrypts all data that is transmitted to the CLM server. Certificate Lifecycle Manager 2007 Client first tries to use the AES 128 encryption algorithm to encrypt data. If AES 128 is unavailable, Certificate Lifecycle Manager 2007 Client uses the 3DES encryption algorithm. If neither algorithm is available, Certificate Lifecycle Manager 2007 Client tries the cryptographic service provider (CSP) named Microsoft Enhanced RSA and AES Cryptographic Provider.

When you use Certificate Lifecycle Manager 2007 Client to encrypt data, you can override the default setting by selecting a different CSP and encryption algorithm.

Encryption configuration options

To configure an encryption algorithm, you must create two registry keys under HKLM\SOFTWARE\Microsoft\Clm\v1.0\SmartCardClient\. Table 2 shows these registry keys.

Table 2   Encryption registry keys

Registry key: CSP

  Description: Defines the CSP. The value type is REG_SZ, and the entry is the name of the CSP.

Registry key: AlgID

  Description: Defines the encryption algorithm identification number. The value type is DWORD. For the entry, see Table 3.

Table 3    Encryption algorithms and values for the AlgID registry key

Encryption algorithm    DWORD value
3DES                    9 or 3
AES_128                 14
AES_192                 15
AES_256                 16

Secure session validation

You can use the session validation options to determine the revocation status of a certificate.

Note

By default, Certificate Lifecycle Manager 2007 Client does not check revocation status.

To specify whether Certificate Lifecycle Manager 2007 Client checks revocation status, you must create a DWORD registry key named SessionCertValidation under HKLM\SOFTWARE\Microsoft\Clm\v1.0\SmartCardClient\. Table 4 shows the values that you can use to specify how the revocation status of the CLM server certificate is checked.

Table 4   Revocation checks and associated values for SessionCertValidation

Revocation check                             DWORD value
No Check (default)                           0
Check end certificate                        1
Check entire certificate chain               2
Check entire certificate chain minus root    4

Setting Smart Card PIN Rules for Certificate Lifecycle Manager 2007 Client

The following table shows the PIN rules for a smart card managed by Certificate Lifecycle Manager 2007 Client. The PIN rules are located under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CLM\v1.0\SmartCardClient\PinRules.

Note

Certificate Lifecycle Manager 2007 Client does not enforce PIN rules unless the associated registry key is present.

Table 5    PIN rules and sample registry values

Each entry lists the PIN rule with its value type and a sample value, followed by its description.

MaxPinLength (type DWORD, sample value 00000008)

Specifies the maximum length allowed in the PIN. Certificate Lifecycle Manager 2007 Client can read the value from the smart card when you use smart card middleware based on a PKCS #11 file. Alternatively, Certificate Lifecycle Manager 2007 Client can get the value from the PIN rule itself.

To read the value from the smart card, specify the value as -1. To read the value from the PIN rule, specify the value as a positive integer.

MinPinLength (type DWORD, sample value 00000004)

Specifies the minimum length allowed in the PIN. Certificate Lifecycle Manager 2007 Client can read the value from the smart card when you use smart card middleware based on a PKCS #11 file. Alternatively, Certificate Lifecycle Manager 2007 Client can get the value from the PIN rule itself.

To read the value from the smart card, specify the value as -1. To read the value from the PIN rule, specify the value as a positive integer.

MaxRepeatChar (type DWORD, sample value 00000000)

Specifies the maximum number of consecutive, repeated characters allowed in the PIN, for example, 11111 or ssssss.

MaxSortedSequenceChar (type DWORD, sample value 00000002)

Specifies the maximum length of a sorted character sequence allowed in the PIN, for example, 1234 or abcde.

PinHistory (type DWORD, sample value 00000003)

Specifies the length of the PIN's history, which is stored as a sequence of hashes on the smart card. Configuring the history of a PIN helps prevent dictionary attacks since the larger encrypted set makes it more difficult to guess the decryption key (PIN).

During initial provisioning, Certificate Lifecycle Manager 2007 Client ignores the smart card PIN history. Therefore, a PIN selected by a user might match the initial smart card PIN because Certificate Lifecycle Manager 2007 Client has no previous history on the smart card.

The PIN history algorithm has the following characteristics:

  • Certificate Lifecycle Manager 2007 Client stores a cryptographically random salt on the smart card in plaintext. The salt size is 120 bits.

  • Certificate Lifecycle Manager 2007 Client adds the random salt to the PIN during SHA1 hash calculation.

  • Certificate Lifecycle Manager 2007 Client calculates the SHA1 hash several times to increase computation complexity. Each calculation uses the output of the previous calculation as input. The number of calculations is the same for all smart cards, approximately 2,000.
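The following Python is an added model of the PIN history check described above, not code from the product: a plaintext 120-bit salt kept on the card, an iterated salted SHA-1 over the PIN, and a bounded list of hashes. The concatenation order of PIN and salt, the exact iteration count, and the aging out of the oldest entry are assumptions.

```python
import hashlib
import os

SALT_BITS = 120       # salt size stated on the page
ITERATIONS = 2000     # the page says "approximately 2,000"; the exact count is an assumption

def pin_history_hash(pin, salt, iterations=ITERATIONS):
    """Salted, iterated SHA-1 of a PIN, each round hashing the previous round's output.
    Assumption: the salt is appended to the UTF-8 PIN; the page does not give the order."""
    digest = hashlib.sha1(pin.encode("utf-8") + salt).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha1(digest).digest()
    return digest

class PinHistory:
    """Models the on-card history: a plaintext salt plus the newest `depth` PIN hashes."""
    def __init__(self, depth, salt=b""):
        self.depth = depth                               # the PinHistory registry value (>= 1)
        self.salt = salt or os.urandom(SALT_BITS // 8)   # 120 bits = 15 bytes, stored unencrypted
        self.hashes = []

    def was_used(self, pin):
        return pin_history_hash(pin, self.salt) in self.hashes

    def record(self, pin):
        self.hashes.append(pin_history_hash(pin, self.salt))
        del self.hashes[:-self.depth]                    # assumed: oldest entries age out first

def change_pin(history, new_pin):
    """Reject a PIN that is still within the history window; otherwise record it and accept."""
    if history.was_used(new_pin):
        return False
    history.record(new_pin)
    return True
```

An empty history accepts any PIN, which matches the initial-provisioning behaviour described above.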

MinUppercase (type DWORD, sample value 00000001)

Specifies a character set restriction or allowance of uppercase characters in the PIN. If the PIN rules do not specify a character set rule, Certificate Lifecycle Manager 2007 Client places no restrictions on the characters allowed. However, if the PIN rules specify any character set rule, Certificate Lifecycle Manager 2007 Client implicitly disallows all other characters unless a PIN rule explicitly enables that character.

When MinUppercase specifies an allowance, Certificate Lifecycle Manager 2007 Client does not display a corresponding user interface notification. Certificate Lifecycle Manager 2007 Client displays only restriction rules in the PIN dialog boxes.

MinLowercase (type DWORD, sample value 00000001)

Specifies a character set restriction or allowance of lowercase characters in the PIN. If no character set rule is specified in the PIN rules, Certificate Lifecycle Manager 2007 Client places no restrictions on the characters allowed. However, if any character set rule is specified, Certificate Lifecycle Manager 2007 Client implicitly disallows all other characters unless they are explicitly enabled by a rule.

When this rule specifies an allowance, Certificate Lifecycle Manager 2007 Client does not display a corresponding user interface notification. Certificate Lifecycle Manager 2007 Client only displays restriction rules in the PIN dialog boxes.

MinNumeric (type DWORD, sample value 00000001)

Specifies a character set restriction or allowance of numeric characters in the PIN. If no character set rule is specified in the PIN rules, Certificate Lifecycle Manager 2007 Client places no restrictions on the characters allowed. However, if any character set rule is specified, Certificate Lifecycle Manager 2007 Client implicitly disallows all other characters unless they are explicitly enabled by a rule.

When this rule specifies an allowance, Certificate Lifecycle Manager 2007 Client does not display a corresponding user interface notification. Certificate Lifecycle Manager 2007 Client only displays restriction rules in the PIN dialog boxes.

MinSpecial (type DWORD, sample value 00000000)

Specifies a character set restriction or allowance of special characters in the PIN. Special characters are printable ASCII characters that are not numbers or letters. If no character set rule is specified in the PIN rules, no restrictions are put on the characters allowed. However, if any character set rule is specified, all other characters are implicitly disallowed unless explicitly enabled by a rule.

When this rule specifies an allowance, Certificate Lifecycle Manager 2007 Client does not display a corresponding user interface notification. Certificate Lifecycle Manager 2007 Client only displays restriction rules in the PIN dialog boxes.

Filter (type String, sample value ([a-zA-Z0-9]*))

Specifies a character set restriction or allowance of alphabetical, alphanumeric, and printable characters in the PIN. These include uppercase and lowercase characters. If no character set rule is specified in the PIN rules, no restrictions are put on the characters allowed. However, if any character set rule is specified, all other characters are implicitly disallowed unless explicitly enabled by a rule.

When this rule specifies an allowance, no corresponding user interface notification is displayed. Only restriction rules are displayed in the PIN dialog boxes.
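As an added example (not the product's own code), the following Python evaluates a candidate PIN against a dictionary that mirrors the PinRules values above, including the implicit disallowing of characters outside the enabled classes once any character set rule is present. Assumptions: MaxRepeatChar counts characters that repeat the previous one, MaxSortedSequenceChar covers ascending and descending runs of adjacent code points, Filter is matched against the whole PIN, and a -1 length rule takes its limit from the card_limits argument.

```python
import re

def longest_repeat(pin):
    # Characters that repeat the previous one: "11111" -> 4, "12" -> 0 (reading of the sample value 0)
    return max((len(m.group()) - 1 for m in re.finditer(r"(.)\1*", pin)), default=0)

def longest_sorted_sequence(pin):
    # Longest run of adjacent characters whose code points step by +1 or -1, e.g. "1234" or "dcba"
    best = 1 if pin else 0
    for step in (1, -1):
        run = 1
        for prev, cur in zip(pin, pin[1:]):
            run = run + 1 if ord(cur) - ord(prev) == step else 1
            best = max(best, run)
    return best

# Character classes behind the Min* rules; "special" = printable ASCII that is not a letter or digit
CHAR_CLASSES = {
    "MinUppercase": lambda c: "A" <= c <= "Z",
    "MinLowercase": lambda c: "a" <= c <= "z",
    "MinNumeric": lambda c: "0" <= c <= "9",
    "MinSpecial": lambda c: 32 <= ord(c) <= 126 and not c.isalnum(),
}

def check_pin(pin, rules, card_limits=(None, None)):
    """Return the names of the violated rules; an empty list means the PIN is accepted.
    card_limits=(min, max) stands in for the values a -1 length rule reads from the card."""
    failures = []
    min_len = card_limits[0] if rules.get("MinPinLength") == -1 else rules.get("MinPinLength")
    max_len = card_limits[1] if rules.get("MaxPinLength") == -1 else rules.get("MaxPinLength")
    if min_len is not None and len(pin) < min_len:
        failures.append("MinPinLength")
    if max_len is not None and len(pin) > max_len:
        failures.append("MaxPinLength")
    if "MaxRepeatChar" in rules and longest_repeat(pin) > rules["MaxRepeatChar"]:
        failures.append("MaxRepeatChar")
    if "MaxSortedSequenceChar" in rules and longest_sorted_sequence(pin) > rules["MaxSortedSequenceChar"]:
        failures.append("MaxSortedSequenceChar")
    # A class rule of 0 only allows that class; N > 0 also requires N such characters. Once any
    # class rule exists, every character outside the enabled classes is implicitly disallowed.
    active = [name for name in CHAR_CLASSES if name in rules]
    for name in active:
        if sum(1 for c in pin if CHAR_CLASSES[name](c)) < rules[name]:
            failures.append(name)
    if active and any(not any(CHAR_CLASSES[n](c) for n in active) for c in pin):
        failures.append("DisallowedCharacter")
    if "Filter" in rules and not re.fullmatch(rules["Filter"], pin):  # Filter is a whole-PIN pattern
        failures.append("Filter")
    return failures
```

With the sample values from the table, "Ab3x9Q" passes, while "abc1" fails MaxSortedSequenceChar and MinUppercase, and "Aa1!" passes every class rule but fails the Filter.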

Security considerations for PIN rules

Consider protecting the smart card PIN rule registry keys as soon as you create them. To do so, we recommend that you configure access control lists (ACLs), and then audit write operations for the registry keys.

To configure ACLs on PIN rule registry data

  1. To open Registry Editor, click Start, click Run, type regedit, and then click OK.

  2. In Registry Editor, select the Certificate Lifecycle Manager 2007 Client registry key that you want to configure.

    For a list of available registry keys, see Setting Smart Card PIN Rules for Certificate Lifecycle Manager 2007 Client.

  3. Right-click the registry key, and then select Permissions.

  4. In Permissions, assign permissions for existing users or groups, or click Add to add a user or group for which to assign permissions.

To enable auditing for write operations on registry keys

  1. To open Registry Editor, click Start, click Run, type regedit, and then click OK.

  2. In Registry Editor, select the registry key that you want to configure.

    For a list of available registry keys, see Setting Smart Card PIN Rules for Certificate Lifecycle Manager 2007 Client.

  3. Right-click the registry key, and then select Permissions.

  4. In Permissions, click Advanced, and then click the Auditing tab.

  5. On the Auditing tab, click Add.

  6. In Select User or Group, select the specific user or group to audit when you are prompted, and then click OK.

    We recommend that you select a group that covers all users, for example, Everyone. At a minimum, audit the Set Key permission.