Optional: Configuring Additional CA Settings and Modules

Updated: November 8, 2010

Applies To: Forefront Identity Manager Certificate Management

You may want to configure additional policy modules for FIM CM to control certificate subjects and to support certificate requests that are generated outside of FIM CM.

Configure additional policy modules

To configure additional policy modules

  1. Log on to the FIM CM server with a user account that is assigned the Manage CA permission for the local CA.

  2. In Server Manager, expand Active Directory Certificate Services, right-click the certification authority that you want to configure, and then click Properties.

  3. In <CAName> Properties, on the Policy Module tab, click Properties to install and configure a custom module.

  4. In Configuration Properties, on the Custom Modules tab, click Add.

  5. In the Open dialog box, locate the Microsoft.CLM.PolicyModulePlugins.dll file, and then click Open. The default location for the file is <ProgramFiles>\Microsoft Forefront Identity Manager\2010\Certificate Management\CA\

  6. In FIM CM Policy Module, select a policy module. The following table shows the available policy modules.

    CM policy modules

    Policy module: Certificate SMimeCapabilities Module 1.0
    Description:   Limits the encryption algorithms that can be used when a certificate is used for Secure/Multipurpose Internet Mail Extensions (S/MIME). This module is also called the S/MIME Capabilities policy module.

    Policy module: Certificate Subject Module 1.0
    Description:   Inserts a custom subject into a certificate. This module is also called the Subject policy module.

    Policy module: SubjectAltName Module 1.1
    Description:   Inserts a custom field into a certificate's SubjectAltName value. This module is also called the Subject Alternative Name policy module.

    Policy module: Support for non-FIM CM certificate requests
    Description:   Registers with FIM CM the certificates that are issued outside of FIM CM, for example through auto-enrollment or the Microsoft Management Console (MMC). This module is also called the Non-FIM CM Request policy module.

  7. In Custom Module Name, provide a unique name for the policy module, and then click OK.

  8. To modify the policy module's properties, in Configuration Properties, select the policy module, and then click Properties.

The following sections describe the configuration of the available policy modules.

Configure the S/MIME Capabilities policy module

You can use the S/MIME Capabilities policy module to limit the encryption algorithms that can be used when a certificate is used for S/MIME. Your organization can exclude algorithms that it considers weak or unsuitable for use.

To configure the S/MIME Capabilities policy module

  1. In the Custom Module Properties dialog box, in Filter, select the certificate template that you want to use for S/MIME.

  2. In Provider, click Configure.

  3. In the S/MIME Capabilities dialog box, provide the object identifiers (OIDs) of the algorithms to list in the SMIMECapabilities extension, that is, the algorithms that an S/MIME user supports.

Each algorithm is uniquely identified by an object identifier, a sequence of dot-delimited numbers. The following table shows the algorithms and their corresponding object identifiers.

FIM CM algorithms and object identifiers

  Algorithm       Object identifier
  RC2-CBC         1.2.840.113549.3.2
  RC4             1.2.840.113549.3.4
  DES-CBC         1.3.14.3.2.7
  DES-EDE3-CBC    1.2.840.113549.3.7

Some algorithms accept parameters. A parameter can be any ASN.1 object; for example, RC2 can be given its key length as a parameter.

The following table shows example settings.

Sample FIM CM algorithm settings

Algorithm:   3DES
Setting:     1.2.840.113549.3.7[]
Description: Specifies 3DES in the SMimeCapabilities extension. The object identifier is the one for 3DES (DES-EDE3-CBC). The empty square brackets indicate that no parameters are included.

Algorithm:   RC2 with a key length of 128
Setting:     1.2.840.113549.3.2[0x02020080]
Description: Specifies RC2 with a key length of 128. The object identifier is the one for RC2. The parameter is a sequence of bytes in hexadecimal, where:

  • "0x" is the prefix for any hexadecimal number.

  • "0202" is the ASN.1 header of the value: the INTEGER tag (0x02) followed by the length of the value (0x02, that is, 2 bytes).

  • "0080" is the 2-byte parameter value itself; 0x0080 is 128 in decimal.

Algorithm:   Multiple algorithms
Setting:     1.2.840.113549.3.2[0x02020080];1.2.840.113549.3.4[0x02020080];1.3.14.3.2.7[];1.2.840.113549.3.7[]
Description: Use semicolons to separate multiple algorithms.

  • This setting specifies the RC2, RC4, DES, and 3DES algorithms, respectively.

  • The parameters are, respectively: 128, 128, none, none.

  • The order in which the algorithms are listed is their order in the certificate's SMimeCapabilities extension.

Restart the Active Directory Certificate Services (AD CS) service (certsvc) in order to implement these changes.
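The setting string above has a small grammar (a dotted OID, then either `[]` or `[0x` followed by the DER bytes of the parameter and `]`, entries separated by semicolons) and it ends up as the SMIMECapabilities value in the issued certificate. The following parser and encoder is an added example, not FIM CM's own code: it reads a setting string, decodes an INTEGER parameter such as the RC2 key length, builds the DER SMIMECapabilities structure (SEQUENCE OF SEQUENCE { capabilityID OID, parameters OPTIONAL }, as defined for S/MIME in RFC 8551) in the order written, and flags the entries that a policy review would normally exclude as weak. The algorithm names and OIDs come from the tables on this page; the sample setting is constructed from the "Multiple algorithms" row.

```python
"""Parser and DER encoder for the FIM CM S/MIME Capabilities setting string
("OID[0xHEX];OID[]"). Added example, not FIM CM's own code; it assumes only
the grammar shown on the page and the SMIMECapabilities layout of RFC 8551."""
import re
from typing import List, Tuple

# OID -> algorithm name, from the page's algorithm table.
KNOWN_OIDS = {
    "1.2.840.113549.3.2": "RC2-CBC",
    "1.2.840.113549.3.4": "RC4",
    "1.3.14.3.2.7": "DES-CBC",
    "1.2.840.113549.3.7": "DES-EDE3-CBC",
}
# Ciphers a policy review would normally exclude from the capability list.
WEAK_OIDS = {"1.2.840.113549.3.2", "1.2.840.113549.3.4", "1.3.14.3.2.7"}

# Constructed sample: the page's "Multiple algorithms" setting, as typed.
SAMPLE_SETTING = (
    "1.2.840.113549.3.2[0x02020080];1.2.840.113549.3.4[0x02020080];"
    "1.3.14.3.2.7[];1.2.840.113549.3.7[]"
)

# One entry: dotted OID, then '[]' or '[0x<hex bytes>]'; surrounding
# whitespace (including a line break after ';') is tolerated.
_ENTRY = re.compile(r"^\s*(\d+(?:\.\d+)+)\[(?:0x([0-9A-Fa-f]*))?\]\s*$")


def parse_setting(setting: str) -> List[Tuple[str, bytes]]:
    """Return [(oid, raw_parameter_bytes)] in the order written; b'' means
    '[]'. A malformed entry raises instead of being silently dropped."""
    entries = []
    for part in setting.split(";"):
        if not part.strip():
            continue
        m = _ENTRY.match(part)
        if not m:
            raise ValueError(f"malformed entry: {part!r}")
        oid, hexpart = m.group(1), m.group(2)
        if hexpart is None:
            param = b""
        elif len(hexpart) % 2:
            raise ValueError(f"odd-length hex parameter in {part!r}")
        else:
            param = bytes.fromhex(hexpart)
        entries.append((oid, param))
    return entries


def decode_integer_param(param: bytes) -> int:
    """Decode a DER INTEGER parameter: 0x02020080 -> 128
    (tag 0x02, length 0x02, value 0x0080)."""
    if len(param) < 2 or param[0] != 0x02:
        raise ValueError("parameter is not a DER INTEGER")
    length = param[1]
    if length >= 0x80 or 2 + length != len(param):
        raise ValueError("bad INTEGER length")
    return int.from_bytes(param[2:], "big", signed=True)


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(oid: str) -> bytes:
    """DER OBJECT IDENTIFIER: first two arcs packed as 40*a+b, base-128 arcs."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray()
    for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return b"\x06" + _der_len(len(body)) + bytes(body)


def build_smime_capabilities(setting: str) -> bytes:
    """SMIMECapabilities ::= SEQUENCE OF SEQUENCE { capabilityID OID,
    parameters ANY OPTIONAL }. Entry order is preserved, as the page states."""
    body = b""
    for oid, param in parse_setting(setting):
        inner = encode_oid(oid) + param
        body += b"\x30" + _der_len(len(inner)) + inner
    return b"\x30" + _der_len(len(body)) + body


def describe(setting: str) -> List[str]:
    """One review line per entry, e.g. 'RC2-CBC (1.2.840.113549.3.2): parameter 128'."""
    lines = []
    for oid, param in parse_setting(setting):
        name = KNOWN_OIDS.get(oid, "unknown algorithm")
        if not param:
            detail = "no parameters"
        else:
            try:
                detail = f"parameter {decode_integer_param(param)}"
            except ValueError:
                detail = f"parameter 0x{param.hex()}"
        lines.append(f"{name} ({oid}): {detail}")
    return lines


def weak_algorithms(setting: str) -> List[str]:
    """Names of the entries in WEAK_OIDS, in the order they would be advertised."""
    return [KNOWN_OIDS[oid] for oid, _ in parse_setting(setting) if oid in WEAK_OIDS]


if __name__ == "__main__":
    for line in describe(SAMPLE_SETTING):
        print(line)
    print("weak:", weak_algorithms(SAMPLE_SETTING))
    print(build_smime_capabilities(SAMPLE_SETTING).hex())
```

Running the block on the sample setting lists RC2-CBC, RC4 and DES-CBC as weak, which is the practical reading of the paragraph above: the module lets you advertise a shorter list, and the only entry on the page's own table that is not flagged is DES-EDE3-CBC.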

Configure the Subject policy module

You can use the Subject policy module to insert a custom subject into a certificate.

To configure the Subject policy module

  1. In the Custom Module Properties dialog box, in Filter, select the certificate template to configure.

  2. In Provider, click Configure.

  3. In the Certificate Subject Name dialog box, type the information that you want to include in the certificate subject. For example, cn={User!GivenName} {User!SurName}, cn={Clm!CostCenter},o=Contoso,c=US. The certificate of a user account with GivenName of Britta, SurName of Simon, and CostCenter of 17195 displays a subject name of:

    • cn=Britta Simon

    • cn=17195

    • o=Contoso

    • c=US

    See the following table for further description of the supported attributes.

You must use specific tags to dynamically build a certificate subject from the Active Directory Domain Services (AD DS) user attributes and from the FIM CM registration data. The following table shows these tags.

Subject policy module certificate subject tags

Tag:         {User!Attribute}
Description: Inserts the value of an AD DS attribute of the user, such as givenName. You can use any attribute that the AD DS schema defines for the User object.

Tag:         {CLM!ItemName}
Description: Inserts the value of a FIM CM data collection item from the profile template. For example, if you collect DepartmentID and CostCenter in the profile template and want both included, use {CLM!DepartmentID}{CLM!CostCenter}.

Additional object identifiers

FIM CM will honor all of the properties set forth in the following: Name Properties.

Note: Restart the Active Directory Certificate Services (AD CS) service (certsvc) in order to implement these changes.

Configure the Subject Alternative Name policy module

You can use the Subject Alternative Name policy module to populate custom subject alternative names for certificates.

To configure the Subject Alternative Name policy module

  1. In the Custom Module Properties dialog box, in Provider, click Configure.

  2. In the Certificate SubjectAltName Configuration dialog box, click Add.

  3. In the SubjectAltName Add Entry dialog box, in Type, select a type.

    The following table shows the types that you can select.

    Possible SubjectAltName types

    SubjectAltName type: RFC822Mailbox
    Description:         Formats the value as an e-mail address.

    SubjectAltName type: DNSName
    Description:         Formats the value as a DNS name.

    SubjectAltName type: OtherName
    Description:         Enables you to specify the subject alternative name by an object identifier (OID).

  4. In Value, select a format, type information in the Value Template box, and then click OK.

  5. In the Certificate SubjectAltName Configuration dialog box, click OK.

  6. In the Custom Module Properties dialog box, in Filter, select a certificate template to apply the policy module to, and then click OK.

Note: The SubjectAltName Add Entry dialog box has two sections. One section specifies the type of subject alternative name, and the other section identifies the value that appears in the certificate.

Important: For the OtherName type, you must provide the object identifier because it must be included in the certificate.

You must specify a value for each SubjectAltName type. The following table shows the value formats that FIM CM supports.

SubjectAltName type value formats

Format:      UTF8String
Description: Typically used for data that may contain Unicode characters, for example an e-mail address or a URL.

Format:      IA5String
Description: Typically used for alphanumeric strings; it covers any ASCII characters.

You must enter information in the Value Template box to associate the data with the SubjectAltName value in the user's certificate. You can obtain these values from AD DS or from the FIM CM database.

Use the following format for the information in the Value Template box: {User!ActiveDirectoryAttribute}, where ActiveDirectoryAttribute is the name of the attribute in AD DS. The following table contains sample values.

Sample values

Tag:         {User!email}
Description: Returns the value of the mail attribute of the user for whom the certificate is being issued.

Tag:         {CLM!ItemName}
Description: Returns a data collection item from the FIM CM data. For example, {CLM!Employee Number} adds the Employee Number that you requested in the profile template to the subject alternative name.

Restart the Active Directory Certificate Services (AD CS) service (certsvc) in order to implement these changes.
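Both the Subject policy module (cn={User!GivenName} {User!SurName}, cn={Clm!CostCenter},o=Contoso,c=US) and the Subject Alternative Name value templates ({User!email}, {CLM!Employee Number}) use the same {User!...} / {CLM!...} tag syntax. The following expander is an added example, not FIM CM's own code, that resolves those tags against constructed AD DS and profile-template data and reproduces the Britta Simon subject shown for the Subject policy module. Because a subject is a DN string, the example also escapes substituted values per RFC 4514 so that directory data containing a comma cannot add an RDN of its own; the page does not say whether the module does this itself, so treat that escaping, the case-insensitive attribute lookup and the sample data as this example's assumptions.

```python
"""Expand FIM CM-style subject and SubjectAltName value templates such as
cn={User!GivenName} {User!SurName}, cn={Clm!CostCenter},o=Contoso,c=US
against constructed AD DS and profile-template data. Added example, not
FIM CM's own code; the RFC 4514 escaping of substituted values is this
example's own hardening and is not described on the page."""
import re
from typing import Dict, List

# {User!attr} or {CLM!item}; the namespace is case-insensitive ({Clm!...}
# appears on the page) and item names may contain spaces ({CLM!Employee Number}).
_TAG = re.compile(r"\{(User|CLM)!\s*([^}]+?)\s*\}", re.IGNORECASE)

# RFC 4514 section 2.4: characters that must be escaped inside an RDN value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape a value for use inside a DN string, so that directory data such
    as '17195,o=Other' stays one attribute value instead of becoming two RDNs."""
    out = "".join("\\" + c if c in _DN_SPECIAL else c for c in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def _lookup(table: Dict[str, str], name: str) -> str:
    # Attribute names are matched case-insensitively, like LDAP attribute names
    # (an assumption of this example).
    for key, val in table.items():
        if key.lower() == name.lower():
            return val
    raise KeyError(name)


def expand_template(template: str, user_attrs: Dict[str, str],
                    clm_items: Dict[str, str], dn_escape: bool = True) -> str:
    """Replace every tag. A tag with no data raises KeyError rather than
    producing an empty field; dn_escape=False is for SubjectAltName value
    templates, which are not DN strings."""
    def repl(m: "re.Match[str]") -> str:
        source, name = m.group(1).lower(), m.group(2)
        table = user_attrs if source == "user" else clm_items
        try:
            value = _lookup(table, name)
        except KeyError:
            raise KeyError(f"no value for {{{m.group(1)}!{name}}}") from None
        return escape_dn_value(value) if dn_escape else value
    return _TAG.sub(repl, template)


def split_rdns(subject: str) -> List[str]:
    """Split an expanded subject on unescaped commas into its RDN strings."""
    rdns, cur, escaped = [], "", False
    for ch in subject:
        if escaped:
            cur, escaped = cur + ch, False
        elif ch == "\\":
            cur, escaped = cur + ch, True
        elif ch == ",":
            rdns.append(cur.strip())
            cur = ""
        else:
            cur += ch
    rdns.append(cur.strip())
    return [r for r in rdns if r]


# Constructed sample data for the page's example user (attribute names are
# chosen to match the tags used in the page's subject template).
USER = {"GivenName": "Britta", "SurName": "Simon", "email": "britta@contoso.example"}
CLM = {"CostCenter": "17195", "Employee Number": "E-4471"}
SUBJECT_TEMPLATE = "cn={User!GivenName} {User!SurName}, cn={Clm!CostCenter},o=Contoso,c=US"

if __name__ == "__main__":
    subject = expand_template(SUBJECT_TEMPLATE, USER, CLM)
    print(subject)
    for rdn in split_rdns(subject):
        print("  ", rdn)
    print("SAN rfc822Name:", expand_template("{User!email}", USER, CLM, dn_escape=False))
    print("SAN otherName :", expand_template("{CLM!Employee Number}", USER, CLM, dn_escape=False))
```

Run as a script, the block prints the four RDNs listed in the Subject policy module section (cn=Britta Simon, cn=17195, o=Contoso, c=US) followed by the two SAN values; a missing attribute raises rather than silently yielding a certificate with a blank component, which is the failure mode worth catching before certsvc issues anything.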

Configure the non-FIM CM Request policy module

The Non-FIM CM Request policy module registers certificates that are issued outside FIM CM so that you can manage them from the FIM CM Portal.

To configure the non-FIM CM Request policy module

  1. In the Custom Module Properties dialog box, in Provider, click Configure.

  2. In the AutoEnroll Plugin Configuration dialog box, in Database Information, type the connection string for the FIM CM database.

  3. In Profile Template, select the profile template to be assigned to non-FIM CM requests from the list.

  4. In Active Certificates, specify the maximum number of certificates, and then click OK.

  5. In the Custom Module Properties dialog box, in Filter, select a certificate template to apply the policy module to, and then click OK.

Restart the Active Directory Certificate Services (AD CS) service (certsvc) in order to implement these changes.
