Prepare the FIM CM Agent Certificate Templates

Updated: November 8, 2010

Applies To: Forefront Identity Manager Certificate Management

FIM CM requires accounts that use the Key Recovery Agent, Enrollment Agent, and User certificate templates: three certificates for three of the service accounts used by FIM CM. Because two of these certificate templates need to be modified, it is recommended to create duplicates and make the modifications to the copies rather than to the built-in templates. This section shows how to duplicate these certificate templates and how to create and publish FIM CM specific ones.

Important
Many organizations use Hardware Security Modules (HSMs) to store the private keys of various critical identities. Certificates whose private key material is stored on an HSM must be generated manually using the HSM vendor's CSP, and they must be backed up for disaster recovery purposes. If you are using an HSM, do not follow these directions to create your own certificate templates; follow the HSM vendor's instructions instead. For examples of installing specific vendor HSMs, see the following TechNet Wiki articles: Installing and Configuring an nCipher Hardware Security Module (HSM) with FIM CM 2010 (http://go.microsoft.com/fwlink/?LinkId=205743) and Installing and Configuring a LunaSA Hardware Security Module (HSM) with FIM CM 2010 (http://go.microsoft.com/fwlink/?LinkId=205745).

Create copies of the Enrollment Agent, Key Recovery Agent, and User certificate templates

  1. Log on to your Certificate Authority with a user account that has permissions to access the CA, duplicate templates, and publish the required templates. Open Server Manager.

  2. In Server Manager, expand Roles, expand Active Directory Certificate Services, and click Certificate Templates.

  3. On the right, under Template Display Name, scroll down, right-click Enrollment Agent, and select Duplicate Template.

    Warning
    Select Enrollment Agent, not Enrollment Agent (Computer).

  4. This will bring up a dialog box asking to choose between Windows Server 2003 Enterprise and Windows Server 2008 Enterprise. Leave the default of Windows Server 2003 Enterprise and click OK.

    [Screenshot: Windows 2003 Certificate]

  5. This will bring up Properties for the New Template. Under Template display name: clear what is in the box and enter FIMCM Enrollment Agent.

  6. At the top, click the Request Handling tab and place a check in Allow private key to be exported.

    [Screenshot: Enrollment Agent allow export]

  7. At the bottom, click Apply and click OK. This will close the properties.

  8. Back in Certificate Templates, on the right, under Template Display Name, scroll down, right-click Key Recovery Agent, and select Duplicate Template.

  9. This will bring up a dialog box asking to choose between Windows Server 2003 Enterprise and Windows Server 2008 Enterprise. Leave the default of Windows Server 2003 Enterprise and click OK.

  10. This will bring up Properties for the New Template. Under Template display name: clear what is in the box and enter FIMCM Key Recovery Agent.

    [Screenshot: Key Recovery Agent]

  11. At the bottom, click Apply and click OK.

  12. Back in Certificate Templates, on the right, under Template Display Name, scroll down, right-click User, and select Duplicate Template.

  13. This will bring up a dialog box asking to choose between Windows Server 2003 Enterprise and Windows Server 2008 Enterprise. Leave the default of Windows Server 2003 Enterprise and click OK.

  14. This will bring up Properties for the New Template. Under Template display name: clear what is in the box and enter FIMCM User.

  15. At the top, click the Request Handling tab and click the CSPs… button at the bottom. This will bring up the CSP Selection window. Place a check in Microsoft Enhanced RSA and AES Cryptographic Provider. Click OK.

    [Screenshot: CSP]

  16. At the top, click the Subject Name tab and remove the check from Include e-mail name in subject name. Also, under Include this information in alternate subject name: remove the check from E-mail.

    [Screenshot: no email]

  17. At the bottom, click Apply and click OK.

After creating the certificate templates, they must be enabled for issuance on the Certificate Authority. The following section outlines the procedure to accomplish this.

Publish the copied certificate templates

  1. In Server Manager, under Active Directory Certificate Services, expand corp-DC1-CA, right-click Certificate Templates, select New, and then click Certificate Template to Issue.

    [Screenshot: new certificate to issue]

  2. This will bring up an Enable Certificate Templates dialog box.

  3. Scroll down until you see the FIMCM certificates. Hold down the CTRL key and click all 3 so that they are all selected.

  4. Click OK.

Important
Back up your Key Recovery Agent and FIM CM Agent certificates and private keys for disaster recovery purposes.
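To confirm that the duplicated templates ended up with the settings the steps above describe, and that all three were published on the CA, the following PowerShell check is an added example (not part of this article or of FIM CM). It reads the template and CA objects from the Configuration partition and assumes the article's example CA name corp-DC1-CA and the template display names entered above.

```powershell
# Added audit script: verifies the FIMCM templates against the settings described
# in this article. Assumes a domain-joined host and a user able to read the
# Configuration naming context. CA name is the article's example; replace as needed.
$caName = 'corp-DC1-CA'

# Flag bits as documented in MS-CRTD
$CT_FLAG_EXPORTABLE_KEY            = 0x00000010  # msPKI-Private-Key-Flag
$CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL = 0x00200000  # msPKI-Certificate-Name-Flag
$CT_FLAG_SUBJECT_REQUIRE_EMAIL     = 0x10000000  # msPKI-Certificate-Name-Flag

$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Look a template up by its display name (the cn of a duplicate is usually the
# display name with spaces removed, so searching on displayName is more reliable)
function Get-Template([string]$displayName) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,$pkiBase"
    $searcher.Filter = "(&(objectClass=pKICertificateTemplate)(displayName=$displayName))"
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "Template '$displayName' not found in AD" }
    return $result.GetDirectoryEntry()
}

$findings = @()
$ea   = Get-Template 'FIMCM Enrollment Agent'
$kra  = Get-Template 'FIMCM Key Recovery Agent'
$user = Get-Template 'FIMCM User'

# Step 6: the Enrollment Agent copy must allow the private key to be exported
$pkFlags = [int]$ea.Properties['msPKI-Private-Key-Flag'].Value
if (($pkFlags -band $CT_FLAG_EXPORTABLE_KEY) -eq 0) {
    $findings += 'FIMCM Enrollment Agent: private key is NOT marked exportable'
}

# Step 15: the User copy must list the Enhanced RSA and AES provider as a CSP
$csps = @($user.Properties['pKIDefaultCSPs'].Value)
if (-not ($csps -match 'Microsoft Enhanced RSA and AES Cryptographic Provider')) {
    $findings += 'FIMCM User: AES CSP is not in pKIDefaultCSPs'
}

# Step 16: the User copy must not put e-mail in the subject or the SAN
$nameFlags = [int]$user.Properties['msPKI-Certificate-Name-Flag'].Value
if ($nameFlags -band ($CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL -bor $CT_FLAG_SUBJECT_REQUIRE_EMAIL)) {
    $findings += 'FIMCM User: e-mail is still included in the subject or SAN'
}

# Publishing: the CA's Enrollment Services object lists issued templates by cn
$ca = [ADSI]"LDAP://CN=$caName,CN=Enrollment Services,$pkiBase"
$published = @($ca.Properties['certificateTemplates'].Value)
foreach ($t in @($ea, $kra, $user)) {
    $cn = [string]$t.Properties['cn'].Value
    if ($published -notcontains $cn) { $findings += "$cn is not published on $caName" }
}
if ($findings.Count -eq 0) { 'All FIMCM templates look correct.' } else { $findings }
```

Run it after step 4 of the publishing procedure; any line it prints is a setting that differs from what the steps above intend.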
