MIM CM cert renewal issue - "Encryption.Certificate" could not update sucessfully

Michael Ma 1 Reputation point

Dear PKI experts,

We are facing an issue during CM cert renewal. Since the CM certs of "_CMAgent", "_CMKRAgent" and "_CMEnrAgent" will be expired, we are planning to renew them.

Actually the certs are renewed successfully and I can get the new thumbprint. Then I updated the "Signing. cert", "Enrollment.cert", "Smartcard.Exchange. cert“ , "Encryption.cert" with new thumbprint and extended the "Valid cert list" in web.config, the details is as below,

  1. "Signing. cert", "Smartcard.Exchange. cert“ -- updated with the new thumbprint of cert renewed by account "_CMAgent",Let us call it 1st cert.
  2. "Encryption.cert" -- updated with the new thumbprint of cert renewed by account "_CMAgent" (this is 2nd cert differing from the signing cert), **that is the problematic one!!!****
  3. "Enrollment.cert" -- updated with the new thumbprint of cert renewed by account "_CMEnrAgent"

After IISRESET, the MIM portal is accessible. However, the following error displays when we wanna edit the smartcard profile to update the Diversify Key (this is the 3rd cert renewed by account "_CMAgent" )

After testing, we narrowed down the issue cause to the 2nd cert -"Encryption.cert" . Once updating this one, the above error appears. so we just roll back this cert to old cert that will be expired soon and keep other certs using new one. Then the overall function is working temporarily.

After a couple of days, I attempted to request a new cert based on cert template "user agent template" under account "_CMAgent", then update the "Encryption.cert" to find out whether the issue is caused by cert template. In fact the above issue is gone!!!
I can edit the smartcard profile and user can renew his smartcard. I assume the issue got fixed.

But a new error was reported as below while a user wanna unblock his smartcard. So I roll back the "Encryption.cert" to old one again, the error got disappeared.

Could you please guide me with the correct direction? How to address the issue I am facing? I am confused with "Encryption.cert" and "Decryption.cert" tag in web.config, once update the "Encryption.cert" with new thumbprint, that will cause user impact. How to update it then?

Thank you!

Microsoft Identity Manager
Microsoft Identity Manager
A family of Microsoft products that manage a user's digital identity using identity synchronization, certificate management, and user provisioning.
642 questions
Windows Server Management
Windows Server Management
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Management: The act or process of organizing, handling, directing or controlling something.
424 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Limitless Technology 44,081 Reputation points

    Hello there,

    Can you check if the CNG Key Isolation service is started?

    Verbose logging can be very beneficial when troubleshooting a CLM or FIMCM problem. The below article will walk you through the steps to enable verbose logging.

    How to Capture a Verbose Log for CM or CLM


    Also since you renewed the agent certificate with a new private key, that means that you had to put the hash of the new certificate in the web.config file as the Clm.Encryption.Certificate.

    Hope this resolves your Query !!


    --If the reply is helpful, please Upvote and Accept it as an answer–

  2. Martin Rublik 316 Reputation points

  3. Michael Ma 1 Reputation point

    Enable the log one time and get the logs as below, the cert has no private key. So what should I do now? I don't have the pfx format cert. Can I replace it with a new cert with private key? will it impact the current users?

    General Information

    Additional Info:
    EnvelopedCMS decryption failed. Fall back to AES method.

    1) Exception Information

    Exception Type: System.Security.Cryptography.CryptographicException
    Message: Unable to locate the decryption key.
    Data: System.Collections.ListDictionaryInternal
    TargetSite: System.Security.Cryptography.Pkcs.ContentInfo DecryptCms(Byte[])
    HelpLink: NULL
    Source: Microsoft.Clm.Crypto
    HResult: -2146233296

    StackTrace Information

    at Microsoft.Clm.Crypto.EnvelopedCmsExtension.DecryptCms(Byte[] encoded)
    at Microsoft.Clm.BusinessLayer.DataEncryption.Decrypt(String encrypted)
    "2022-10-24 00:18:13.39 -07" "Microsoft.Clm.BusinessLayer.DataEncryption" "System.Security.Cryptography.X509Certificates.X509Certificate2 GetCertificateFromHash(Byte[])" ***** 0x000032C4 0x0000000D
    Getting certificate: 0x87,0x8D,0x71,0x70,0x7C,0xC5,0xDD,0x0B,0xB6,0x80,0x45,0x92,0x2C,0x44,0x02,0x14,0x15,0xF5,0x08,0x23,.
    "2022-10-24 00:18:13.40 -07" "Microsoft.Clm.BusinessLayer.DataEncryption" "System.Security.Cryptography.X509Certificates.X509Certificate2 GetCertificateFromHash(Byte[])" ****** 0x000032C4 0x0000000D
    Opened MY Certificate store for READ access.
    "2022-10-24 00:18:13.40 -07" "Microsoft.Clm.BusinessLayer.DataEncryption" "System.Security.Cryptography.X509Certificates.X509Certificate2 GetCertificateFromHash(Byte[])" ****** 0x000032C4 0x0000000D
    Found 1 matching certificates.
    "2022-10-24 00:18:13.40 -07" "Microsoft.Clm.BusinessLayer.DataEncryption" "System.String DecryptUsingAES(System.String, System.Security.Cryptography.X509Certificates.X509Certificate2)" ******* 0x000032C4 0x0000000D
    Unable to perform decryption with certificate 878D71707CC5DD0BB68045922C44021415F50823. Certificate does not have a private key.
    "2022-10-24 00:18:13.40 -07" "Microsoft.Clm.BusinessLayer.DataEncryption" "System.String DecryptUsingAES(System.String)" ******* 0x000032C4 0x0000000D

    General Information

    Additional Info:
    AES fallback failed to decrypt data using certificate: 878D71707CC5DD0BB68045922C44021415F50823.

    1) Exception Information

    Exception Type: System.Security.Cryptography.CryptographicException
    Message: Certificate 878D71707CC5DD0BB68045922C44021415F50823 does not have a private key.
    Data: System.Collections.ListDictionaryInternal
    TargetSite: System.String DecryptUsingAES(System.String, System.Security.Cryptography.X509Certificates.X509Certificate2)
    HelpLink: NULL
    Source: Microsoft.Clm.BusinessLayer
    HResult: -2146233296

    0 comments No comments