MIM CM cert renewal issue - "Encryption.Certificate" could not update sucessfully

Question

Dear PKI experts,

We are facing an issue during CM cert renewal. Since the CM certs of "_CMAgent", "_CMKRAgent" and "_CMEnrAgent" will be expired, we are planning to renew them.

Actually the certs are renewed successfully and I can get the new thumbprint. Then I updated the "Signing. cert", "Enrollment.cert", "Smartcard.Exchange. cert“ , "Encryption.cert" with new thumbprint and extended the "Valid cert list" in web.config, the details is as below,

1. "Signing. cert", "Smartcard.Exchange. cert“ -- updated with the new thumbprint of cert renewed by account "_CMAgent"，Let us call it 1st cert.
2. "Encryption.cert" -- updated with the new thumbprint of cert renewed by account "_CMAgent" (this is 2nd cert differing from the signing cert)， **that is the problematic one!!!****
3. "Enrollment.cert" -- updated with the new thumbprint of cert renewed by account "_CMEnrAgent"

After IISRESET, the MIM portal is accessible. However, the following error displays when we wanna edit the smartcard profile to update the Diversify Key (this is the 3rd cert renewed by account "_CMAgent" )

After testing, we narrowed down the issue cause to the 2nd cert -"Encryption.cert" . Once updating this one, the above error appears. so we just roll back this cert to old cert that will be expired soon and keep other certs using new one. Then the overall function is working temporarily.

After a couple of days, I attempted to request a new cert based on cert template "user agent template" under account "_CMAgent", then update the "Encryption.cert" to find out whether the issue is caused by cert template. In fact the above issue is gone!!!
I can edit the smartcard profile and user can renew his smartcard. I assume the issue got fixed.

But a new error was reported as below while a user wanna unblock his smartcard. So I roll back the "Encryption.cert" to old one again, the error got disappeared.

Could you please guide me with the correct direction? How to address the issue I am facing? I am confused with "Encryption.cert" and "Decryption.cert" tag in web.config, once update the "Encryption.cert" with new thumbprint, that will cause user impact. How to update it then?

Thank you!

Answer 1

Hello there,

Can you check if the CNG Key Isolation service is started?

Verbose logging can be very beneficial when troubleshooting a CLM or FIMCM problem. The below article will walk you through the steps to enable verbose logging.

How to Capture a Verbose Log for CM or CLM

https://social.technet.microsoft.com/wiki/contents/articles/4020.fim2010mim2016-how-to-capture-a-verbose-log-for-cm-or-clm.aspx

Also since you renewed the agent certificate with a new private key, that means that you had to put the hash of the new certificate in the web.config file as the Clm.Encryption.Certificate.

Hope this resolves your Query !!

----------------------------------------------------------------------------------------------------------------------------------------

--If the reply is helpful, please Upvote and Accept it as an answer–

Answer 2

Hi I suggest you renew the certificate with same key, see https://learn.microsoft.com/en-us/archive/blogs/iamsupport/support-tip-fim-cm-2010-mim-cm-2016-admin-key-diversification-and-certificate-renewal for more information.

Martin

Answer 3

Enable the log one time and get the logs as below, the cert has no private key. So what should I do now? I don't have the pfx format cert. Can I replace it with a new cert with private key? will it impact the current users?

General Information

---

Additional Info:
EnvelopedCMS decryption failed. Fall back to AES method.

1) Exception Information

---

Exception Type: System.Security.Cryptography.CryptographicException
Message: Unable to locate the decryption key.
Data: System.Collections.ListDictionaryInternal
TargetSite: System.Security.Cryptography.Pkcs.ContentInfo DecryptCms(Byte[])
HelpLink: NULL
Source: Microsoft.Clm.Crypto
HResult: -2146233296

StackTrace Information

---

at Microsoft.Clm.Crypto.EnvelopedCmsExtension.DecryptCms(Byte[] encoded)
at Microsoft.Clm.BusinessLayer.DataEncryption.Decrypt(String encrypted)
"2022-10-24 00:18:13.39 -07" "Microsoft.Clm.BusinessLayer.DataEncryption" "System.Security.Cryptography.X509Certificates.X509Certificate2 GetCertificateFromHash(Byte[])" ***** 0x000032C4 0x0000000D
Getting certificate: 0x87,0x8D,0x71,0x70,0x7C,0xC5,0xDD,0x0B,0xB6,0x80,0x45,0x92,0x2C,0x44,0x02,0x14,0x15,0xF5,0x08,0x23,.
"2022-10-24 00:18:13.40 -07" "Microsoft.Clm.BusinessLayer.DataEncryption" "System.Security.Cryptography.X509Certificates.X509Certificate2 GetCertificateFromHash(Byte[])" ****** 0x000032C4 0x0000000D
Opened MY Certificate store for READ access.
"2022-10-24 00:18:13.40 -07" "Microsoft.Clm.BusinessLayer.DataEncryption" "System.Security.Cryptography.X509Certificates.X509Certificate2 GetCertificateFromHash(Byte[])" ****** 0x000032C4 0x0000000D
Found 1 matching certificates.
"2022-10-24 00:18:13.40 -07" "Microsoft.Clm.BusinessLayer.DataEncryption" "System.String DecryptUsingAES(System.String, System.Security.Cryptography.X509Certificates.X509Certificate2)" ******* 0x000032C4 0x0000000D
Unable to perform decryption with certificate 878D71707CC5DD0BB68045922C44021415F50823. Certificate does not have a private key.
"2022-10-24 00:18:13.40 -07" "Microsoft.Clm.BusinessLayer.DataEncryption" "System.String DecryptUsingAES(System.String)" ******* 0x000032C4 0x0000000D

General Information

---

Additional Info:
AES fallback failed to decrypt data using certificate: 878D71707CC5DD0BB68045922C44021415F50823.

1) Exception Information

---

Exception Type: System.Security.Cryptography.CryptographicException
Message: Certificate 878D71707CC5DD0BB68045922C44021415F50823 does not have a private key.
Data: System.Collections.ListDictionaryInternal
TargetSite: System.String DecryptUsingAES(System.String, System.Security.Cryptography.X509Certificates.X509Certificate2)
HelpLink: NULL
Source: Microsoft.Clm.BusinessLayer
HResult: -2146233296