Understanding Third-Party Certification Authority Extensions
Applies To: Forefront Identity Manager 2010, Forefront Identity Manager Certificate Management
This document assumes that you have a basic understanding of Microsoft® Forefront® Identity Manager (FIM) 2010 and Microsoft® Forefront Identity Manager Certificate Management (FIM CM).
For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.
This guide is intended for information technology (IT) planners, systems architects, technology decision makers, consultants, infrastructure planners, and IT personnel who plan to deploy FIM CM by using third-party certification authority (CA) support.
A fictitious company, Fabrikam, needs to deploy a strong authentication solution for logical access to its network because of industry-specific regulations. Fabrikam licenses FIM 2010 from Microsoft and uses FIM 2010 to issue and manage smart card–based Windows Logon certificates from an internal Windows 2003 Certificate Services CA. FIM CM is configured with a Corporate Profile Template that encapsulates required business processes for issuing and managing user smart cards. Because of industry-specific regulations, a subset of Fabrikam users are required to use IdenTrust-issued certificates. Fabrikam wants to use FIM 2010 as the single management interface for certificate and smart card issuance, hiding CA-specific particulars from certificate managers and end users. Fabrikam develops an IdenTrust FIM 2010 connector according to the public FIM CM Provision API documentation and installs and configures the connector on the internal FIM CM server. The Corporate Profile Template is modified to include two additional certificate templates (Identity and Utility) from an IdenTrust CA. Fabrikam users are issued two additional IdenTrust certificates as part of their standard FIM CM enrollment process. Moreover, the end users are not aware of what CAs the certificates are issued from because the FIM CM hides the public key infrastructure (PKI) complexities.
The functionality and user experience of installing FIM CM with this feature implemented for the first time is identical to the Certificate Lifecycle Manager (CLM) installation from the Microsoft® Identity Lifecycle Manager 2007 (ILM 2007) Feature Pack 1 distribution.
Fabrikam has already deployed FIM CM from the FIM 2010 distribution. The FIM CM Readme file that is included in the FIM 2010 media contains a link to the upgrade instructions. An administrator upgrades the FIM CM server installation by running the setup program that preserves FIM CM configuration files. The administrator also runs a separate script/batch file that makes changes to the FIM CM database. The FIM CM client software does not require an update.
Fabrikam develops a third-party CA connector according to the Certificate Management SDK documentation. The compiled Microsoft .NET assembly is copied to the bin and Web\bin folders.
Fabrikam requires two separate certificates to be issued from the third-party CA, Utility and Identity. They have different key sizes and enhanced key usage (EKU) extensions. The Fabrikam administrator creates two certificate template definitions in Active Directory® directory service schema by using the Certificate Template Management Microsoft Management Console (MMC) snap-ins, FabrikamIdentity and FabrikamUtility. The templates are configured per their requirements.
You can make the third-party CA available in the FIM CM profile template management interface by running the FIM CM command-line tool that adds or updates third-party CA connector registration data and displays the caId (int) of the registered connector.
CLMUtil -addca AssemblyName [-templates TemplateList] [-config data]
AssemblyName is the name of a .NET assembly that is located in the bin and Web\bin folders. This assembly must contain public classes that implement the required interface.
TemplateList is the comma-separated list of certificate templates (common names) that can be used to request certificates from the given third-party CA. By omitting this parameter, you signify that all certificate templates can be used to request certificates.
Data is a free-form configuration string that is passed to the connector during the initialization phase. This string cannot be longer than 256 characters.
Specifically, for this scenario, the Fabrikam administrator runs the following command:
CLMUtil -addca FabrikamGateway.dll -templates FabrikamIdentity,FabrikamUtility -config settings.xml
Running this command registers FabrikamGateway.dll as a third-party CA connector, specifies that the settings.xml string will be passed to this connector at the initialization phase, and specifies that the connector can issue certificates according to the FabrikamIdentity and FabrikamUtility certificate templates. After you run this command, the third-party CA appears in the profile template configuration pages just like the already configured Microsoft CAs.
The enrollment experience is identical to Microsoft CA–only scenarios. If the configured third-party CA connector does not support a specific feature that is required during this process, the user sees an error message that is logged to the FIM CM event log.
Recovery experience is identical to Microsoft CA–only scenarios. If the configured third-party CA connector does not support a specific feature that is required during this process such as key recovery, the user sees an error message that is logged to the FIM CM event log.
The Disable (Revoke) experience is identical to Microsoft CA–only scenarios. If the configured third-party CA connector does not support a specific feature that is required during this process, such as certificate revocation list (CRL) publishing, the user sees an error message that is logged to the FIM CM event log.
Configuration operations are composed of combinations of these three atomic operations. For example, to duplicate a profile you use enroll and recover. You can replace a lost profile by using enroll, revoke, and recover.
The View certificate experience is identical to Microsoft CA–only scenarios. If the configured third-party CA connector does not support a specific feature that is required during this process, such as retrieve published certificate, the user sees an error message that is logged to the FIM CM event log.
The CRL Report user experience is identical to Microsoft CA–only scenario. The user selects a third-party CA from a drop-down list, and available CRL reports appear. If the configured third-party CA connector does not support retrieving CRLs, the user sees an error message that is logged to the FIM CM event log.
Update Certificate Status
The Fabrikam administrator revokes user’s certificates by using third-party CA management software. Subsequently, the administrator views the user’s certificates by using the FIM CM interface. The interface correctly displays the certificate’s status as revoked.
If the user’s certificate was revoked using the Disable (Revoke) operation, or if the Fabrikam administrator uses the 3rd party CA management software, the resulting view will be the same and the interface will correctly display the certificate status.
Duplicate, Online Update, Recover On Behalf, Renew Policies
The user experience for these policies is identical to Microsoft CA–only scenarios. If the configured third-party CA connector does not support a specific feature that is required during this process, such as key archival or recovery, the user sees an error message that is logged to the FIM CM event log.
Implementing the .NET Assembly
The following section describes the concepts and steps necessary to implement the .NET assembly that you will build to support the third-party CA functionality.
Third-Party CA Interfaces
The third-party CA interface, ICertificateServer, is documented in the Certificate Management SDK. Third-party CA developers must create a single .NET assembly that implements this interface. In addition, the ICertificateServer interface provides methods and properties that you can use to query information about connectors. This assembly must be placed into the bin and Web\bin folders.
FIM CM loads this connector assembly and call methods of the ICertificateServer interface when it runs certificate management operations for certificates that are issued from a registered third-party CA.
Grouping of Operations
The caller can use the methods of ICertificateServer to specify multiple certificate requests or certificates in a single method call. FIM CM uses this feature, grouping calls to the same third-party CA connector into a single method call. This construction supports CAs that require two or more certificate requests for successful enrollment.
Most CAs support concepts similar to the concept of a certificate template (certificate profile and such). FIM CM supports various options that can be configured by using Active Directory certificate templates, including key sizes, archival options, enrollment agent support, and so on. Moreover, the FIM CM client creates CMC (Certificate Management protocol using Cryptographic Message Syntax (CMS)) certificate enrollment requests that include certificate template information as part of the encoded request. Therefore, the conceptual model for the third-party CA support includes the use of Active Directory certificate templates. In essence, a third-party CA issues and manages certificates by using one or more certificate templates that are stored and configured in Active Directory. Naturally, it is possible that the third-party connector implementation will map Active Directory certificate templates to a third-party CA–specific certificate profile.