How to Import an External Certificate

Applies To: Forefront Identity Manager 2010, Forefront Identity Manager Certificate Management

What This Document Covers

This document describes a process for importing external certificates into the Microsoft® Forefront® Identity Manager Certificate Management (FIM CM) system. It also describes the configuration that is required in profile template settings to make external certificates available in new profiles that are created for users.

For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.

Prerequisite Knowledge

To complete the procedures in this document, you should understand and be familiar with the following:

  • Certificate management concepts


This document is intended for information technology (IT) planners, systems administrators, system architects, technology decision-makers, consultants, infrastructure planners, and IT personnel.

Time requirements

The amount of time that is required to implement the procedures in this document depends on how much of your setup is already in place. To set up your configuration with the following prerequisites takes about 30 minutes:

  1. The FIM infrastructure is in place (especially, that CM is set up and configured).

  2. You have the foreign certificate exported with a private key included in .p12 or .pfx, and you know the password.

  3. You have access to accounts that have the appropriate permissions to manage the certification authority (CA) and view tables in the CM database.

Importing the external encryption certificate

To import the external encryption certificate, complete the following procedure.

To import the external encryption certificate

  1. You must first create a new certificate template in the CA so that you can use its object identifier (OID) when you set the value of DefaultCertificateTemplateOID later in this procedure.

    1. On the CA server, open the Certification Authority console. To open the console, click Start, click Administrative Tools, and then click Certification Authority.

    2. In the console tree, double-click Certification Authority and CA objects. Right-click Certificate Templates, and then click Manage. The Certificate Templates console appears.

    3. In Template Display Name, right-click the certificate template that most closely corresponds with the type of foreign certificate that you plan to import. Typically, this is the User certificate. Then, click Duplicate Template.


      If the Duplicate Template dialog box appears, prompting you to create a certificate that is compatible with Windows Server® 2003 Enterprise Edition or Windows Server 2008 Enterprise, click Windows Server 2003, and then click OK.

    4. In Template Display Name, type Foreign Certificate Import Template or a different name that is more appropriate for your environment.

    5. Click Extensions, and then, in Extensions Included in this Template, click Certificate Template Information. In Description of Certificate Template, copy the Object identifier number string.

    6. Make any other changes to settings that you think are appropriate for your environment, and then click OK.

  2. Open the CLMUtil.exe.config file in Notepad or another text editor. By default, the CLMUtil.exe.config file is located in <program files>\Microsoft Forefront Identity Manager\2010\Certificate Management\Bin. Add or replace the following information in the file:

    1. Replace the DefaultCertificateTemplateOID value, which is by default, with the OID that you copied from the template that you created.

    2. Set appropriate file system paths for CertImportDebugFile, ImportPfxSuccessDirectory, and ImportPfxReportFileName, which have the following default settings:

      <add key="CertImportDebugFile' value="e:\debug.txt" />
      <add key="ImportPfxSuccessDirectory' value="e:\success" />
      <add key="ImportPfxReportFileName' value="e:\success\report.txt" />
    3. Insert a DatabasePath value between the quotation marks, as shown in following illustration. You can enter a protected registry path from the Web.config file, which is located in *<program files>\*Microsoft Forefront Identity Manager\2010\Certificate Management\Web, by default. In the Web.config file, locate the setting for Clm.DataAccess.ConnectionString and use that as the DatabasePath, as shown in the following figure. The following is an example of a completed CLMutil.exe.config file, including a protected registry string:

      Sample ClmUtil.exe configuration

      As an alternative, you can insert a specific connection string for DatabasePath to the database to which you want to connect. For more information, see Using the CLMUtil Command-Line Tool (

    4. Save and close the ClmUtil.exe.config file when you complete the changes.

  3. Ensure that the CA is configured to accept foreign certificates:

    1. Open a command prompt, and run the following command:

      certutil –setreg ca\KRAFlags +KRAF_ENABLEFOREIGN

      You should see a message indicating that the certutil: -setreg command completed successfully. The message also indicates that CertSvc may have to be restarted.

    2. Restart CertSvc. To restart CertSvc, run the following command:

      net stop certsvc && net start certsvc

  4. Run the CLMUtil.exe command with the importpfx option on the certificate file to import (.pfx or .p12). The command syntax is as follows:

    clmutil.exe –importpfx <pathtocertificate>\<certfilename> <password> <CAServerName>\<CAName> <UserPrincipalName>

    For example, to import a certificate named cert.pfx from a folder path of c:\certs, that has a private key password of P@ssw0rd, for a user with a User Principal Name (UPN) of, using a CA named Denver-CA, running on the computer named, use the following command:

    clmutil.exe -importpfx c:\certs\cert.pfx P@ssw0rd\Denver-CA

    This command creates an entry for the imported certificate in the Certificates table of the FIM CM database.


    1. You can use importpfxbatch to import multiple .p12 files into a specified directory. For more information, see Using the CLMUtil Command-Line Tool (

    2. The clmutil.exe command is case sensitive for the host and CA names and the password. You can obtain the connection names and case necessary for the clmutil.exe command to work from the computer that hosts the FIM CM database.

      To perform the following procedure, you must use an account that has permission to manage the FIM CM database.

      To obtain the correct CA server name and the CA name

      1. Open the Microsoft® SQL Server® Management Studio console. To do this, click Start, type SQL Server Management Studio, and then click SQL Server Management Studio when it appears on the Start menu.

      2. In Object Explorer, double-click the items in the following path: <Database Server>\Databases\FIMCertificateManagement\Tables.

      3. Right-click dbo.CertificateAuthority, and then click Select Top 1000 Rows.

      4. Look in the Results at the ca_server_name and ca_name, as shown in the following figure.

      Imported certificate for userA on FIM CM portal

  5. Verify that the certificate was added under Individual Certificates in the User Details page for the user in the FIM CM portal.

    To verify that the certificate was added

    1. On a computer that has access to the Certificate Management portal, open Internet Explorer.

    2. Navigate to the FIM CM Portal (https://< hostname>/certificatemanagement), where <hostname> is the name of the server or cluster that hosts the FIM CM Portal. If you are using the server that is hosting the portal, you can substitute localhost or for the <hostname>.


      If you receive a certificate error warning, ensure that you entered the correct server name, and then click the Continue to this Website (not recommended) link.

    3. If necessary, click the click to enter link to go to the FIM CM site.

    4. Click the Find a user to view or manage their information link.

    5. In E-mail address, enter the e-mail address of the user that you configured with the certificate, and then click Search. As an alternative, you can enter whatever information you know about the user, and then search.

    6. When the user account is located, you should see the details of the certificate that you imported in the Individual Certificates section.


    If you click an external certificate, the Certificate Details page for that certificate opens. From there, the certificate can be downloaded as a .cer file with the public key only. It does not include the private key. This is useful if you want to share the public key with other users who may need to encrypt a message to the user or confirm a signed message from the user.

  6. Configure the profile template settings to allow for external certificates.

    To configure the profile template

    1. In the FIM CM Portal, click Main Menu.

    2. Under the Administration heading, click the Manage profile templates link.

    3. Modify the template that you will use for the user account. For example, if you plan to issue a certificate for a smart card, you would select that template. By default, there is a FIM CM Sample Smart Card Logon template, which does support smart card logon. There is also a FIM CM Sample Profile Template, which does not support smart card logon.

    4. Click the Change general settings link.

    5. In External Certificates, set Maximum number of external certificates to a positive, nonzero number. Set the number to the maximum number of external certificates that you expect any user who will be issued certificates under this template may need.