Deploying multiple CAs for FIM CM
Applies To: Forefront Identity Manager Certificate Management
Important
This procedure is for multiple Microsoft CA configurations. This procedure is not meant for third-party CAs.
The FIM CM Configuration Wizard performs the following primary configuration tasks on CAs automatically:
Grants the required user rights to the CM agent, CA Manager, and enrollment agent user accounts.
Enables key archival for the default key recovery agent certificate.
You can use the FIM CM Configuration Wizard for the CA that you deploy first. However, when you deploy other CAs, you must manually grant permissions to the CM agent, CM CA Manager, and the CM enrollment agent user accounts.
Note
You may rename the default FIM CM user accounts.
You must grant each CM agent user account the required permissions to ensure that the user account is correctly configured for FIM CM. The following table shows the FIM CM agent user accounts and corresponding required permissions.
CM agent user accounts and required CA permissions

CM agent user account | Permission
---|---
cmAgent (CM agent) | Issue and Manage Certificates
cmCAMngr (CM CA Manager) | Manage CA
cmEnrollAgent (CM enrollment agent) | Read, Request Certificates
Important
You must assign the required permissions on every CA in your organization, including the new CA.
To assign CA permissions to a CM agent user account
Log on to the CA as a domain administrator.
Click Start, point to Administrative Tools, and then click Certification Authority.
In the console tree, right-click CAName, and then click Properties.
In CAName Properties, click the Security tab.
In Group or user names, select the FIM CM agent user account that you want to adjust permissions for, and then, in Permissions for UserName, select the permission.
Table 13 shows the permissions that you must configure for the FIM CM agent user accounts.
Click OK when you are finished.
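The procedure above sets the permissions through the Certification Authority console. To confirm that every CA actually carries them, the following added PowerShell script (not part of this page or of FIM CM) reads the CA's security descriptor from the registry and reports, for each agent account, whether the required access-mask bits are present. It assumes the default account names in a placeholder domain CONTOSO and that it runs on the CA with rights to read the CertSvc configuration key.

```powershell
# Added audit example, not from the FIM CM documentation. Run on each CA.
# CA access-mask bits as documented in certsrv.h
$CA_ACCESS_ADMIN   = 0x1    # Manage CA
$CA_ACCESS_OFFICER = 0x2    # Issue and Manage Certificates
$CA_ACCESS_READ    = 0x100  # Read
$CA_ACCESS_ENROLL  = 0x200  # Request Certificates

# Required rights per FIM CM agent account (CONTOSO and the account names
# are assumptions; substitute your own domain and any renamed accounts)
$required = @{
    'CONTOSO\cmAgent'       = $CA_ACCESS_OFFICER
    'CONTOSO\cmCAMngr'      = $CA_ACCESS_ADMIN
    'CONTOSO\cmEnrollAgent' = $CA_ACCESS_READ -bor $CA_ACCESS_ENROLL
}

# The active CA name and its Security descriptor live under the CertSvc key
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $configKey).Active
$sdBytes = (Get-ItemProperty -Path "$configKey\$caName").Security
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList ($sdBytes, 0)

# Accumulate the Allow mask per identity (Deny ACEs are reported separately)
$granted = @{}
foreach ($ace in $sd.DiscretionaryAcl) {
    try {
        $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $name = $ace.SecurityIdentifier.Value   # unresolvable SID: keep the raw value
    }
    if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed) {
        $granted[$name] = ([int]$granted[$name]) -bor $ace.AccessMask
    } elseif ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessDenied) {
        Write-Warning ("{0}: Deny ACE with mask 0x{1:X} on {2}" -f $name, $ace.AccessMask, $caName)
    }
}

# Compare what each agent account holds against what FIM CM requires
foreach ($account in $required.Keys) {
    $have    = [int]$granted[$account]
    $missing = $required[$account] -band (-bnot $have)
    if ($missing -eq 0) {
        "{0}: OK on {1}" -f $account, $caName
    } else {
        "{0}: MISSING rights mask 0x{1:X} on {2}" -f $account, $missing, $caName
    }
}
```

Run it once per CA after the manual steps; any MISSING line points to a checkbox that still has to be selected on that CA's Security tab.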
To deploy subsequent CAs for FIM CM
Log on to the new CA as an administrator who is assigned the Manage CA permission.
Click Start, point to Administrative Tools, and then click Certification Authority.
Right-click the CA, and then click Properties.
On the Key Recovery Agent tab, select Archive the key, click Add, and then select the key recovery agent certificate that is issued to the clmkragent user account.
Note
This certificate should exist in the personal store of the clmkragent on the FIM CM Web server.
Restart the CA.