FIM smart card management guide
Microsoft has a complete solution called Forefront Identity Manager Certificate Management (FIM CM) to manage the life cycle of issuing digital certificates and smart cards. FIM smart card management is a complicated topic, as there are many operations that you can perform on a smart card. In this blog post, I will guide you through each smart card operation and what exactly happens to the digital certificates inside the smart card.
The diagrams use E to indicate an encryption certificate and S to indicate a signing certificate.
- PERM: permanent smart card
- DUB: duplicate smart card
- REP: replaced smart card
- Red line across the certificate: revoked certificate
Smart Card Replacement
FIM smart card management – smart card replacement. Let us assume that the FIM portal is configured with the following settings:
- Workflow: Duplicate Revocation Settings: not configured
- Workflow: Revocation Settings:
  - Set old card or profile status to disabled.
  - Revoke old certificates.
- Workflow: General:
  - Re-issue archived certificates.
Now, this is what will happen. If you have a smart card with E1 and S1 (the encryption and signing certificates inside the smart card), and you also have a duplicate smart card (DUB) with E1 and S2 (the same encryption certificate but a different signing certificate), then replacing the permanent smart card does what the figure shows.
- Upon replacing your permanent smart card, the encryption certificate E1 is revoked on both the permanent and the duplicate smart card, and the signing certificate on the permanent smart card (S1) is revoked, while the signing certificate on the duplicate smart card is not touched. The final replacement card contains a new signing certificate (S3), a new encryption certificate (E2), and a copy of the old E1 encryption certificate, to be used to decrypt any content that was encrypted with E1. New encryption, though, uses the new E2. Note that you can always decrypt using a revoked certificate. The permanent card is set to the Disabled state if you configured the workflow revocation settings in the FIM portal to (Set old card or profile status to disabled).
- If you replace the duplicate smart card instead, the opposite happens.
- If you now duplicate the replacement smart card, a new signing certificate (S4) is issued and the rest stays the same.
Note: since signing certificates are not archived at the CA (this is how you should configure the CA), you will always get a new signing certificate, no matter which operation you perform on the smart card.
Smart Card Retirement
FIM smart card management – smart card retirement. This is for when an employee resigns and you want to retire their smart card.
Scenario 1: Retire a duplicate smart card
- Revoke all certificates on the duplicate card. The duplicate smart card is no longer assigned to the user, and it no longer holds any certificates because they are deleted.
- Disable the permanent smart card (which revokes all certificates on the card). The permanent smart card is still assigned to the user and still holds its certificates; they are revoked, but they can be used to recover encrypted files.
Scenario 2: Retire a permanent card that has a duplicate smart card
- Revoke all certificates on the permanent card. The permanent card is no longer assigned to the user, and it no longer holds any certificates because they are deleted.
- Disable the duplicate smart card (which revokes all certificates on the card). The duplicate smart card is still assigned to the user and still holds its certificates; they are revoked, but they can be used to recover encrypted files.
Disable Smart Card
FIM smart card management – smart card disable. This is for when a smart card is lost and you want to disable it, to prevent unauthorized use of the certificates on that smart card.
When you disable a smart card, everything on it is revoked.
Duplicate Smart Card
FIM smart card management – smart card duplication. This is for when you want two smart cards, one at home and one at the office.
FIM recovers the same encryption certificate (if it is archived) and always issues a new signing certificate.
Online Update a Smart Card – Case 1
Assumptions
User X is enrolled for two smart cards, one of which is a duplicate. The Online Update Policy is configured to (Revoke Archived Certificates) for both the (Certificate Content Change) and (Certificate Expiry) reasons. The smart cards are enrolled using a profile template that contains two certificate templates (Encryption Certificate Template and Signing Certificate Template).
Action
The administrator performed an online update for the PERM card, clicked (Certificate Content Change) and chose to update only the (Signing Certificate Template).
What will happen
An online update cannot be completed entirely from the administrator workstation. The (Update Initiator) initiates the online update request for a smart card; after this action is approved in a workflow, as described in the management policy workflow, the user should log on to the FIM Client site and check their requests. They will see two approved requests for online update (one for each card). The user should then insert the permanent smart card and execute the first approved online update, then insert the duplicate smart card and execute the second approved online update.
The user ends up with two smart cards with the encryption certificate untouched. Both signing certificates on the smart cards, however, are revoked and deleted, and new ones are issued and written to the smart cards, as shown in the figure below.
Online Update a Smart Card – Case 2
Assumptions
The next FIM smart card management scenario: user X is enrolled for two smart cards, one of which is a duplicate. The Online Update Policy is configured to (Revoke Archived Certificates) for both the (Certificate Content Change) and (Certificate Expiry) reasons. The smart cards are enrolled using a profile template that contains two certificate templates (Encryption Certificate Template and Signing Certificate Template).
Action
The administrator performed an online update for the PERM card, chose (Certificate Content Change) and chose to update only the (Encryption Certificate Template).
What will happen
An online update cannot be completed entirely from the administrator workstation. The (Update Initiator) initiates the online update request for a smart card; after this action is approved in a workflow, as described in the management policy workflow, the user should log on to the FIM Client site and check their requests. They will see two approved requests for online update (one for each card). The user should then insert the permanent smart card and execute the first approved online update, then insert the duplicate smart card and execute the second approved online update.
The user ends up with two smart cards with the signing certificates untouched. The encryption certificate (E1), however, is revoked and kept on the smart cards for recovery use. New encryption certificates E2 and E3 are then issued and written to the cards, as shown in the figure below.
The user thus ends up with two cards and two encryption certificates, E1 and E2. To solve this, you can retire smart card DUB (this revokes and deletes S2 and E2) and then duplicate the PERM card. After this is done, the DUB card will have S3, E2 and the revoked E1.
Online Update a Smart Card – Case 3
Assumptions
The next FIM smart card management scenario: user X is enrolled for two smart cards, one of which is a duplicate. The Online Update Policy is configured to (Revoke Archived Certificates) for both the (Certificate Content Change) and (Certificate Expiry) reasons. The smart cards are enrolled using a profile template that contains two certificate templates (Encryption Certificate Template and Signing Certificate Template).
Action
Now the administrator deleted the signing certificate template from the profile template and initiated an online update of the smart card (it does not matter whether it is the PERM card or the DUB card).
What will happen
An online update cannot be completed entirely from the administrator workstation. The (Update Initiator) initiates the online update request for a smart card; after this action is approved in a workflow, as described in the management policy workflow, the user should log on to the FIM Client site and check their requests. They will see two approved requests for online update (one for each card). The user should then insert the permanent smart card and execute the first approved online update, then insert the duplicate smart card and execute the second approved online update.
The user ends up with two smart cards with the signing certificates revoked and deleted. The encryption certificate is not touched.
Online Update a Smart Card – Case 4
Assumptions
The next FIM smart card management scenario: user X is enrolled for two smart cards, one of which is a duplicate. The Online Update Policy is configured to (Revoke Archived Certificates) for both the (Certificate Content Change) and (Certificate Expiry) reasons. The smart cards are enrolled using a profile template that contains two certificate templates (Encryption Certificate Template and Signing Certificate Template).
Action
Now the administrator deleted the encryption certificate template from the profile template and initiated an online update of the smart card (it does not matter whether it is the PERM card or the DUB card).
What will happen
An online update cannot be completed entirely from the administrator workstation. The (Update Initiator) initiates the online update request for a smart card; after this action is approved in a workflow, as described in the management policy workflow, the user should log on to the FIM Client site and check their requests. They will see two approved requests for online update (one for each card). The user should then insert the permanent smart card and execute the first approved online update, then insert the duplicate smart card and execute the second approved online update.
The user ends up with two smart cards with the encryption certificates revoked and deleted. The signing certificates are not touched.
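As an added example (not code from the original post and not a FIM CM API), the following Python model captures the certificate behaviour described in the replacement, retirement, disable and duplication sections and in online update cases 1 to 4 above. It assumes the same configuration the post describes: signing certificates are never archived, encryption certificates are archived and recovered, revocation is recorded per certificate at the CA, Duplicate Revocation Settings are not configured, and the online update policy is Revoke Archived Certificates. The class and function names (FimCm, Card, Cert, replacement_scenario, online_update_scenario) are invented for this example.

```python
from itertools import count
from typing import NamedTuple


class Cert(NamedTuple):
    kind: str      # "E" = encryption (archived at the CA), "S" = signing (never archived)
    serial: int

    def __str__(self):
        return f"{self.kind}{self.serial}"


class Card:
    def __init__(self, role, certs):
        self.role = role               # PERM, DUB or REP, as in the post's diagrams
        self.certs = list(certs)
        self.assigned = True
        self.disabled = False

    def of_kind(self, kind):
        return [c for c in self.certs if c.kind == kind]


class FimCm:
    """Hypothetical model of FIM CM plus its CA (not the real product API). Revocation
    is recorded per certificate, not per card, so revoking E1 hits every copy of E1."""

    def __init__(self, profile_template=("E", "S")):
        self.profile_template = set(profile_template)  # certificate templates in the profile template
        self.revoked = set()
        self._next = {"E": count(1), "S": count(1)}

    def issue(self, kind):
        return Cert(kind, next(self._next[kind]))

    def show(self, card):
        # Render a card like the diagrams; a trailing '*' marks a revoked certificate.
        return sorted(str(c) + ("*" if c in self.revoked else "") for c in card.certs)

    def enroll(self, role="PERM"):
        return Card(role, [self.issue(k) for k in sorted(self.profile_template)])

    def duplicate(self, card):
        # Archived encryption certs are recovered onto the DUB; the signing cert is always new.
        new_s = [self.issue("S")] if "S" in self.profile_template else []
        return Card("DUB", card.of_kind("E") + new_s)

    def disable(self, card):
        # Lost card: everything on it is revoked; the card stays assigned and keeps its certs.
        self.revoked.update(card.certs)
        card.disabled = True

    def retire(self, card):
        # Employee left: revoke, unassign and wipe the card.
        self.revoked.update(card.certs)
        card.assigned = False
        card.certs = []

    def replace(self, card):
        # Revocation Settings: disable the old card and revoke its certs. General: re-issue
        # archived certs. Duplicate Revocation is not configured, so a DUB keeps its own S,
        # but its E copy is still revoked because revocation is per certificate.
        self.disable(card)
        rep = Card("REP", card.of_kind("E"))           # revoked E copies kept for decryption
        rep.certs += [self.issue(k) for k in sorted(self.profile_template)]
        return rep

    def online_update(self, card, changed=()):
        # One approved online-update request executed on one card, with the policy set to
        # Revoke Archived Certificates. `changed` holds the templates ticked under Certificate
        # Content Change; templates dropped from the profile template are processed too.
        for cert in list(card.certs):
            in_profile = cert.kind in self.profile_template
            if cert.kind not in changed and in_profile:
                continue                                # not part of this update
            self.revoked.add(cert)
            if cert.kind == "S" or not in_profile:
                card.certs.remove(cert)                 # revoked S, or dropped template: deleted
            if in_profile:
                card.certs.append(self.issue(cert.kind))  # revoked E stays for recovery, new E added


def replacement_scenario():
    fim = FimCm()
    perm = fim.enroll()                  # E1, S1
    dub = fim.duplicate(perm)            # E1, S2
    rep = fim.replace(perm)              # E1*, E2, S3; PERM disabled; DUB's S2 untouched
    dub2 = fim.duplicate(rep)            # E1*, E2, S4
    return fim.show(perm), fim.show(dub), fim.show(rep), fim.show(dub2), perm.disabled


def online_update_scenario(changed=(), drop_template=None):
    fim = FimCm()
    perm = fim.enroll()                  # E1, S1
    dub = fim.duplicate(perm)            # E1, S2
    if drop_template:                    # cases 3 and 4: template removed from the profile template
        fim.profile_template.discard(drop_template)
    for card in (perm, dub):             # the user executes one approved request per card
        fim.online_update(card, changed)
    return fim, perm, dub
```

`replacement_scenario()` returns the PERM, DUB, REP and re-duplicated REP cards in diagram notation, and `online_update_scenario(changed=("E",))` reproduces case 2; retiring the resulting DUB and calling `duplicate(perm)` reproduces the fix the post suggests (S3, E2 and the revoked E1 on the new DUB). The model makes explicit what the prose only implies: because revocation is tracked against the certificate rather than the card, replacing or disabling the PERM card also revokes the E1 copy on the DUB, while the DUB's own signing certificate survives only because Duplicate Revocation is not configured.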
Final Thoughts
FIM smart card management is essential knowledge if you want to manage smart cards in your environment. We talked about different possible operations on smart cards, and how each operation affects the digital certificates residing inside the smart card.
Very well explained the topic. I am wondering if you had explored more on point no 5, it would be more helpful. Anyways I am loving your blog.