Forefront Identity Management – Certificate Management Part 1
Forefront Identity Management – Certificate Management
Forefront Identity Management – Certificate Management 2010, or FIM CM, is a management interface between administrators and the certificate authority services. In other words, FIM CM will proxy your requests to the certificate authority services, and by using proxy I mean from interface perspective and from security context perspective.
It is clear to all of us that Microsoft Certificate Authority Server, especially before the Windows Server 2008 becomes RTM, lacks many features and auditing requirements.
In the days of Windows Server 2003 Certificate Authority, you must enroll for enrollment agent certificate and give it to the person who will be enrolling smart cards in your company. This approach is not good enough, since gaining access to that enrollment certificate means that being able to enroll for anyone in the corporate. Imagine if this certificate gets compromised. This approach doesn’t scale well if you have global corporate and you want the admins in Europe to enroll for users in their region only, while the admins in Dubai to enroll for users in the middle east.
Although Microsoft Windows Server 2008 R2 came with a great feature called (Restricted Enrollment Agents) to restrict each enrollment agent certificate to a specific users and group, the need still exists for a management approach when it comes to certificates and smart card enrollment.
FIM CM extends the functionality of the Certificate Authority Services that exists out of the box with Windows, by adding workflow approach, auditing capabilities ,notifications, and introducing many management roles like request renew smart card, request smart card offline unblock and more. All this can be defined inside a management policy approach by utilizing something called (Profile Templates) inside FIM CM.
Besides extending the functionality, FIM CM acts as a security context proxy, by using the concept of FIM CM Agents. Every action that FIM CM performs, is done in the context of one of FIM CM Agents. Those agents are also used to sign and encrypt traffic between the FIM server and the FIM database server, and between the FIM server and the CA server, besides encrypting some data inside the FIM SQL database itself.
Because FIM CM is using those agents for almost all operations, FIM agents need to be enrolled for Encryption and Signing certificates, Enrollment Agent certificates and Key Recovery Agent certificates. Those certificates can be protecting by HSM as gaining access to the enrollment agent certificate is very dangerous. System administrators only need to have a management role on the FIM CM management policies and they don’t need to have enrollment agent certificates anymore, because the enrollment agent certificate is now owned and managed by FIM CM agents (via HSM if needed).