FAQ for FIM 2010 to support SHA2, KSP/CNG and v3 certificate templates for issuing user and agent certificates and MIM 2016 upgrade
~ Milan Milosavljevic | Senior Escalation Engineer
Hi everyone, Milan Milosavljevic here from the Microsoft Platform AD Identity support team. I’d like to take a minute to clarify a couple of common questions we get regarding upgrade support for Microsoft Identity Manager 2016 (MIM 2016). This includes how to handle the deprecation of the Forefront Identity Manager 2010 Certificate Management (FIM CM) management agents as well as SHA2 support.
Question: Does FIM CM 2010 R2 SP1/MIM CM 2016 support user certificates signed using SHA2?
Answer: Yes. SHA2 support is provided by configuring the issuing CA to issue SHA2-signed certificates. No additional action is required on FIM CM 2010 or MIM 2016. This means that FIM CM 2010 R2 SP1/MIM CM 2016 can work with SHA2 PKIs.
Question: Does FIM CM 2010 R2 SP1/MIM CM 2016 support CM agent certificates (cmagent, cmenrollmentagent and cmrecoveryagent) signed using SHA2?
Answer: Yes. This means that FIM CM 2010 R2 SP1/MIM CM 2016 can work with SHA2 PKIs. Note, however, that if you want to change the hash algorithm for the agent certificates after the upgrade, you will need to replace or renew those certificates. For more information see https://technet.microsoft.com/en-us/library/hh149034(v=ws.10).aspx.
Question: Does FIM CM 2010 R2 SP1/MIM CM 2016 support user certificates issued with KSP/CNG keys and v3 (and newer) certificate templates?
Answer: Partially. User certificates can use a KSP, but only with RSA keys. This means the corresponding certificate template (v3 or newer) can be configured in its Cryptography tab with “Provider Category = Key Storage Provider”, but “Algorithm Name” must be “RSA”. Selecting any of the ECDH algorithms (ECDH_P256, ECDH_P384, ECDH_P521) as “Algorithm Name” is not supported.
The same support statement applies to FIM CM 2010 R2 SP1 and to MIM CM 2016.
The same support statement (RSA only) applies to third-party software and hardware KSPs.
The reasons why the other algorithms (ECDH and ECDSA) are not supported differ between the smartcard and software profiles:
- For smartcard profiles, the CM client uses CryptoAPI, which does not support elliptic curve keys.
Question: Does FIM CM 2010 R2 SP1/MIM CM 2016 support CM agent certificates (cmagent, cmenrollmentagent and cmrecoveryagent) issued with KSP/CNG keys and v3 (and newer) certificate templates?
Answer: KSP/CNG is not supported for CM agent certificates. This limitation exists because the .NET Framework X509Certificate2 class used by CM does not support certificates whose private key is held by a CNG key storage provider. V3 (or newer) certificate templates can be used, but “Provider Category” in the Cryptography tab must reference “Legacy Cryptographic Service Provider”.
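The two answers above (RSA-only KSP support for user certificates, legacy CSP only for agent certificates, and SHA2 signatures for both) are easy to verify before an upgrade. The following script is an added example, not code from the original post or from the CM product: it inventories the certificates in the local machine store and reports, for each, the signature hash, the public key algorithm and whether the private key lives in a legacy CSP or a CNG KSP. It assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later (the GetRSAPrivateKey/GetECDsaPrivateKey extension methods are 4.6+ APIs used here only for inspection) and an elevated session; the subject filter is a constructed sample matching the agent account names from the FAQ.

```powershell
# Added example, not from the original post: list certificates in the local
# machine store and report signature hash, public key algorithm and whether the
# private key lives in a legacy CSP or a CNG key storage provider (KSP).
# Assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later and an elevated
# session (machine-store private keys). GetRSAPrivateKey/GetECDsaPrivateKey
# are .NET 4.6+ APIs used here only to inspect keys; CM itself does not use them.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Get-CmCertificateKeyInfo {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        # Constructed sample filter: the CM agent account names from the FAQ
        [string[]]$SubjectFilter = @('cmagent', 'cmenrollmentagent', 'cmrecoveryagent')
    )
    $pattern = ($SubjectFilter | ForEach-Object { [regex]::Escape($_) }) -join '|'
    Get-ChildItem -Path $StorePath | Where-Object { $_.Subject -match $pattern } | ForEach-Object {
        $cert = $_; $keyKind = 'n/a (no private key)'; $provider = 'n/a'
        if ($cert.HasPrivateKey) {
            try {
                $rsa = [RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [RSACryptoServiceProvider]) {
                    $keyKind = 'Legacy CSP'; $provider = $rsa.CspKeyContainerInfo.ProviderName
                } elseif ($rsa -is [RSACng]) {
                    $keyKind = 'CNG KSP'; $provider = $rsa.Key.Provider.Provider
                } else {
                    # Not RSA: ECDSA/ECDH keys only ever live in a KSP
                    $ec = [ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
                    if ($ec -is [ECDsaCng]) { $keyKind = 'CNG KSP (ECC)'; $provider = $ec.Key.Provider.Provider }
                }
            } catch { $keyKind = 'unknown'; $provider = "error: $($_.Exception.Message)" }
        }
        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            SignatureAlg   = $cert.SignatureAlgorithm.FriendlyName  # e.g. sha256RSA (SHA2) vs sha1RSA
            PublicKeyAlg   = $cert.PublicKey.Oid.FriendlyName       # RSA or ECC
            KeyStorage     = $keyKind
            Provider       = $provider
            # Agent certificates are supported only with a legacy CSP (see answer above)
            AgentSupported = ($keyKind -eq 'Legacy CSP')
        }
    }
}

Get-CmCertificateKeyInfo | Format-Table -AutoSize
```

Pass an empty `-SubjectFilter` pattern such as `-SubjectFilter @('.')` to review every certificate in the store, for example when checking that user templates are issuing RSA rather than ECC keys.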
Question: Is an in-place upgrade from FIM CM 2010 R2 Service Pack 1 to MIM CM 2016 possible?
Answer: Yes, assuming you’re on the latest build of FIM CM 2010 R2 SP1. You only need to run the CM installation and check the migration checkbox in the setup wizard; FIM CM 2010 will then be migrated to MIM CM 2016. Prior to performing the upgrade, please make sure that your FIM CM backup is current and complete, including the FIM CM database, the agent accounts and their certificates/keys, and the FIM CM configuration files.
Question: What is the official recommendation for replacement of FIM CM management agents?
Answer: FIM CM management agents (MAs) have been deprecated in MIM 2016. As an alternative, you can create similar functionality using the FIM CM Provision API (https://msdn.microsoft.com/en-us/library/windows/desktop/bb468091(v=vs.100).aspx) or the FIM CM SQL API (https://msdn.microsoft.com/en-us/library/windows/desktop/bb468093(v=vs.100).aspx).
Milan Milosavljevic | Senior Escalation Engineer | Microsoft