A Powerful New Tool for Certificate Management
At a Glance:
- ILM-CM architecture
- Administration and templates
- Creating a workflow
It’s a calm day at work when suddenly you get a call from your help desk support team—a certificate has expired on one of your production systems. Now the system is down, and your company is losing productivity (and money) until you renew the certificate.
If you are responsible for managing a Public Key Infrastructure (PKI) environment, I’m sure you’ve been surprised by a certificate that expired unexpectedly. The calm day—well, that’s a dream now.
When Microsoft added PKI services in Windows® 2000 and Windows Server® 2003, it was a great and inexpensive way for companies to implement their own internal PKI environment. Unfortunately, the Microsoft® PKI services lacked the ability to manage the lifecycle of the certificates that were generated. However, Microsoft recently acquired a certificate management product and then released Identity Lifecycle Manager (ILM), which combined certificate management with the identity provisioning and control features of Microsoft® Identity Integration Server (MIIS). This article will discuss what ILM can do to help manage certificates and smart cards for your organization.
The core of the ILM Certificate Management (ILM-CM) architecture is the ILM-CM server and its related components (see Figure 1). The ILM-CM server can be installed on a single server set up to interface with one or multiple Certification Authorities (CAs). ILM-CM requires SQL Server™, which stores certificate information, policies, and other related data used to manage your certificate environment. To manage users and security permissions, ILM-CM server also requires Active Directory®. See Figure 2 for the required components and versions.
Figure 2 Supporting ILM-CM infrastructure
|Active Directory||Windows Server 2003|
|Database Server||SQL Server 2000 SP3 or higher or SQL Server 2005|
|Certification Authority||Windows Server 2003 Enterprise Edition or Data Center Edition|
Figure 1** ILM-CM architecture **
Once the ILM-CM environment is completely installed, all certificate requests will communicate with the ILM-CM server. The ILM-CM server is responsible for storing all certificate-related information into the SQL Server database, which can be used for further certificate reporting, alerting, and maintaining a workflow environment.
The ILM-CM software architecture essentially consists of three high-level parts: the ILM-CM server, CA plug-ins, and the client-side components. The server software can be installed and run on a CA or on a server that is used primarily for ILM-CM. The ILM-CM server then communicates with the CAs, the SQL Server database, and Active Directory. The server also provides a Web portal that certificate managers use to configure certificate policies and workflows, as well as for certificate subscribers to request and renew software certificates.
In order for the CA to communicate with the ILM-CM server, ILM-CM policy and exit modules must be installed and configured on every CA you want to manage. These two modules are used to record certificate information into the database. When a certificate is issued by a CA, the exit module is responsible for sending that information to the ILM-CM server, which in turn records the certificate information into the database.
If you plan to manage smart cards in your environment, you need to install the ILM-CM smart card client software. This software is required on any client computer that must interact with the ILM-CM server.
Installing the ILM-CM server is actually quite straightforward—a wizard walks you through the process. But before you actually run the wizard, you will need to take care of a few preinstall functions.
The first thing ILM-CM requires is Active Directory and an ILM-CM schema extension. The schema extension adds some additional Microsoft .NET Framework security attributes that ILM-CM needs in order to implement the profile templates.
You also need to install the .NET Framework 2.0, and the components mentioned earlier—SQL Server, CAs, and SMTP server—must also be in place. If ILM-CM is going to be installed on a separate server from the CA, then you must install the ILM-CM modules on the CAs by running the ILM-CM setup wizard on the CAs. Once the installation is complete, you should be able to connect the ILM-CM portal by pointing your browser to http://hostname/CLM.
To enable certificate expiration/renewal notification, you need to configure the ILM-CM service on the ILM-CM server. Start by creating an appropriate account in Active Directory. Go into the ILM-CM services and add that account as the logon account. Then add that user to the local administrators and the IIS_WPG group within the ILM-CM server, as well as to the "Act as part of Operating System, Generate security Audits, and Replace a process level token" using group policies. After the ILM-CM service is set up, the ILM-CM server can scan the SQL Server database for expired certificates and provide e-mail notification to the certificate owners or managers.
ILM-CM is managed through a Web interface, which is divided into functional areas related to user, certificate, and smart card management tasks. When connected to the ILM-CM portal with the appropriate administrative privileges, it displays a number of administrative tasks that let you manage the ILM-CM environment (see Figure 3). The Common Tasks section provides administration options, including enrolling users for a new set of certificates or a smart card. You can also manage and approve requests.
Figure 3** ILM-CM management portal tasks **(Click the image for a larger view)
If you need to locate users or certificates, you use the Manage Users and Certificates tasks area. These tasks give you the capability to find, recover, revoke, or renew certificates. You can also find a revocation list.
If your organization uses smart cards, the Manage User Smart Cards portion is handy. If, for example, a user has locked his card, the certificate manager can unlock the card here. You can also search and view smart cards in the local card reader.
The Requests area of the interface allows certificate managers to review and approve user certificate requests. For example, you could view all certificates contained in a pending state request. The Administration area lets you create and manage profile templates. Finally, the Reports area is, as you’d expect, used to develop and create reports related to users and certificates.
When authenticating to the ILM-CM portal, if your account doesn’t have administrative privileges, you are presented with a subscriber page that offers self-service management functions for certificate users (see Figure 4). From this portal, users can view and manage their certificates and smart cards based on their particular policy configuration. Examples of common tasks include requesting certificates or a smart card, reviewing existing certificates, and changing smart card PINs.
Figure 4** Subscriber portal page for user self-administration **(Click the image for a larger view)
Providing a high-quality, delegated workflow process for issuing, renewing, replacing, revoking, and replacing certificates or smart cards can be a challenge in any organization. With ILM-CM you now have the capability to delegate these tasks to provide a higher assurance of security. Let’s say you have a user who has forgotten his smart card PIN. Using the delegate workflow model, the user could call the help desk support line and the support staff would ask him a few verification questions. If the questions were answered correctly, the support staff could unblock the smart card for the user. Another example of delegated workflow would be recovering a user’s Encrypted File System (EFS) certificate in case of accidental deletion or the loss of a laptop.
A profile template is the fundamental component that enables a full workflow management process for ILM-CM. A profile template is considered to be a single administrative object that contains one or more certificate templates. Profile templates are created and configured to manage how the workflow process should operate in your certificate environment. The key aspect of a profile template is that it can contain multiple certificate templates that can be managed as a single item, which means users can be managed by one template that can track the certificate process through its lifecycle.
Profile templates can be configured to store certificates on a computer (software-based) or on a smart card (hardware-based). You can create these templates by duplicating a sample from the ILM-CM administrator portal. Within the profile template, you can define several different management policy components (see Figure 5).
Figure 5** A profile template **(Click the image for a larger view)
Many of the policy components are applicable to both software and smart card profiles (see Figure 6). Some of these are worthy of additional comment. During the certificate enrollment process, you can use the enroll policy component to define certain criteria regarding how you’d like the enrollment process to flow. For example, you could set up a data collection, which means the user would need to enter information such as department codes, e-mail address, and manager. You could also create definitions that automatically print out an official document once the user has enrolled a certificate.
Figure 6 Software profile policies
|Profile details||Provides the general details of the profile template. This is where you can add one or more certificate templates to the profile template.|
|Duplicate policy||Defines the workflow entities of an existing certificate.|
|Enroll policy||Defines the enrollment process workflow.|
|Online update policy||Similar to the Renew Policy except it can update expiring certificates, certificate content, templates, and smart card applets.|
|Recover on behalf policy||Recovers a user’s private key or certificates.|
|Renew policy||Defines the renew workflow when a certificate expires.|
|Reinstate policy||Defines the process for reinstating a certificate.|
|Recover policy||Defines the workflow for recovering a user certificate stored on a computer was deleted, rebuilt, or stolen.|
|Revoke policy||Defines the workflow for revoking all certificates within a profile.|
The online update policy can be very useful to your organization. It is similar to the renew policy except it can update certificate content, certificate templates, applets on smart cards, and also update the certificate itself when it is about to expire. To fully use this policy, you must enable the ILM-CM service and the web.config file to allow access to a multi-valued attribute in Active Directory. You will also need to install the online update service on the client computer.
The Recover on behalf policy can be handy if your company uses EFS encryption. Suppose someone accidentally deletes his encryption certificate. You could use this policy component to set up a workflow in which the help desk security team requests the user’s private key. The user could then retrieve his private key by receiving an e-mail with a secret password that was generated by the ILM-CM server. Finally, he’d go to a secret Web link on the ILM-CM server to retrieve the certificate with his associated private keys. The Recover on behalf policy is also particularly useful when an employee leaves the organization, but his data needs to be recovered for archival, regulatory, or other purposes.
To provide a more secure renewal process, the renew policy lets you set up and e-mail the one-time password secret key users need to renew their certificates. If you revoke a certificate and then want to reinstate it and remove it from the Certificate Revocation List (CRL), the reinstate policy can define that workflow process.
Two unique policy components associated only with software certificate policies and not smart cards are the recover policy and the revoke policy. If a user certificate stored on a computer is deleted or the computer itself is rebuilt or stolen, the recover policy could define the process for restoring the certificate or keys if archived on the CA. The revoke policy lets the administrator set a static revocation reason or allow the person performing the revocation request to designate the reason at the time of the revocation.
There are five additional management policies that are specific to smart card profile templates, as shown in Figure 7.
Figure 7 Smart card profile policies
|Replace policy||Defines the profile in the event that a user’s smart card is lost or stolen.|
|Disable policy||Defines the process of disabling certificates on a smart card prior to their expiration.|
|Retire policy||Defines the process for revoking all certificates on a smart card.|
|Unblock policy||Defines who can unblock a smart card’s user PIN.|
|Temporary cards policy||Defines a short-term replace smart card. The user receives new signing certificates but would be able to decrypt their data by getting the existing profile encryption certificates.|
You can define several different operations for the retire policy, like erasing user data on the smart card, blocking the user and administrative PINs, and resetting the administrative PIN. The unblock policy is typically used if a user has forgotten his PIN or a new card has been shipped with a PIN assigned by the ILM-CM. The user then requests to have the smart card unblocked.
As with any administrative product, reporting is a very useful feature. The ability to capture a snapshot of your certificate or smart card environment is very important to any organization. ILM-CM comes with several built-in reports that include smart card inventories, request summaries, certificate usage and expiration, and a number of others. As with other reporting systems, if you need additional reports, you can write a custom query since all the data is stored in a SQL Server database.
Developing a Workflow
Now let’s look at how ILM-CM can help define a productive workflow process. Say you have several system administrators who are responsible for managing and maintaining SSL certificates for their systems. The first question to ask is: What are the key aspects of the process?
Depending upon the type of system, the process may require different methods for creating the certificate request file. So the first task is to develop an intranet page that has detailed instructions on how to create the certificate request for all the systems.
Once the administrator creates the request file, he can submit it to the ILM-CM user portal for certificate approval. Using the ILM-CM workflow process, the administrator can define several approvers that need to verify and approve a certificate request. After a certificate is approved, the user can retrieve the certificate from the ILM-CM. Since the ILM-CM places the certificate information into a SQL Server database, administrators are able to retrieve historical information.
One year later, when the certificate approaches its expiration period, the ILM-CM will send an e-mail notification to the requester informing him that the certificate is about to expire and the he must renew. Putting this workflow process in place will help prevent those occasions when certificates expire unexpectedly and ruin your day.
If your company is using a Microsoft PKI environment, ILM-CM can help manage it. ILM-CM allows organizations to improve security authentication processes and reduce the costs and complexity of digital certificates and smart card management. ILM-CM will also be the foundation to develop certificate and smart card workflow processes that so many companies lack today.
Microsoft has also implemented external API support for ILM-CM. If your organization uses custom applications, you may be able to interface those applications to take advantage of the ILM-CM API support.
Kevin Dallmann is a Senior Systems Engineer consultant for Accenture and is primarily responsible for supporting Active Directory and PKI environments for large enterprise environments. Kevin holds the MCSE and MCT certifications and he also teaches Microsoft courses.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.