Web Abstract:

  • Information technology (IT) organizations that issue high-assurance certificates such as smart card certificates must ensure their certificates’ security.
  • Microsoft’s Identity Lifecycle Manager (ILM) 2007 lets information technology (IT) administrators define workflows to increase certificates’ assurance levels.
  • Microsoft’s Identity Lifecycle Manager (ILM) 2007’s certificate management feature helps information technology (IT) organizations manage the life cycle of both software-based and smart card-based digital certificates to ensure the certificates’ security.

As a matter of their security policy, many organizations must issue high-assurance certificates, such as smart card certificates. The reasons for using smart card certificates vary. Perhaps a company wants to eliminate passwords on its network. Or, maybe a company wants to increase other organizations' trust levels by being able to certify that only the person listed in the certificate's subject has control of the certificate's private key.

Microsoft's Identity Lifecycle Manager (ILM) 2007 lets you define workflows for various management activities that occur during a certificate's lifetime, to increase certificates' assurance levels. These workflows ensure that your organization's written security policies are implemented, which in turn increases other organizations' trust in your certificates.

ILM 2007 comprises two previously existing products: Microsoft Identity Integration Server (MIIS) 2003 and the recently acquired Alacris idNexus (also known as Certificate Lifecycle Manager or CLM during its beta testing period). These products are rebranded in ILM 2007 as the metadirectory and synchronization facilities and the certificate management facilities.

In this article, I focus on ILM 2007's certificate management component. In addition, I provide an example of how you can use this feature to increase the assurance level of your certificates and ensure that predefined workflows are followed when medium-assurance certificates are issued.

Metadirectory and Synchronization
The primary function of ILM 2007's metadirectory and synchronization facilities is to provide provisioning and deprovisioning capabilities to the enterprise. The synchronization facilities allow convergence of identity information in all connected identity stores within an organization. ILM 2007 includes more than 30 types of management agents (MAs) out of the box for many of the leading directories, databases, email systems, mainframes, and line-of-business applications. A new MA, the Certificate Lifecycle Manger 2007 Management Agent, allows synchronization between the metadirectory and certificate management facilities. This MA lets you issue certificates and smart cards to new users as part of the provisioning process. In addition, when a user leaves the organization, the MA can ensure that important certificates are revoked as part of the deprovisioning process.

Certificate Management
ILM 2007 certificate management is a policy- and workflow-driven, identity-assurance management system that helps organizations manage the life cycle of both software-based and smart card-based digital certificates. ILM 2007 certificate management lets you define certificate management workflows that enforce an organization's policies and increase the assurance levels of the certificates issued through the workflows. For example, a business partner will likely feel more confident about the identity of one of your employees if a face-to-face meeting with the employee occurred during the certificate issuance process. ILM 2007 certificate management also streamlines the provisioning, configuration, and management of digital certificates and smart cards, while increasing security through strong, multifactor-authentication technology. ILM 2007 certificate management integrates fully with both Microsoft Certificate Services and Active Directory (AD), letting customers leverage their existing infrastructure during the deployment.

Components. ILM 2007 certificate management includes two mandatory components and two optional components. The two mandatory components are the certificate management server and the Certification Authority (CA) modules.

  • The ILM 2007 certificate management server is an ASP.NET application that requires both Microsoft Internet Information Server (IIS) 6.0 and the Microsoft .NET framework 2.0. The information that ILM 2007 certificate management server collects can be stored in either a SQL Server 2005 SP1 or SQL Server 2000 SP4 database. The ILM 2007 certificate management server includes two Web portals: a manager Web portal and a subscriber Web portal that are used during certificate management workflows.
  • The CA modules include both an exit module and a pluggable policy module. The exit module allows ILM 2007 certificate management to capture all certificates issued by a managed CA in the ILM 2007 certificate management database. The policy module lets an organization modify certificate requests during processing to allow better integration and management with ILM 2007 certificate management.

The two optional components of ILM 2007 certificate management are the ILM 2007 certificate management client software and the Bulk Enrollment Client.

  • The ILM 2007 certificate management client software is required only if you plan to issue and manage smart card-based certificates. The client software installs an ActiveX control that lets the ILM 2007 certificate management Web portal communicate with, write to, and manage smart cards.
  • The Bulk Enrollment Client enables the printing and management of numerous smart cards. The Bulk Enrollment Client requires installation of the ILM 2007 certificate management client software and DataCard's ID Works Enterprise Identification Software. The ID Works software lets an organization define the layout of a printed smart card and provides programmatic interfaces to the smart card printers.

Profile templates. In ILM 2007 certificate management, profile templates control the management of certificates. A profile template is a new AD object (created through a schema modification) that enables the definition of certificate management tasks. A profile template includes the following three related components:

  • One or more certificate templates, grouped together to allow enrollment, revocation, or renewal in one operation. For example, if you choose to deploy separate email signing and encryption certificates, both certificate templates would be included in one profile template.
  • Profile details that indicate whether a profile template is software-based or smart cardbased. (You can't combine software-based and smart card-based certificates in one profile template.) If you're configuring a smart card profile template, the profile details will include information about the smart card middleware used, user PIN generation, and reuse settings.
  • Management policies that define the workflows used to manage a certificate through its entire life cycle. For each management policy, a separate workflow is defined, including definitions of who performs management tasks during the workflow. For example, you can designate different people to initiate a smart card unblock request and to approve the unblock request. Table 1 shows the management policies available in ILM 2007 certificate management.

Workflow design. The biggest benefit of ILM 2007 certificate management is the ability to define workflows for certificate management. For example, you can define exactly what process is used to obtain Secure MIME (S/MIME) certificates or to unblock a smart card. The following three common models exist for certificate management.

  • In a Self-Service model, all processes within a workflow are initiated by the certificate subscriber defined in the profile template. For example, a user can initiate the request of an Encrypting File System (EFS) certificate. Self-service for certificate acquisition is typically considered a low-assurance model because no person other than the certificate requestor is involved in the issuance of the certificate. However, self-service is acceptable for several scenarios such as IPsec certificates or EFS encryption certificates.
  • In a Delegated model, a workflow is initiated by a certificate manager but is completed by the certificate subscriber. This workflow is considered medium assurance and is typically used for certificates that require strong validation of the subscriber's identity. For example, the certificate request for an EFS recovery agent or a Key Recovery Agent might use a delegated workflow. A certificate manager will initiate the request, with control being passed to the subscriber through the use of one-time secrets in an email message to complete the request.
  • In a Centralized model, the entire request is completed by the certificate manager. This workflow is typically used for high-assurance certificates. The certificate manager acts as an enrollment agent and places the subscriber's name information in the subject of the issued certificate.

Permissions. To define certificate management workflows, you must assign CLM extended permissions. The following seven extended permissions are assigned to users, groups, or the ILM 2007 certificate management Service Connection Point (SCP—which I define in the following section):

  • CLM Audit—Allows viewing the profile template setting, approving requests, and generating reports
  • CLM Enrollment Agent—Allows the holder to request a certificate on behalf of another user
  • CLM Request Enroll—Allows the initiation, execution, or completion of an enrollment request
  • CLM Request Recover—Allows the initiation of encryption key recovery operations from the CA database
  • CLM Request Renew—Allows the initiation, execution, or completion of a renewal request when an original user certificate is near its expiration date and needs to be replaced with a new certificate that has a new validity period
  • CLM Request Revoke—Allows termination of a certificate's validity before its expiration date (e.g., a certificate can be revoked because a user's laptop was stolen)
  • CLM Request Unblock Smart Card— Allows a smart card's user PIN to be reset, reestablishing access to the smart card's key material

In addition, profile template objects include the CLM Enroll permission. Users who request certificates included in a profile template must be assigned the CLM Enroll permission on the profile template. If a user requests a certificate on behalf of another user, both the requestor (enrollment agent) and the target user must be assigned CLM Enroll permissions.

Note that ILM 2007 certificate management permissions can be assigned only to users, global groups, or universal groups. Permission assignments made to domain local groups are ignored.

Permission assignment locations. In ILM 2007 certificate management, effectively managing permissions includes intertwining the following five permission assignment locations. Figure 1 illustrates these locations.

  1. Service Connection Point—If a user or group is assigned a CLM extended permission at the SCP, then the user gains access to the CLM management Web portal. A permission assignment at the SCP translates to a potential assignment of permissions. The permissions are effective only if a matching permission is assigned to a user or a group. Users require only Read permissions on the SCP to participate in CLM workflows.
  2. Profile Template Object—A user or group must be assigned the Read and CLM Enroll permission on the profile template object to allow enrollment of certificates based on the profile template. If the workflow includes a manager acting as an enrollment agent, both the manager and the target users must be assigned the CLM Enroll permission.
  3. Users/Groups—This permission assignment location goes hand-in-hand with the SCP. As I stated earlier, the SCP permission is a potential assignment. You could perform the assigned action on some user or group. A permission assignment on a user or group closes this loop. The user or group permission defines the target of the management action.
  4. Certificate Template(s)—If the workflow requires the submission of certificate requests to a CA, the submitter of the request must be assigned the Read and Enroll permissions on the included certificate templates.
  5. Within a Management Policy—The final permission assignment occurs within a management policy. The managers within a workflow must be assigned the right to initiate, approve, or act as an enrollment agent in a workflow. Alternatively, you can enable the self-service option to let a user initiate personal workflow requests.

Reporting. ILM 2007 certificate management includes excellent reporting facilities. In general, reports can be classified into the following three categories.

  • CLM Summary Reports—Provide summarized reports for all managed requests, certificate usage, certificate expiry, and smart card inventories. These reports are useful when reporting to management about the state of all certificates managed by ILM 2007.
  • CLM Detail Reports—Provide detailed reports for smart cards, smart card histories, requests, certificate template usage, and certificate revocation lists. Detail reports are appropriate when you are researching certificate usage for a specific person or smart card device.
  • CLM Settings Reports—Provide detailed setting information for certificate templates or profile templates. These reports can be used to document the finalized settings defined for each certificate template or profile template you deploy.

Implementing CLM Permissions: An Example
To illustrate the capabilities of ILM 2007's certificate management component, let's look at an example of how to implement CLM permissions. In this example, the Certificate Managers group uses a delegated enrollment model to issue code signing certificates to the Certificate Subscribers group. (Note: This example discusses only the Enroll workflow. For a typical deployment, workflows must be defined for each management policy in the profile template. For example, separate workflows can be defined for revoking certificates and recovering certificates.)

Defining profile details. To create a new profile template, you must duplicate an existing profile template. Because this profile template will issue a software-based certificate, you can use the following steps to duplicate the CLM Sample Profile Template that ships with ILM 2007.

  1. Start Microsoft Internet Explorer (IE).
  2. Navigate to http://clmserver/clm.
  3. Click the Microsoft Certificate Lifecycle Manager logo.
  4. On the Home page, in the Administration section, click Manage profile templates.
  5. On the Profile Template Management page, in the Profile Template List section, select the CLM Sample Profile Template check box, then click Copy a selected profile template.
  6. On the Duplicate Profile page, in the Profile Template Name section, in the New Profile Template Name box, type Code Signing Certificates, and click OK.
  7. In the Certificate Templates section, click Add new certificate template.
  8. In the Certificate Authorities section, select CAName.
  9. In the Certificate Templates section, select CodeSigning, and click Add.
  10. In the Certificate Templates section, select the User check box, then click Delete selected certificate templates.

After you complete these steps, the Profile Template will have the Profile Details settings that Figure 2 shows. (Note: If you were deploying smart cards, you would also need to configure the smart card Cryptographic Service Provider—CSP, the smart card details, and if required, smart card printing settings in the profile details.)

Defining the Enroll policy. The Enroll policy defines the workflow for the issuance of certificates. My example uses a delegated workflow, requiring the certificate managers to initiate the workflow for the code signing certificate issued to the certificate subscriber. To define the Enroll policy, complete the following steps. Figure 3 illustrates these steps.

  1. In the Select a view section, click Enroll Policy.
  2. In the Workflow: General section, click Change general settings.
  3. Disable the Use self serve option, and click OK.
  4. In the Workflow: Initiate Enroll Requests section, add the Domain\Certificate Managers group and remove the NT Authority\System group.
  5. In the Data Collection section, click Sample Data Item.
  6. Change the name of the data collection item to Photo Identification, change the Data Item Originator to Certificate Manager, and click OK.
  7. In the OneTime Passwords section, leave the default setting of a single one-time password.
  8. In the Passwords Distribution section, leave the Display on screen default option.

The one-time secret will then be displayed to the certificate manager and will be provided to the certificate subscriber after validation of the subscriber's photo identification.

Defining permissions. To allow processing of the workflow, permissions must be assigned at all five permission assignment locations. When you use the previous procedure to define the Enroll policy, only the Management Policy permissions are defined. The following additional permissions must be assigned.

  • Service Connection Point—Assign the Certificate Managers group CLM Enroll permissions to allow the group to initiate an enrollment process.
  • Certificate Subscribers Group—Assign the Certificate Managers group the CLM Enroll permission. This assignment defines that Certificate Managers can initiate enrollment only for the members of the CLM Subscribers group.
  • Code Signing Certificates Profile Template— Assign both the Certificate Managers and the Certificate Subscribers groups the Read and CLM Enroll permissions. In a delegated model, both the manager and subscribers must have CLM Enroll permissions.
  • Code Signing Certificate Template—Assign the Certificate Subscribers group the Read and Enroll permissions. You must assign the Read and Enroll permissions only to the group that submits the request to the CA. The Certificate Managers group merely initiates the request; the Certificate Subscribers group submits the request to the CA.

Performing the workflow. To start the enrollment workflow, you must log on to the ILM 2007 certificate management Web portal as a member of the Certificate Managers group. To initiate the workflow, complete the following steps.

  1. Start IE.
  2. Open http://clmserver/clm.
  3. Click the Microsoft Certificate Lifecycle Manager 2007 logo.
  4. On the Home page, in the Common Tasks section, click Enroll a user for a new set of certificates or a smart card.
  5. In the Search Criteria for Users section, in the Name box, type the username of the target subscriber, and click Search.
  6. If you have multiple profile templates in your environment, select the Code Signing Certificates profile template, and click Next.
  7. In the Data Collection section, type Driver's license, and click OK.
  8. On the Request Status page, provide the value of One-time password 1 to the certificate subscriber.

After you initiate the workflow, the certificate subscriber can complete the workflow by using the one-time secret provided by the certificate manager. The certificate subscriber must connect to the ILM 2007 certificate management Web portal to complete the enrollment process. To complete the workflow, log on as the target subscriber and complete the following steps.

  1. Start IE.
  2. Open http://clmserver/clm.
  3. Click the Microsoft Certificate Lifecycle Manager 2007 logo.
  4. On the Home page, in the Common Tasks section, click Complete a request with one-time passwords.
  5. In the Enter Passwords section, in the One-time password 1 box, type the one-time secret provided by the certificate manager, and click Next.
  6. Click Yes to accept that the Web portal is submitting a request to the CA.
  7. Click Yes to accept that the Web portal is installing certificates.
  8. On the Installing Certificates page, click Next.
  9. On the Request Summary page, ensure that the request status is completed.

Availability and Pricing
At press time, ILM 2007's scheduled release was May 1. License pricing is set at $15,000 per server and $25 per user for client access. These prices are a drastic reduction from the MIIS licensing model, in which licenses are $25,000 per processor. In addition, Microsoft is offering a 25 percent discount on user CALs as long as you order 250 or more user licenses and purchase Software Assurance.

You must purchase the CAL only if you decide to implement certificate management in your ILM 2007 deployment. If you use ILM 2007 strictly for metadirectory services, then no CALs are required in your deployment. But if you plan to issue and manage certificates with ILM 2007, you must obtain one CAL for each person that you manage (regardless of the number of user accounts the person holds in AD).

The Missing Link
By default, Microsoft's public key infrastructure (PKI) doesn't let you define and enforce management workflows or provide reports. ILM 2007's certificate management is PKI's missing link. Now you can easily define workflows for issuing high-assurance certificates. The CLM Web portal lets you manage certificates, and CLM MAs ensure that certificate revocation and issuance are part of your organization's provisioning and deprovisioning processes.