Optional: Configuring Additional CA Settings and Modules
Applies To: Forefront Identity Manager Certificate Management
You may want to configure additional policy modules for FIM CM to control certificate subjects and to support certificate requests that are generated outside of FIM CM.
Configure additional policy modules
To configure additional policy modules
Log on to the FIM CM server with a user account that is assigned the Manage CA permission for the local CA.
In Server Manager, expand Active Directory Certificate Services, right-click the certification authority that you want to configure, and then click Properties.
In <CAName> Properties, on the Policy Module tab, click Properties to install and configure a custom module.
In Configuration Properties, on the Custom Modules tab, click Add.
In the Open dialog box, locate the Microsoft.CLM.PolicyModulePlugins.dll file, and then click Open. The default location for the file is <ProgramFiles>\Microsoft Forefront Identity Manager\2010\Certificate Management\CA\
In FIM CM Policy Module, select a policy module. The following table shows the available policy modules.
CM policy modules
Policy module | Description |
---|---|
Certificate SMimeCapabilities Module 1.0 | Limits the encryption algorithms that a certificate advertises for Secure/Multipurpose Internet Mail Extensions (S/MIME). This module is also called the S/MIME Capabilities policy module. |
Certificate Subject Module 1.0 | Inserts a custom subject into a certificate. This module is also called the Subject policy module. |
SubjectAltName Module 1.1 | Inserts a custom field into a certificate's SubjectAltName value. This module is also called the Subject Alternative Name policy module. |
Support for non-FIM CM certificate requests | Registers certificates that are issued outside of FIM CM, for example through auto-enrollment or the Certificates Microsoft Management Console (MMC) snap-in, in the FIM CM database. This module is also called the Non-FIM CM Request policy module. |
In Custom Module Name, provide a unique name for the policy module, and then click OK.
To modify the policy module's properties, in Configuration Properties, select the policy module, and then click Properties.
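The registration steps above are performed in the CA Properties dialog. The following PowerShell script, added here as an example and not part of the FIM CM documentation, covers the checks a practitioner runs around those steps: the plug-in DLL runs inside certsvc with the CA's privileges, so its Authenticode signature is verified before the CA is pointed at it; the CA's active policy module is read back with certutil; and certsvc is restarted so the change takes effect. The DLL path is the default from the procedure; the CA configuration string (host and CA name) is an assumption.

```powershell
# Added example, not from the FIM CM documentation. Run on the CA as an
# account that holds the Manage CA permission.
#Requires -RunAsAdministrator

$CaConfig  = 'CA01.contoso.com\Contoso Issuing CA'   # assumption: <host>\<CA common name>
$PluginDll = Join-Path $env:ProgramFiles 'Microsoft Forefront Identity Manager\2010\Certificate Management\CA\Microsoft.CLM.PolicyModulePlugins.dll'

function Test-CmPluginDll {
    param([Parameter(Mandatory)][string]$Path)
    # A policy module plug-in is loaded into certsvc, so a tampered DLL gives
    # an attacker control over what the CA issues. Confirm the file exists and
    # carries a valid Authenticode signature before registering it.
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Plug-in DLL not found: $Path"
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status                      # only 'Valid' is acceptable
        Signer     = $sig.SignerCertificate.Subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
    }
}

function Get-CaPolicyModule {
    param([Parameter(Mandatory)][string]$Config)
    # certutil -getreg reads the CA's registry configuration. Policy\Active
    # names the policy module that certsvc loads; the FIM CM plug-ins are
    # configured from that module's property pages, as in the steps above.
    & certutil.exe -config $Config -getreg 'Policy\Active' 2>&1
}

$check = Test-CmPluginDll -Path $PluginDll
$check | Format-List
if ($check.Status -ne 'Valid') {
    throw "Refusing to continue: signature status is '$($check.Status)'"
}

Get-CaPolicyModule -Config $CaConfig

# The plug-in list itself is edited in the GUI. After that change, restart the
# CA service so that certsvc reloads the policy module and its plug-ins.
Restart-Service -Name certsvc -Force
Get-Service -Name certsvc | Select-Object Status, StartType
```

The restart at the end interrupts certificate issuance on that CA for a few seconds; on a production CA, run it in a maintenance window after the plug-in has been added and configured, rather than between individual configuration steps.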
The following sections describe the configuration of the available policy modules.
Configure the S/MIME Capabilities policy module
Configure the Subject policy module
Configure the Subject Alternative Name policy module
Configure the non-FIM CM Request policy module
Configure the S/MIME Capabilities policy module
You can use the S/MIME Capabilities policy module to limit the encryption algorithms that a certificate advertises for S/MIME. Your organization can leave out algorithms that it considers weak or unsuitable for use. Note that the extension is advisory: it tells sending S/MIME clients which algorithms the certificate holder supports, but it does not prevent the key from being used with other algorithms.
To configure the S/MIME Capabilities policy module
In the Custom Module Properties dialog box, in Filter, select the certificate template that you want to use for S/MIME.
In Provider, click Configure.
In the S/MIME Capabilities dialog box, enter the object identifiers (OIDs) of the algorithms to list in the certificate's SMIMECapabilities extension. The extension advertises to other S/MIME clients which algorithms the certificate holder supports.
Each algorithm is identified by an object identifier, a unique sequence of dot-delimited numbers. The following table shows the algorithms and their corresponding object identifiers.
FIM CM algorithms and object identifiers
Algorithm | Object identifier |
---|---|
RC2-CBC | 1.2.840.113549.3.2 |
RC4 | 1.2.840.113549.3.4 |
DES-CBC | 1.3.14.3.2.7 |
DES-EDE3-CBC | 1.2.840.113549.3.7 |
Some algorithms take parameters. A parameter can be any ASN.1 object; for example, RC2 takes the key length as an INTEGER.
The following table shows example settings.
Sample FIM CM algorithm settings
Algorithm | Setting | Description |
---|---|---|
3DES | 1.2.840.113549.3.7[] | Specifies 3DES in the SMimeCapabilities extension. The object identifier is that of DES-EDE3-CBC. The empty square brackets indicate that no parameters are included. |
RC2 with a key length of 128 | 1.2.840.113549.3.2[0x02020080] | Specifies RC2 with a key length of 128. The object identifier is that of RC2-CBC. The parameter is the DER encoding of an ASN.1 INTEGER, written as a sequence of bytes in hexadecimal: 0x marks a hexadecimal value, 02 is the INTEGER tag, the next 02 is the length of the value in bytes, and 0080 is the value 128. The leading 00 byte is required because a first byte of 0x80 would be read as a negative number. |
Multiple algorithms | 1.2.840.113549.3.2[0x02020080]; 1.2.840.113549.3.4[0x02020080]; 1.3.14.3.2.7[]; 1.2.840.113549.3.7[] | Use semicolons to separate multiple algorithms. |
Restart the Active Directory Certificate Services (AD CS) service (certsvc) in order to implement these changes.
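The setting string is typed by hand, and a wrong byte in the DER parameter is not caught by the dialog. The following PowerShell script, added here as an example and not part of the FIM CM documentation, builds the "OID[0xHEX]" string from the table's algorithm names, encodes the key-length parameter as a DER INTEGER (including the leading 00 byte for values such as 128), decodes a setting back to check it, and reads the SMIMECapabilities extension from an issued certificate to confirm what the CA actually wrote. The four OIDs are the ones in the table above; the certificate path in the last function is an assumption.

```powershell
# Added example, not from the FIM CM documentation. The DER encoding below is
# standard ASN.1 and is not specific to FIM CM.

function ConvertTo-DerInteger {
    param([Parameter(Mandatory)][int]$Value)
    # DER INTEGER: tag 02, length, then big-endian two's-complement content.
    # If the first content byte has its top bit set (128 = 0x80), a leading
    # 00 byte is required, otherwise the value would decode as negative.
    if ($Value -lt 0) { throw 'Key lengths must be non-negative' }
    $content = [System.Collections.Generic.List[byte]]::new()
    $v = $Value
    do { $content.Insert(0, [byte]($v -band 0xFF)); $v = $v -shr 8 } while ($v -gt 0)
    if (($content[0] -band 0x80) -ne 0) { $content.Insert(0, [byte]0) }
    $der = @([byte]0x02, [byte]$content.Count) + $content.ToArray()
    return '0x' + (($der | ForEach-Object { $_.ToString('x2') }) -join '')
}

function ConvertFrom-DerInteger {
    param([Parameter(Mandatory)][string]$Hex)
    # Reverse check, so a typo such as 0x02020800 is caught before certsvc is
    # restarted with it: returns the integer encoded in "0x02....".
    $raw = $Hex -replace '^0x', ''
    $b = [byte[]]((0..($raw.Length / 2 - 1)) | ForEach-Object { [Convert]::ToByte($raw.Substring(2 * $_, 2), 16) })
    if ($b[0] -ne 0x02 -or $b[1] -ne ($b.Length - 2)) { throw "Not a single DER INTEGER: $Hex" }
    $n = 0
    foreach ($x in $b[2..($b.Length - 1)]) { $n = ($n -shl 8) -bor $x }
    return $n
}

# Algorithms from the table above. Only RC2 and RC4 take a key-length parameter.
$CmAlgorithms = [ordered]@{
    'RC2-CBC'      = '1.2.840.113549.3.2'
    'RC4'          = '1.2.840.113549.3.4'
    'DES-CBC'      = '1.3.14.3.2.7'
    'DES-EDE3-CBC' = '1.2.840.113549.3.7'
}

function New-SmimeCapabilitiesSetting {
    param(
        [Parameter(Mandatory)][string[]]$Include,   # names from $CmAlgorithms to advertise
        [hashtable]$KeyLength = @{}                 # optional name -> key length in bits
    )
    $parts = foreach ($name in $Include) {
        if (-not $CmAlgorithms.Contains($name)) { throw "Unknown algorithm: $name" }
        $param = if ($KeyLength.ContainsKey($name)) { ConvertTo-DerInteger -Value $KeyLength[$name] } else { '' }
        '{0}[{1}]' -f $CmAlgorithms[$name], $param
    }
    # Semicolons separate multiple algorithms, as in the "Multiple algorithms" row.
    return ($parts -join '; ')
}

function Get-IssuedSmimeCapabilities {
    param([Parameter(Mandatory)][string]$CertPath)
    # After the CA restart, read the SMIMECapabilities extension
    # (OID 1.2.840.113549.1.9.15) from a certificate issued with the filtered
    # template to confirm the CA wrote what was configured. $CertPath is assumed.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.2.840.113549.1.9.15' }
    if (-not $ext) { return 'No SMIMECapabilities extension present' }
    return $ext.Format($true)
}

# Minimal setting: advertise 3DES only and leave out RC2, RC4 and single DES,
# which a practitioner would normally treat as weak.
New-SmimeCapabilitiesSetting -Include 'DES-EDE3-CBC'

# Same content as the "Multiple algorithms" row of the table above.
$all = New-SmimeCapabilitiesSetting -Include 'RC2-CBC', 'RC4', 'DES-CBC', 'DES-EDE3-CBC' -KeyLength @{ 'RC2-CBC' = 128; 'RC4' = 128 }
$all

# Round-trip the RC2 parameter from the table.
ConvertFrom-DerInteger -Hex '0x02020080'
```

The first call reproduces the "3DES" row of the table and the second reproduces the "Multiple algorithms" row, so the output can be pasted into the S/MIME Capabilities dialog as-is. Paste the resulting string, restart certsvc, enroll a test user with the filtered template, and run Get-IssuedSmimeCapabilities against the exported certificate before rolling the template out.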
Configure the Subject policy module
You can use the Subject policy module to insert a custom subject into a certificate.
To configure the Subject policy module
In the Custom Module Properties dialog box, in Filter, select the certificate template to configure.
In Provider, click Configure.
In the Certificate Subject Name dialog box, type the information that you want to include in the certificate subject. For example, cn={User!GivenName} {User!SurName}, cn={Clm!CostCenter},o=Contoso,c=US. The certificate of a user account with a GivenName of Britta, a SurName of Simon, and a CostCenter of 17195 displays the following subject name:
cn=Britta Simon
cn=17195
o=Contoso
c=US
See the following table for a description of the supported tags.
You must use specific tags to dynamically build a certificate subject from the Active Directory Domain Services (AD DS) user attributes and from the FIM CM registration data. The following table shows these tags.
Subject policy module certificate subject tags
Tag | Description |
---|---|
{User!ActiveDirectoryAttribute} | Inserts the value of an attribute of the user object in AD DS, such as {User!GivenName}. |
{Clm!DataCollectionItem} | Inserts the value of a FIM CM data collection item from the profile template. For example, if you collect DepartmentID and CostCenter in the profile template and want them displayed, use {Clm!DepartmentID} and {Clm!CostCenter}. |
Additional object identifiers | FIM CM honors all of the properties set forth in Name Properties. |
Note
- For more information on determining the Active Directory attributes available for a User object, see User Class (https://go.microsoft.com/fwlink/?LinkId=206280) and ADSI Edit (adsiedit.msc) (https://go.microsoft.com/fwlink/?LinkId=206262).
- For more information, see Managing Subject Relative Distinguished Names in the Certificate Subject (https://go.microsoft.com/fwlink/?LinkId=206190) and Name Properties (https://go.microsoft.com/fwlink/?LinkID=206279).
Restart the AD CS service (certsvc) in order to implement these changes.
Configure the Subject Alternative Name policy module
You can use the Subject Alternative Name policy module to populate custom subject alternative names for certificates.
To configure the Subject Alternative Name policy module
In the Custom Module Properties dialog box, in Provider, click Configure.
In the Certificate SubjectAltName Configuration dialog box, click Add.
In the SubjectAltName Add Entry dialog box, in Type, select a type.
The following table shows the types that you can select.
Possible SubjectAltName types
SubjectAltName type | Description |
---|---|
RFC822Mailbox | Formats the value as an e-mail address. |
DNSName | Formats the value as a DNS name. |
OtherName | Enables you to specify the subject alternative name by an object identifier (OID). |
In Value, select a format, type information in the Value Template box, and then click OK.
In the Certificate SubjectAltName Configuration dialog box, click OK.
In the Custom Module Properties dialog box, in Filter, select a certificate template to apply the policy module to, and then click OK.
Note
The SubjectAltName Add Entry dialog box has two sections. One section specifies the type of subject alternative name, and the other section identifies the value that appears in the certificate.
Important
For the OtherName type, you must provide the object identifier, because it is encoded in the certificate together with the value.
You must specify a value for each SubjectAltName type. The following table shows the value formats that FIM CM supports.
SubjectAltName type value formats
Format | Description |
---|---|
UTF8String | Stores data that can contain Unicode characters, such as a name with accented letters. |
IA5String | Stores 7-bit ASCII characters only. RFC 5280 defines the rfc822Name and dNSName choices of the SubjectAltName extension as IA5String, so use this format for e-mail addresses and DNS names unless the consuming application requires otherwise. |
You must enter information in the Value Template box to associate the data with the value of SubjectAltName in the certificate for the user. You can obtain these values from AD DS or from the FIM CM database.
Use the following format for the information in the Value Template box: {User!ActiveDirectoryAttribute}. ActiveDirectoryAttribute is the name of the attribute in AD DS whose value is inserted. The following table contains sample values.
Sample values
Tag | Description |
---|---|
{User!mail} | Returns the value of the mail attribute of the user for whom the certificate is being issued. |
{Clm!DataCollectionItem} | Returns a data collection item from the FIM CM data. For example, {Clm!CostCenter} returns the CostCenter item collected by the profile template. |
Restart the AD CS service (certsvc) in order to implement these changes.
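Both the Subject policy module (previous section) and the Subject Alternative Name policy module (this section) use the same {User!...} and {Clm!...} tags, and both insert attribute values straight into a name that is parsed by the CA. The following PowerShell script, added here as an example and not part of the FIM CM documentation, expands such a template and checks the result: for the subject, it parses the DN with the .NET X500DistinguishedName class and verifies that the number of relative distinguished names matches the template, so a value containing a comma cannot silently add or break an RDN; for a SubjectAltName entry, it checks that the value fits the chosen string format and type, and that an OtherName carries an OID. The user attributes and data collection items are constructed sample data; in production they come from AD DS (for example, Get-ADUser -Properties GivenName,Surname,mail) and from the profile template. How FIM CM itself escapes values is not stated on this page, so the check is on the data before it reaches the module.

```powershell
# Added example, not from the FIM CM documentation. Sample data is constructed.
$Users = @(
    # The user from the documentation's subject example.
    @{ User = @{ GivenName = 'Britta'; SurName = 'Simon';      mail = 'britta@contoso.com' }; Clm = @{ CostCenter = '17195' } },
    # A surname containing a comma, which starts a new RDN if inserted unescaped.
    @{ User = @{ GivenName = 'Ann';    SurName = 'Smith, Jr.'; mail = 'ann@contoso.com' };    Clm = @{ CostCenter = '200' } }
)

function Expand-CmTemplate {
    param([Parameter(Mandatory)][string]$Template, [Parameter(Mandatory)][hashtable]$Data)
    # Replace every {User!Name} or {Clm!Name} with its value. A tag without a
    # value is an error rather than an empty string, so a misspelled attribute
    # name is noticed before certificates are issued with empty fields.
    $out = $Template
    foreach ($m in [regex]::Matches($Template, '\{(User|Clm)!([A-Za-z0-9]+)\}')) {
        $src = $m.Groups[1].Value; $key = $m.Groups[2].Value
        if (-not $Data[$src].ContainsKey($key)) { throw "No value for {$src!$key}" }
        $out = $out.Replace($m.Value, [string]$Data[$src][$key])
    }
    return $out
}

function ConvertTo-CmSubject {
    param([Parameter(Mandatory)][string]$Template, [Parameter(Mandatory)][hashtable]$Data)
    # Build the DN one RDN at a time, so that an expanded value containing a
    # separator is quoted as a whole (X.500 string form: enclose in double
    # quotes, double any embedded quote) and cannot become an extra RDN.
    $rdns = foreach ($rdn in $Template -split ',') {
        $type, $valueTemplate = $rdn.Trim() -split '=', 2
        $val = Expand-CmTemplate -Template $valueTemplate -Data $Data
        if ($val -match '[,+"<>;=\\]' -or $val -match '^[ #]' -or $val -match ' $') {
            $val = '"' + ($val -replace '"', '""') + '"'
        }
        '{0}={1}' -f $type, $val
    }
    return ($rdns -join ',')
}

function Test-CmSubject {
    param([Parameter(Mandatory)][string]$Template, [Parameter(Mandatory)][hashtable]$Data)
    # Parse the subject as the CA would and compare the RDN count with the
    # template. A mismatch or a parse failure means a value changed the DN shape.
    $expected = ($Template -split ',').Count
    $candidates = @{ Raw = (Expand-CmTemplate -Template $Template -Data $Data); Quoted = (ConvertTo-CmSubject -Template $Template -Data $Data) }
    foreach ($kind in 'Raw', 'Quoted') {
        $dn = $candidates[$kind]
        try {
            $x500 = [System.Security.Cryptography.X509Certificates.X500DistinguishedName]::new($dn)
            $rdns = @($x500.Format($true) -split "`r?`n" | Where-Object { $_ }).Count
            [pscustomobject]@{ Form = $kind; Subject = $dn; Rdns = $rdns; Ok = ($rdns -eq $expected); Error = '' }
        } catch {
            [pscustomobject]@{ Form = $kind; Subject = $dn; Rdns = $null; Ok = $false; Error = $_.Exception.Message }
        }
    }
}

function Test-CmSanEntry {
    param(
        [Parameter(Mandatory)][ValidateSet('RFC822Mailbox', 'DNSName', 'OtherName')][string]$Type,
        [Parameter(Mandatory)][ValidateSet('IA5String', 'UTF8String')][string]$Format,
        [Parameter(Mandatory)][string]$ValueTemplate,
        [string]$Oid = '',
        [Parameter(Mandatory)][hashtable]$Data
    )
    # Check one SubjectAltName entry: the value must fit the chosen string
    # format and type, and OtherName must carry an object identifier.
    $val = Expand-CmTemplate -Template $ValueTemplate -Data $Data
    $problems = @()
    if ($Format -eq 'IA5String' -and $val -match '[^\x00-\x7F]') { $problems += 'IA5String cannot hold non-ASCII characters' }
    switch ($Type) {
        'RFC822Mailbox' { try { [void][System.Net.Mail.MailAddress]::new($val) } catch { $problems += "not an e-mail address: $val" } }
        'DNSName'       { if ([System.Uri]::CheckHostName($val) -ne [System.UriHostNameType]::Dns) { $problems += "not a DNS name: $val" } }
        'OtherName'     { if ($Oid -notmatch '^\d+(\.\d+)+$') { $problems += 'OtherName requires an object identifier' } }
    }
    [pscustomobject]@{ Type = $Type; Format = $Format; Value = $val; Oid = $Oid; Ok = ($problems.Count -eq 0); Problems = ($problems -join '; ') }
}

# Subject template from the Subject policy module section.
$SubjectTemplate = 'cn={User!GivenName} {User!SurName}, cn={Clm!CostCenter},o=Contoso,c=US'
foreach ($u in $Users) {
    Test-CmSubject -Template $SubjectTemplate -Data $u | Format-Table -AutoSize
    Test-CmSanEntry -Type RFC822Mailbox -Format IA5String -ValueTemplate '{User!mail}' -Data $u
}
# An OtherName entry without an OID is reported, as the Important note above requires.
Test-CmSanEntry -Type OtherName -Format UTF8String -ValueTemplate '{User!mail}' -Data $Users[0]
```

For Britta Simon both subject forms parse to four RDNs; for the constructed second user the raw form does not yield a four-RDN subject, while the quoted form does. Run the subject check over the real user population (for example, the output of Get-ADUser piped into the same hashtable shape) before enabling the Subject policy module, and treat every user flagged as not Ok as a data-cleanup item rather than a template change.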
Configure the non-FIM CM Request policy module
The non-FIM CM Request policy module registers certificates that are issued outside FIM CM, for example through auto-enrollment or the Certificates MMC snap-in, in the FIM CM database so that you can manage them from the FIM CM Portal.
To configure the non-FIM CM Request policy module
In the Custom Module Properties dialog box, in Provider, click Configure.
In the AutoEnroll Plugin Configuration dialog box, in Database Information, type the connection string for the FIM CM database. Where possible, use Windows integrated authentication for this connection rather than a SQL login and password embedded in the string.
In Profile Template, select the profile template to be assigned to non-FIM CM requests from the list.
In Active Certificates, specify the maximum number of certificates, and then click OK.
In the Custom Module Properties dialog box, in Filter, select a certificate template to apply the policy module to, and then click OK.
Restart the AD CS service (certsvc) in order to implement these changes.
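The connection string entered in the dialog above is stored with the CA configuration and used by certsvc for every non-FIM CM request. The following PowerShell script, added here as an example and not part of the FIM CM documentation, composes a connection string that uses Windows integrated authentication and TLS, flags the weak patterns (SQL login with an embedded password, unencrypted transport, unverified server certificate) in a string that was typed by hand, and offers a connectivity check to run as the CA's identity. The server name is an assumption, and FIMCertificateManagement is used as a placeholder database name. It assumes the System.Data.SqlClient types are available, as they are in Windows PowerShell 5.1.

```powershell
# Added example, not from the FIM CM documentation. Server and database names
# are assumptions.
Add-Type -AssemblyName System.Data

function New-CmDbConnectionString {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$Database
    )
    # Integrated authentication: certsvc connects as the identity it runs as,
    # so no SQL password is stored in the CA configuration.
    $b = [System.Data.SqlClient.SqlConnectionStringBuilder]::new()
    $b.DataSource             = $Server
    $b.InitialCatalog         = $Database
    $b.IntegratedSecurity     = $true
    $b.Encrypt                = $true     # TLS to SQL Server
    $b.TrustServerCertificate = $false    # verify the SQL Server certificate
    return $b.ConnectionString
}

function Test-CmDbConnectionString {
    param([Parameter(Mandatory)][string]$ConnectionString)
    # Parse a hand-typed string and report the settings a reviewer would reject.
    $b = [System.Data.SqlClient.SqlConnectionStringBuilder]::new($ConnectionString)
    $findings = @()
    if (-not $b.IntegratedSecurity) { $findings += 'SQL authentication: a login is stored with the CA configuration' }
    if ($b.Password)                { $findings += 'password present in clear text' }
    if (-not $b.Encrypt)            { $findings += 'Encrypt=False: traffic to SQL Server is not protected' }
    if ($b.TrustServerCertificate)  { $findings += 'TrustServerCertificate=True: server identity is not verified' }
    [pscustomobject]@{
        DataSource = $b.DataSource
        Database   = $b.InitialCatalog
        Ok         = ($findings.Count -eq 0)
        Findings   = ($findings -join '; ')
    }
}

function Test-CmDbConnectivity {
    param([Parameter(Mandatory)][string]$ConnectionString)
    # Opens and closes a connection as the current identity. Run it on the CA
    # under the account certsvc uses (the CA computer account when the service
    # runs as Local System against a remote SQL Server), because that is the
    # identity the policy module connects with under integrated security.
    $conn = [System.Data.SqlClient.SqlConnection]::new($ConnectionString)
    try { $conn.Open(); return $true }
    catch { Write-Warning $_.Exception.Message; return $false }
    finally { $conn.Dispose() }
}

# Weak form (constructed): SQL login with an embedded password and no TLS.
Test-CmDbConnectionString 'Server=SQL01;Database=FIMCertificateManagement;User ID=clmsvc;Password=P@ssw0rd;Encrypt=False'

# Hardened form produced by the helper, then checked with the same function.
$good = New-CmDbConnectionString -Server 'SQL01.contoso.com' -Database 'FIMCertificateManagement'
$good
Test-CmDbConnectionString $good
```

With integrated security, the identity that certsvc runs as must have a login on the SQL Server and the permissions the FIM CM database requires; grant those before restarting certsvc, otherwise the first non-FIM CM request fails with a database error rather than being registered.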