Management of PKI, certificates and smartcards with Forefront Identity Manager 2010 (FIM CM)
• Fredrik “DXter” Jonsson, Steria – Blog: http://poweradmin.se
• Hasain Alshakarti, TrueSec – Blog: http://secadmins.com
• Göran Melvås, Cortego/Techta – Blog: N/A
Benefits of FIM CM
• Centralized Enrollment Agent (EA) and Key Recovery Agent (KRA)
• Improved overall process workflow
– New Card Enroll
– Lost Card Replace
– Card Retire
– Certificate Renewal
• Detailed auditing and reporting
• Support for extended self-service scenarios
• PIN unblocks with user’s credentials
• Integration with Active Directory and PKI
• Does not perform an “RFC-based” renewal – allows renewals after certificate expiration
Smart Cards, Readers, and Middleware
Smart Cards
• Custom built hybrid cards
• Photo ID
• Indala RFID cards for building access
• Gemalto smart card chip
– 128K .NET v2 cards (current standard)
– Legacy cards (all Base CSP cards)
Middleware
• Microsoft Base Smart Card Crypto Provider
• Mini-drivers specific to the actual cards used
Smart Card Readers
• Built-in readers in our laptops
• If no built-in reader:
– Omnikey
– Gemalto
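The middleware slide prefers cards that sit on the Microsoft Base Smart Card Crypto Provider through a card-specific mini-driver. The following PowerShell snippet is an added example (not part of the presentation and not a FIM CM tool): it reads the Calais smart card registrations on the local machine and reports, per card, which CSP it is bound to and whether a mini-driver DLL is registered. It assumes the standard registry layout under HKLM\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards and needs no extra modules.

```powershell
# Added example: enumerate smart cards registered with the Windows smart card
# subsystem and flag the Base CSP + mini-driver combination the slides prefer.
# Assumes the standard Calais registry layout (Microsoft documented value names).

$calais  = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards'
$baseCsp = 'Microsoft Base Smart Card Crypto Provider'

function Get-RegisteredSmartCard {
    Get-ChildItem -Path $calais | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath

        $csp        = $p.'Crypto Provider'                   # CSP the card is bound to
        $ksp        = $p.'Smart Card Key Storage Provider'   # CNG KSP, if any
        $minidriver = $p.'80000001'                          # mini-driver DLL, if any
        $atr        = if ($p.ATR) { ($p.ATR | ForEach-Object { $_.ToString('X2') }) -join '' } else { '' }

        [pscustomobject]@{
            Card       = $_.PSChildName
            ATR        = $atr
            CSP        = $csp
            KSP        = $ksp
            Minidriver = $minidriver
            # Base CSP with a mini-driver is the configuration the slides call preferred;
            # a card that only registers a legacy vendor CSP is the "limited support" case.
            BaseCspMinidriver = ($csp -eq $baseCsp -and -not [string]::IsNullOrEmpty($minidriver))
        }
    }
}

Get-RegisteredSmartCard | Sort-Object BaseCspMinidriver -Descending | Format-Table -AutoSize
```

Run it on a workstation with the card middleware installed; the BaseCspMinidriver column tells you at a glance which card types will enroll through FIM CM without a vendor-specific CSP.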
FIM 2010 CM Limitations
• FIM 2010 CM does not support multiple forests!
• Restrictions are only effective within Profile Templates; they are not FIM CM-wide!
• FIM CM has no support for V3 (Windows Server 2008 / CNG) certificate templates, including algorithms such as SHA-256 and Elliptic Curve Cryptography (ECC)
• No auto-enrollment support for computer certificates (supply request only)
• No native support for third-party operating systems or browsers
• Limited card and CSP support (Base CSP and mini-driver based cards preferred!)
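Because the V3/CNG template limitation is the one most likely to bite during a deployment, it helps to inventory the forest's certificate templates before building Profile Templates. The following PowerShell snippet is an added example (not from the presentation and not a FIM CM feature): it reads every pKICertificateTemplate object from the Configuration partition and flags templates with schema version 3 or higher, templates whose default providers are CNG Key Storage Providers, and templates whose msPKI-RA-Application-Policies attribute carries a CNG algorithm selection (this is where SHA-256 and ECC choices end up on V3 templates). It assumes a domain-joined machine with read access to the Configuration naming context and uses System.DirectoryServices, so no RSAT module is required.

```powershell
# Added example: inventory AD CS certificate templates and flag the ones that use
# V3 (Windows Server 2008) schema, CNG providers or CNG algorithm settings, which
# the slides say FIM CM 2010 cannot use. Assumes a domain-joined host.

function Get-TemplateCompatibility {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.configurationNamingContext
    $root     = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter   = '(objectClass=pKICertificateTemplate)'
    $searcher.PageSize = 500
    foreach ($attr in 'cn', 'msPKI-Template-Schema-Version', 'pKIDefaultCSPs', 'msPKI-RA-Application-Policies') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    foreach ($result in $searcher.FindAll()) {
        $r = $result.Properties   # property names come back lower-cased

        $schema = if ($r.Contains('mspki-template-schema-version')) { [int]$r['mspki-template-schema-version'][0] } else { 1 }
        $csps   = @($r['pkidefaultcsps'])          # e.g. "1,Microsoft Base Smart Card Crypto Provider"
        $raPol  = if ($r.Contains('mspki-ra-application-policies')) { [string]$r['mspki-ra-application-policies'][0] } else { '' }

        # V3 templates serialise algorithm choices as name`type`value triples in this attribute.
        $algo = if ($raPol -match 'msPKI-Asymmetric-Algorithm`PZPWSTR`([^`]+)') { $Matches[1] } else { 'RSA (legacy CSP)' }
        $hash = if ($raPol -match 'msPKI-Hash-Algorithm`PZPWSTR`([^`]+)')       { $Matches[1] } else { 'CA default' }

        $usesKsp = @($csps -match 'Key Storage Provider').Count -gt 0
        $usesCng = $usesKsp -or ($raPol -match 'msPKI-Asymmetric-Algorithm')

        [pscustomobject]@{
            Template      = [string]$r['cn'][0]
            SchemaVersion = $schema
            Algorithm     = $algo
            Hash          = $hash
            DefaultCSPs   = ($csps -join '; ')
            FimCmUsable   = ($schema -le 2 -and -not $usesCng)   # V1/V2, legacy CSP only
        }
    }
}

Get-TemplateCompatibility | Sort-Object FimCmUsable, Template | Format-Table -AutoSize
```

Templates reported with FimCmUsable = False need a V2 duplicate with a legacy CSP (for example the Base Smart Card CSP) before they can be referenced from a FIM CM Profile Template; the Algorithm and Hash columns show which CNG-only settings would be lost in that duplicate.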