A customer wants to automatically revoke all certificates issued to a specific user when he/she quits. Seems like a logical thing to do.
The process of terminating a user is an existing FIM workflow. They have FIM CM for certain types of certificates.
My guess is that the termination workflow in FIM needs to include a request by/to the FIM CM Management Agent to ask the FIM CM to revoke all certificates issued to the AD user account that is being terminated.
Is this hard to accomplish? Can someone give me some basic steps on how this is accomplished? Unfortunately I'm not very familiar with how FIM and MAs work. Yet.
Another question: Can the FIM CM MA only revoke certificates that were issued via the FIM CM Portal? Or can it also revoke certificates that FIM CM is not aware of (such as autoenrolled) or do I need to use the Support for non-FIM CM certificate requests policy module on the CA for this to work?
Tom Aafloen, IT-security Consultant Onevinn AB
Using the FIM Sync Engine's classical (de)provisioning methods you can create a FIM CM Retire request in the FIM CM Portal within the deprovisioning cycle (for sample code look
However, you cannot execute the request automatically with the FIM CM Management Agent. Additionally, I remember some other strange behavior in the past (see this
To completely automate the auto-revoke process you should instead use FIM CM's Provisioning API. One of many possible ways could be:
- When an AD user is deleted, write this event to an operational text file
- Have a service in place that frequently parses the text file
- Use FIM CM's Provisioning API createRequest and Retire methods (be aware this method only works with smartcard certificates) to revoke the certificates.