CLM: Saving more than one certificate to one smart card

    Question

  • Hi

     

    We have CLM in production for distribution of smart cards to our users. It works fine although we don't use the self-service options; we have a central certificate management in place!

    However, when it comes to our administrators, some of them have multiple identities, for example:

    • one user account
    • one client admin account
    • one server admin account
    • one domain admin account!

    I don't want to have them handle 4 different smart cards; instead I want to save all certificates to one smart card so that they choose which certificate/identity to use when needed! It works if I first assign them the user certificate and smart card via CLM, and after that I can save the admin certificates/identities to the same smart card via the CA web interface.

    I wonder if it can be done from the CLM interface instead?

     

    Regards

     

    Ulf Grahn

    Sveriges riksbank

    Stockholm

    Sweden 

    Friday, September 26, 2008 11:36 AM

Answers

  • This is a bit of a problem with CLM currently. When I delivered the CLM course in Germany I figured out kind of a kludgy way to do this:

     

    1. Pick one or more unused attributes in AD and populate them with the required SAN value.

    2. Create a normal smart card profile template and then an additional one for each additional certificate.

    3. Use the custom SAN policy module for each of the additional templates and pick up the required SAN value from the AD attribute.

     

    Kind of kludgy but it does work, and if you're using MIIS you could automate the population of the required attributes.

     

     

    Friday, September 26, 2008 2:50 PM
  • Just to add to Paul's answer.

    In CLM today:

    1) You can only link a smart card profile to a single identity.

    2) You can only link a single profile template to a smart card

    So when you are implementing Paul's suggestion, you would be adding one or more certificate templates to the profile template object. We would recommend tying the profile template to the user's day-to-day account.

    Brian

    Saturday, September 27, 2008 8:55 PM
  • Spruce Stockholm wrote:

    Hi Paul!

    Thanks for your answer, but I do need some more advice in this matter.

    1. Are you meaning that I should populate some unused attributes on the AD object of the "day to day" account, as Brian said, with the usernames of the administrator accounts of that user?

    2. How can I use the smart card policy templates, if there is more than one? As Brian states in his addendum to your answer, "2) You can only link a single profile template to a smart card"?

    3. Have I understood this correctly if I get a certificate with the subject name of my "day to day" user with SAN values attached of the user's admin account?

    Hi Ulf,
    Sorry for the confusion, I was really tired when I posted my response and it wasn't very clear.

    1. Yes, that's what I mean, and if there is some relationship between the account names it makes it easier.

    2. Yeah, I misspoke. You need one profile template with multiple certificate templates. For each of the certificates where you're getting the SAN from an AD attribute, then you would use the SAN custom policy module to construct the SAN.

    3. I don't know if multiple SANs in the same certificate will work. I've only done this with a single SAN.
    Monday, September 29, 2008 10:06 AM

All replies

  • Hi Paul!

     

    Thanks for your answer, but I do need some more advice in this matter.

    1. Are you meaning that I should populate some unused attributes on the AD object of the "day to day" account, as Brian said, with the usernames of the administrator accounts of that user?

    2. How can I use the smart card policy templates, if there is more than one? As Brian states in his addendum to your answer, "2) You can only link a single profile template to a smart card"?

    3. Have I understood this correctly if I get a certificate with the subject name of my "day to day" user with SAN values attached of the user's admin account?

     

    Regards

     

    Ulf Grahn

    Sveriges riksbank

    Stockholm

    Sweden 

     

     

     

    Monday, September 29, 2008 7:18 AM
  • Hi again!

     

    Now I started to play about with the SAN policy module, and the question marks really start to gather above my head!

    I don't really get how I'm supposed to map the SAN (email, DNS or other???) to the User object in AD? And then how am I supposed to get all this to actually put 2-4 different certificates on the smart card, one for my everyday user and 2-4 for my admin accounts!

    Regarding the user object, I'm planning on using extended attribute 2-4, but what shall I put in there? The mail address of the admin accounts or the SAM account name?

    I looked for some detailed documentation on how to configure the SAN module in CLM but I struck a blank on that!

    So still confused!

    1: How do I configure the SAN module to map to a user attribute in AD?

    2: How do I map this into the CLM policy?

     

    Regards

     

    Ulf Grahn

    Sveriges riksbank

    Stockholm

    Sweden 

     

     

     

    Tuesday, September 30, 2008 11:37 AM
  • Let's take the simple case. You want a smart card for two user accounts:

    user@example.com  (normal account)

    a-user@example.com  (Administrator account)

     

    For the second certificate (the one for the administrator account), you would define the SAN module to create a custom UPN (the UPN allows you to map to the AD account implicitly (kind of explicitly)). The SAN in this certificate will match the UPN of the administrator account.

     

    You could use this definition in the SAN module:

    a-{User!sAMAccountname}@example.com

     

    If the account's UPN was very different, for example bob@fabrikam.com

    Then, you may consider putting this value into an attribute in AD.

    I am just paraphrasing here, as I am on the way out the door, but you could put the value bob@fabrikam.com into
    ms-exch-attribute-12

     

    In this case, you could define in the SAN module

    {User!ms-exch-attribute-12}

     

    The value would be going into the attribute for user@example.com (the primary user account)

    HTH

    Brian

     

    Tuesday, September 30, 2008 11:53 AM
  • Spruce Stockholm wrote:

    Hi again!

    Now I started to play about with the SAN policy module, and the question marks really start to gather above my head!

    I don't really get how I'm supposed to map the SAN (email, DNS or other???) to the User object in AD? And then how am I supposed to get all this to actually put 2-4 different certificates on the smart card, one for my everyday user and 2-4 for my admin accounts!

    Regarding the user object, I'm planning on using extended attribute 2-4, but what shall I put in there? The mail address of the admin accounts or the SAM account name?

    I looked for some detailed documentation on how to configure the SAN module in CLM but I struck a blank on that!

    So still confused!

    1: How do I configure the SAN module to map to a user attribute in AD?

    2: How do I map this into the CLM policy?

    Hi Ulf,

    Brian's response was as confusing as my first response was so I'll answer again. :-)

    Here's what you'll need to do:

    1. For the certificate that matches the account name being used to request the certificates you don't need to do anything special.
    2. For each additional certificate you need to:
    a. Add the UPN of the required account to an unused attribute of the account used in step 1. Note that each of these attributes needs to be different. For example if you need 3 additional certificates then you need to use 3 unique attributes.
    b. Create a certificate template for each additional certificate required. Add each new certificate template to the profile template.
    c. Configure a custom SAN policy module for each additional certificate required, associate them with the profile template. Each custom SAN policy module also needs to be configured for one of the extra certificate templates.
    d. Each custom SAN policy module needs to be configured to create the correct SAN in the certificate. So let's say you were using 3 custom SAN policy modules and 3 custom attributes named Custom-1 through Custom-3. You'd need to configure each SAN policy module as follows:

    SAN value - {User!Custom-1}@domain.com
    SAN value - {User!Custom-2}@domain.com
    SAN value - {User!Custom-3}@domain.com

    Now, when a card is requested against the profile template the following will happen:

    1. A normal certificate will be issued using the subscriber's normal UPN in the SAN.
    2. 3 additional certificates will be issued with the SAN value being built from the contents of the Custom-1 through Custom-3 attributes in AD.

    Hope this makes more sense.

    Paul
    Tuesday, September 30, 2008 12:55 PM
  • Hi again

     

    Really, thanks for the response!

    I have not been able to test this yet but I have some additional questions!

    If we take me and my colleague as an example:

    I have 3 different accounts.

    He has 2.

    Mine:

    uffegra@riksbank.se

    ugadmin@riksbank.se

    ugadmin2@riksbank.se

    His:

    ***@riksbank.se

    dickadmin@riksbank.se

    I set up the profile with one standard smart card logon template including S/MIME for the day-to-day account.

    1. Set up one smart card logon template for the admin account connected to

    SAN value - {User!Extendedatribute2} (the value in Extatrib2 for me is [ugadmin@riksbank.se]), assigned to the CLM profile template for the day-to-day user.

    2. Repeat this for the second admin account!

    Leaves me with 1 CLM policy template with 3 certificate templates associated with it!

    I assign a smart card to myself with this policy template.

    Result is 1 smart card with 3 certificates on it! Yes?

    I then assign one for ***!

    He has only one of the extended attributes on his user account populated, as he only has 2 accounts.

    What will now happen? Will I get a smart card with 2 or 3 certificates on it? One with SAN {null}?? Or will CLM discard the template when it has no value in the attribute on the user object?

    Might be a strange question, but as I have S/MIME and file encryption on the ordinary user certificate, I can get into a lot of trouble if I have to switch the policy template used for a user if he gets a new admin account, that is a new role in the organisation, or loses a role with the same result!

     

    Regards

     

    Uffe

     

    Thursday, October 02, 2008 1:31 PM
  • In your environment, I would probably recommend either:

    - Separate smart cards for each account

    - One profile template with two certificates included (one for brian@risbank.se and one for brianadmin@risbank.se) and another profile template (separate smart card) for the few people who need one for a 2nd administrator account.

     

    You can do things like skipping a SAN if the attribute is not filled in, but you do not want to issue a smart card certificate if the UPN is blank. Would potentially cause real issues there.

     

    Brian

     

    Friday, October 03, 2008 2:13 AM
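The following is an added illustration, not code from the thread, from CLM, or from any of the posters. It models the procedure Paul lays out (one profile template carrying several certificate templates, each with its own `{User!attribute}` SAN definition resolved from the requesting account's AD attributes) and the failure mode Brian raises in the last reply (an empty attribute must lead to that certificate being skipped, never to a smart card certificate with a blank UPN). The directory, account names, attribute name `Custom-2` and template names are all constructed for the example; the check that a resolved SAN names an existing account is added here as a sanity check and is not something the thread says CLM does.

```python
import re

# Constructed sample directory (not real accounts): UPN -> attributes.
# Each day-to-day account stores the UPN of a further admin account in an
# otherwise unused attribute, as Paul's step 2a describes. "Custom-2" is the
# attribute name Paul used as an example. The admin accounts themselves are
# listed so the sanity check below can confirm a resolved SAN exists.
DIRECTORY = {
    "user@example.com":   {"sAMAccountName": "user",  "Custom-2": "s-user@example.com"},
    "a-user@example.com": {"sAMAccountName": "a-user"},
    "s-user@example.com": {"sAMAccountName": "s-user"},
    "bob@example.com":    {"sAMAccountName": "bob",   "Custom-2": ""},  # only one admin account
    "a-bob@example.com":  {"sAMAccountName": "a-bob"},
}

# One profile template with several certificate templates (Paul's steps 2b-2c).
# Each carries a SAN definition in the "{User!attribute}" form quoted in the
# thread: the first admin certificate derives its UPN from the requester's
# sAMAccountName (Brian's "a-{User!sAMAccountname}@example.com" pattern), the
# second reads a complete UPN out of an attribute (his "{User!ms-exch-attribute-12}"
# pattern, with the constructed attribute name Custom-2).
PROFILE_TEMPLATE = [
    {"name": "SmartcardLogon",        "san": "{User!userPrincipalName}"},
    {"name": "SmartcardLogon-Admin1", "san": "a-{User!sAMAccountName}@example.com"},
    {"name": "SmartcardLogon-Admin2", "san": "{User!Custom-2}"},
]

PLACEHOLDER = re.compile(r"\{User!([^}]+)\}")


def resolve_san(definition, attrs):
    """Expand every {User!attr} placeholder in definition from attrs.

    Returns None when any referenced attribute is missing or empty, so the
    caller skips that certificate instead of issuing one whose UPN is blank
    (the situation Brian warns about)."""
    missing = []

    def expand(match):
        value = attrs.get(match.group(1), "")
        if not value:
            missing.append(match.group(1))
        return value

    resolved = PLACEHOLDER.sub(expand, definition)
    return None if missing else resolved


def plan_card(requester_upn, directory, profile):
    """Return (issued, skipped): the (template name, SAN) pairs that would go
    onto one card for requester_upn, and the template names skipped because
    the attribute they depend on is not populated."""
    attrs = dict(directory[requester_upn], userPrincipalName=requester_upn)
    issued, skipped = [], []
    for tmpl in profile:
        san = resolve_san(tmpl["san"], attrs)
        if san is None:
            skipped.append(tmpl["name"])
            continue
        # Added sanity check (not CLM behaviour): a smart card logon SAN must
        # name an account that exists, otherwise a typo in the attribute
        # yields a certificate for a non-existent or unintended principal.
        if san not in directory:
            raise ValueError(f"{tmpl['name']}: SAN {san!r} matches no account")
        issued.append((tmpl["name"], san))
    return issued, skipped


if __name__ == "__main__":
    for upn in ("user@example.com", "bob@example.com"):
        issued, skipped = plan_card(upn, DIRECTORY, PROFILE_TEMPLATE)
        print(upn, "->", issued, "skipped:", skipped)
```

Run as-is, the first account gets three certificates and the second gets two, with `SmartcardLogon-Admin2` reported as skipped rather than issued with an empty SAN; populating an attribute with a UPN that matches no account raises instead of silently issuing.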