FIM 2010 R2 SP1 and Certificate Management

  • Question

  • Hello.  I’ve been reading up on FIM as we’ve had this on our plate for implementation for a bit and it’s time to get it in production and off the list.  The main reason for using FIM is for the Certificate Management piece as we are currently supporting many certificates on a daily basis.  In researching the latest information, I am finding very little in regards to just the Certificate piece.  We currently use scripts to check and e-mail when certs are going to expire, but want this to be managed a bit better.  A hesitation is what I’ve seen about only 1 e-mail delivery when an item runs through the workflow, so that won’t work.  Other thoughts?  How many of you actually use FIM to manage certificates?  If you have used FIM but moved to another product, why?  Thanks for your feedback, it will help in designing this app to work properly to address our needs.  Thanks.

    Monday, November 25, 2013 6:11 PM

All replies

  • Do you want to manage certificates, or certs and smart cards?  And what are the tasks you want to automate using FIM for certificates? Depending on your needs, you can either use CM or think about using only FIM with its synchronization and service engine.

    I will just give you two examples where we have not used CM for cert related tasks, as there were no smart cards in the picture and deploying CM where FIM alone was enough was a bit too much:

    1) Customer was interested only in implementation of workflows related to certificate expiration. Main tasks to accomplish were:

    - get information on cert expiration and do some workflows around it

    - suspend certificates in the first de-provisioning stage and, if the user was re-activated, un-revoke them

    - revoke certs when the user is de-provisioned in the final stage.

    This was done only with some integration from the Synchronization engine, to actually implement communication with the CA, and the FIM Service, where all workflows were put.

    2) Customer has external users who need to access the customer's external-facing portal, and to do this they need to have a cert. Also some internal users need certs on request. We have implemented this using FIM service and workflows, where FIM requests a cert for the user as part of the workflow and delivers it as a PFX to the external user (the password goes over a second communication channel - SMS).

    When certs are close to their expiration date, FIM renews them and issues a new one to the user before the previous one expires.

    On user off-boarding, it revokes the certs for the given users.

    This was also done using FIM service and workflow capabilities. A simple case study is here: http://www.predica.pl/EN/Cases/Pages/Certificate-lifecycle-management.aspx

    On the other hand, if you have smart card scenarios, CM is probably the way to go - just do a PoC to check that your smart cards will be supported and that you can get them to work. Documentation is on TechNet; the rest is to get some details of the implementation in the given environment and with the given hardware.

    Tomek Onyszko, memberOf Predica FIM Team (http://www.predica.pl), IdAM knowledge provider @ http://blog.predica.pl

    Monday, November 25, 2013 8:50 PM
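The expiry, hold/un-hold and revoke decisions described in the reply above, as an added example in Python; this is not FIM's or Predica's code, and the user names, serials, the 30-day renewal window and the reminder thresholds are constructed assumptions:

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
class UserState(Enum):
    ACTIVE = "active"                # normal or re-activated user
    DEPROV_STAGE1 = "deprov-stage1"  # first de-provisioning stage: put certs on hold
    DEPROV_FINAL = "deprov-final"    # final de-provisioning stage: revoke certs

@dataclass
class CertRecord:
    user: str
    serial: str             # constructed serial, not a real CA value
    not_after: date
    on_hold: bool = False   # suspended (certificateHold); can still be un-revoked
    revoked: bool = False

RENEW_BEFORE = timedelta(days=30)  # assumed policy: renew 30 days before expiry
REMINDER_DAYS = (30, 14, 7, 1)     # assumed policy: mail at each threshold, not only once

def decide(cert: CertRecord, state: UserState, today: date) -> str:
    """Workflow action for one certificate of one user on one day."""
    if cert.revoked:
        return "none"          # revocation is final, nothing more to do
    if state is UserState.DEPROV_FINAL:
        return "revoke"
    if state is UserState.DEPROV_STAGE1:
        return "none" if cert.on_hold else "hold"
    if cert.on_hold:
        return "unhold"        # user is active again: lift the hold
    if today >= cert.not_after:
        return "expired"       # renewal window missed; needs a fresh issuance
    if cert.not_after - today <= RENEW_BEFORE:
        return "renew"
    return "none"
def reminder_due(cert: CertRecord, today: date) -> bool:
    """True at each threshold, so an expiring cert is mailed more than once."""
    return not cert.revoked and (cert.not_after - today).days in REMINDER_DAYS
def sweep(records, today):  # one daily run: (user, serial, action, reminder) per cert
    return [(c.user, c.serial, decide(c, s, today), reminder_due(c, today)) for c, s in records]
TODAY = date(2013, 11, 25)  # constructed run date (the thread's date)
RECORDS = [  # constructed (certificate, user lifecycle state) pairs
    (CertRecord("alice", "01", date(2014, 3, 1)), UserState.ACTIVE),
    (CertRecord("bob", "02", date(2013, 12, 9)), UserState.ACTIVE),
    (CertRecord("carol", "03", date(2014, 6, 30)), UserState.DEPROV_STAGE1),
    (CertRecord("dave", "04", date(2014, 6, 30), on_hold=True), UserState.ACTIVE),
    (CertRecord("erin", "05", date(2014, 6, 30)), UserState.DEPROV_FINAL),
    (CertRecord("frank", "06", date(2013, 11, 20)), UserState.ACTIVE),
]
```

Running `sweep(RECORDS, TODAY)` yields one tuple per certificate, so a scheduler can mail on every reminder day rather than once per workflow instance.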
  • Hello.  Thank you for your reply Tomasz.  At this point, Smart Cards are not a concern, but scenario #2 is a close match as we use Certs internally for things as well as have external customers that need certs to access specific resources.

    I will take a look further into the workflows you noted.  Thanks.

    Monday, November 25, 2013 9:11 PM
  • Though Tomasz responded and that is appreciated, looking for any other feedback or suggestions as we architect our layout for this solution with focus on Certificate Management.  Thanks.

    Monday, November 25, 2013 10:23 PM