FIM 2010 R2 CM - Writing more than one smartcard logon certificate to one smartcard

  • Question

  • Hello!

    When a smartcard is issued and the certificate is written to it, and I then try to write another certificate to that card using FIM CM, I get an error that says the card is being used and cannot be reused (therefore it needs to be retired or formatted).

    I'm looking for a solution for writing multiple user certificates to the same card using FIM CM, and would like to know if it is at all possible.

    PS-

    Each certificate mentioned here will be issued from a FIM CM server located in a different domain. Meaning: the first certificate will be written using FIM CM in DomainA, the second one from another FIM CM installed in DomainB, etc.

    Thanks!

    Marom.


    --Marom

    Thursday, August 29, 2013 8:44 AM

Answers

  • This is not possible. A single smart card can only be managed by a single instance of FIM CM.

    • Marked as answer by MaromG Tuesday, September 10, 2013 1:18 PM
    Tuesday, September 10, 2013 1:15 PM

All replies

  • Hi Marom,

    I had hoped someone else would answer that. :-)

    I think that will not work because both FIM CMs will try to manage the card, e.g. by setting the admin key, but only the first FIM CM would know the diversified admin key; the second FIM CM would try to access the card with the default admin key and fail (and increment the failure counter by at least 1). By default, once the counter reaches 5 the card is blocked forever on the admin side.

    I think you will also see authentication errors (e.g. "RPC server not available") if you try to do cross-domain rollouts, but that also depends on how you define your card issuing process, renewal process, etc.

    Btw: What is the background of your question? What do you plan to achieve? 

    Regards,

    Lutz

    Friday, September 6, 2013 4:22 AM
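The failure mode Lutz describes, modelled as an added Python example (this is not FIM CM's code; the HMAC-based key diversification, the card serial and the master keys are constructed assumptions, the 5-failure admin block is the figure from his reply):

```python
import hashlib
import hmac

DEFAULT_ADMIN_KEY = bytes(24)  # constructed: factory-default admin key
MAX_ADMIN_FAILURES = 5         # the reply's figure: card blocks after 5 admin failures


class SmartCard:
    """Card-side admin-key state: current key, failure counter, permanent block flag."""
    def __init__(self, serial: bytes):
        self.serial, self.admin_key = serial, DEFAULT_ADMIN_KEY
        self.admin_failures, self.admin_blocked = 0, False

    def admin_auth(self, key: bytes) -> bool:
        if self.admin_blocked:
            return False
        if hmac.compare_digest(key, self.admin_key):
            self.admin_failures = 0
            return True
        self.admin_failures += 1  # every miss burns one retry
        self.admin_blocked = self.admin_failures >= MAX_ADMIN_FAILURES
        return False


class CmInstance:
    """One management authority (FIM CM-like) holding its own master key."""
    def __init__(self, master_key: bytes):
        self.master_key = master_key

    def card_key(self, card: SmartCard) -> bytes:
        # Assumption: per-card admin key diversified from the master key and card serial.
        return hmac.new(self.master_key, card.serial, hashlib.sha256).digest()[:24]

    def issue(self, card: SmartCard) -> bool:
        # Take over a factory-default card by replacing its default admin key.
        if not card.admin_auth(DEFAULT_ADMIN_KEY):
            return False
        card.admin_key = self.card_key(card)
        return True

    def write_certificate(self, card: SmartCard) -> bool:
        # Tries its own diversified key, then falls back to the default: each miss costs a retry.
        return any(card.admin_auth(k) for k in (self.card_key(card), DEFAULT_ADMIN_KEY))


def two_cm_scenario() -> dict:
    card = SmartCard(b"CONSTRUCTED-SERIAL-0001")  # card issued by CM A, then touched by CM B
    cm_a, cm_b = CmInstance(b"A" * 32), CmInstance(b"B" * 32)
    issued = cm_a.issue(card)
    b_attempts = [cm_b.write_certificate(card) for _ in range(3)]  # two misses per attempt
    return {"issued": issued, "b_attempts": b_attempts, "failures": card.admin_failures,
            "blocked": card.admin_blocked, "a_after": cm_a.write_certificate(card)}
```

After three attempts by the second CM the card is blocked on the admin side, and even the CM that issued it can no longer authenticate, which is why one card needs exactly one managing instance.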
  • Thanks, Paul!

    Do you know if there is a way of writing two certificates from the same FIM CM to a single smart card?


    --Marom

    Tuesday, September 10, 2013 1:41 PM
  • Yes, this is definitely possible but I'd need to know more about the type of certificates you need to write to the smart card and more about your AD configuration in order to fully answer your question.

    Tuesday, September 10, 2013 1:43 PM
  • Right now it seems as though we might try another approach, but if we reach a point at which we want to try the 2-certs-one-card thing, I will repost here and attach all of the relevant information.

    Thanks a lot! :)


    --Marom

    Tuesday, September 10, 2013 1:46 PM