Introducing Microsoft Certificate Lifecycle Manager

Strong user authentication is one of the most fundamental identity management services: It's a key building block for securing access to resources and for the safe exchange of identity data between organizations.

User authentication solutions that bundle multiple authentication factors (e.g., knowledge of a PIN or password, biometric data such as a fingerprint, possession of some device) make up the bulk of today's strong authentication market offerings. Popular examples of strong authentication solutions are smart cards and USB tokens.

If you've tried to deploy smart cards or USB tokens in a Microsoft public key infrastructure (PKI) environment, you know that Windows lacks advanced smart card and USB token deployment, management, and maintenance features. Now Microsoft is tackling this space with Certificate Lifecycle Manager (CLM), which can also add value for certificate management in Windows PKI deployments that don't use smart cards or USB tokens.

CLM's most important characteristics are its ability to ease the deployment and administration of certificates, smart cards, and USB tokens, and its flexibility. Let's look first at how CLM eases administration and what makes it such an adaptable tool. Then I'll explain the CLM components and architecture.

Origin and Competition
CLM is Microsoft's rebranded and revamped version of idNexus, a product the company obtained through the acquisition of Alacris in 2005. At the time of writing, CLM Beta 1 was available for download and Microsoft was considering making CLM available as a Microsoft System Center software offering—Microsoft wasn't intending to include the CLM code in Windows Server distributions (unlike the Windows PKI services) or to bundle it with the company's main identity management solution, Microsoft Identity Integration Server (MIIS).

Deploying CLM is relatively straightforward: The CLM installation program comes with a wizard that automatically configures the main CLM components.

Examples of competing products that offer similar functionality are Intercede's MyID Corporate (http://www.intercede.co.uk), Athena Smartcard Solutions' AthenaCard Management System (CMS— http://www.athena-scs.com), the Aladdin Token Management System (TMS—http://www.aladdin.com), and the SafeNet Card Management System (CMS— http://www.safenet-inc.com).

Easy Administration
CLM offers a single point of administration for certificate, smart card, and USB token management. From the CLM Web-based management interface (shown in Figure 1), you can manage the lifecycle of the certificates and smart cards of users defined in your Active Directory (AD).

In Windows PKI environments that don't have CLM deployed, you must use multiple Microsoft Management Console (MMC) snap-ins and command-line tools to get the same administrative jobs done. For example, without CLM, to define certificate properties, you must use the MMC Certificate Templates snap-in, but to approve or deny user certificate requests, you would use the MMC Certification Authority snap-in or the certutil.exe command-line tool.

With CLM, you can enroll users for certificates or a smart card, approve or deny certificate requests, revoke certificates, unblock smart cards, define certificate properties, and generate reports related to the use of certificates and smart cards—all from a single interface.

The CLM management interface also provides a unified tool for interfacing with multiple Windows Certificate Authorities (CAs). You can use the CLM interface to send certificate issuance and revocation requests to different Windows CAs in your environment.

Another feature that PKI administrators will appreciate is CLM's powerful reporting capabilities, which let you easily generate detailed reports of the certificate and smart card use in your AD environment. Figure 2, shows a sample CLM report that gives a CLM request type breakdown for a selected time period.

Besides the management Web interface, CLM includes a Web interface that lets users manage their personal certificate and smart card details. From this interface, users can request certificates, permanent smart cards, and temporary smart cards; view their certificates and smart card details; and change their smart card's PIN.

Flexibility
CLM is a flexible certificate and smart card management tool for the enterprise. You can easily customize CLM's logic to fit your organization's certificate and smart card management needs, and you can do most of the customizations from the CLM management interface—no or very little custom coding is required. Organizations that want to hide certain features from the CLM interface or include corporate branding on the CLM Web pages might need to make some small adjustments in CLM's Web interface and associated logic.

A good example of CLM's flexibility is the ease with which you can adapt the CLM logic to support either a centralized or decentralized model for the issuance of smart cards and USB tokens. In the centralized model, an administrator provisions the smart card or token and sends it to the user, who unblocks it and then uses it. In the decentralized model, the administrator just sends the smart card to the user, who then provisions it.

CLM also contains a significant amount of logic that's disabled by default and that can automate parts of the certificate or smart card issuance process. For example, organizations can configure CLM to automatically distribute smart card unblock codes or user smart card enrollment instructions via email.

Finally, CLM has built-in and easily customizable workflow, administrative delegation, and self-service features. The following examples illustrate these features:

Architecture and Components
CLM is a multi-tiered Web application that leverages different Microsoft infrastructure services and servers. CLM must be installed on a Windows Server 2003 or later server platform. On the Web server side, CLM requires a Microsoft IIS 6.0 or later application server that has Microsoft .NET Framework 1.1 installed. On the Web client side, CLM is optimized to work with Microsoft Internet Explorer (IE) 6.0 or later.

On the back end, the CLM application communicates with a Windows 2000 Server or Windows 2003 AD and a SQL Server 2000 Service Pack 3a (SP3a) or later database server. CLM uses the database to store its configuration and history data.

As far as CA integration is concerned, CLM links to a Windows 2003 enterprise (i.e., AD-integrated) CA. During the CLM installation process, a CLM-specific policy module and exit module are installed and enabled on the Windows CA (as Figure 3 shows). The policy module allows the Windows CA to add CLM-specific X.509 attributes to the certificates it issues. The exit module allows the Windows CA to communicate with the CLM SQL Server database. These modules do their work behind the scenes; you really don't work with them directly with the exception of some configuration options that Figure 3 shows.

The CLM installation wizard extends the AD schema with a set of CLM-specific objects and attributes. CLM uses these AD objects to store the CLM certificate and smart card profile information. CLM profiles contain the management policies that are linked to a given certificate or smart card type. These policies include the enrollment, recovery, renewal, revocation, disabling, unblocking (for smart cards only), and duplication (for smart cards only) policies. You define CLM profiles, their properties, and their related management policies in the Edit Profile Template interface (shown in Figure 4), which you access through the AdministrationManage profile templates option in the CLM management interface.

CLM also leverages AD to store CLM user and administrator data and to define CLM administrative delegation. For the latter purpose, the CLM installation wizard extends the AD authorization model by adding the following CLM-specific permissions to AD: CLMS Audit, CLMS Request Enroll, CLMS Enrollment Agent, CLMS Request Recover, CLMS Request Renew, CLMS Request Revoke, CLMS Request Unblock Smart Card, and CLMS Enroll.

You can use these CLM-specific permissions to define how users and groups can interact with the CLM system. For example, you can specify that a particular user can initiate a certificate request to the CLM system or that a particular administrator can request the CLM system to revoke a certificate.

The CLM-specific permissions can be set on AD user, group, and CLM profile objects by using the classic AD management tools. Figure 5 shows how you can give an AD user CLM-specific permissions from the MMC Active Directory Users and Computers snap-in. To give a user permission to enroll for a particular CLM certificate or smart card type, you must set permissions on the corresponding CLM profile object. You can do this from the ServicesPublic Key ServicesProfile Templates node in the MMC Active Directory Sites and Services snap-in, as Figure 6 shows.

CLM can interface with the smart cards, smart card readers, and USB tokens from various vendors. To let CLM and Windows interoperate with a particular smart card, the vendor must make available a Windows CryptoAPI-compliant Cryptographic Service Provider (CSP) software module. This CSP must also be deployed on all Windows machines (both clients and servers) on which smart cards, USB tokens, and CLM will be used. You can find a list of preferred Microsoft CLM smart card vendors at http://www.microsoft.com/windowsserversystem/clm/partners.mspx.

As previously mentioned, CLM-integrated management of smart cards or USB tokens in an AD environment also requires the installation of CLM client software, which comes with the CLM server distribution package. Included in the CLM client is a tool that lets users reset their smart card or USB token PIN without administrator intervention.

Focus on Identity
CLM is another proof of how Microsoft is gradually becoming an important identity management solution player. Over the last few years, the company has been ramping up in the identity space by extending the reach of the identity management services that are bundled with its OS platforms. Microsoft now offers identity management solutions that can cover non-Microsoft platforms and applications: Good examples are the Microsoft provisioning solution (the aforementioned MIIS), UNIX integration services (Services for UNIX—SFU—and Windows 2003 R2), and last but not least, Microsoft's PKI solution (bundled with Win2K and Windows 2003) and CLM. You can find more information about CLM at http://www.microsoft.com/windowsserversystem/clm/default.mspx.