
I recently attempted to renew the certificate for the clmAgent user account according to these directions:

http://technet.microsoft.com/en-us/library/hh149034%28v=ws.10%29.aspx

I logged in with the clmAgent account, went to Certificates MMC, right-clicked the clmAgent certificate in the Current User -> Personal store, and chose "Renew Certificate with New Key..."

The certificate update was successful. I then updated the web.config with the new certificate Thumbprint/Hash. I also added the new thumbprint to the Signing Certificates Tab under Policy Module on the CA. I then did an iisreset and restarted the FIM CM Update service.

Now FIM is able to issue new smartcards, but is unable to retire existing ones. When I attempt a retire operation, I am given the error "Data at the root level is invalid. Line 1. Position 1." CNG Key Isolation service is running. Certificate template versions are 2003 and were not changed. Furthermore, it renders the smartcard seemingly unusable because it wipes the data off the card, but FIM insists that the card is still in use so I cannot re-enroll it.

Ryan Ries

1 Answer

Answering my own question.

Since I renewed the agent certificate with a new private key, that means that I had to put the hash of the new certificate in the web.config file as the Clm.Encryption.Certificate.Hash for new smartcards going forward, but I had to leave the Clm.Decryption.Certificate.Hash as the thumbprint of the previous (and now archived) certificate, so that smart cards deployed with the old certificate can be decrypted and thus retired.

Ryan Ries
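The following PowerShell check is an added example, not part of the original question or answer and not a FIM CM tool. It reads the two thumbprints from the FIM CM web.config and confirms that each resolves to a certificate in the clmAgent user's Personal store, opening the store with `IncludeArchived` so that the archived pre-renewal certificate (which `Clm.Decryption.Certificate.Hash` must still reference) is found. It assumes the settings live under `<appSettings>` as `<add key="..." value="..."/>` elements; the web.config path is a placeholder.

```powershell
# Added example (not from the original post): sanity-check the FIM CM agent
# certificate thumbprints in web.config after a "Renew Certificate with New Key".
# Run while logged on as the clmAgent account so CurrentUser\My is the agent's store.
# ASSUMPTION: the hashes are stored as <add key="..." value="..."/> under <appSettings>.
param(
    [string]$WebConfigPath = 'C:\PLACEHOLDER\CertificateManagement\web.config'  # placeholder path
)

[xml]$config = Get-Content -Path $WebConfigPath

function Get-ClmSetting([string]$Key) {
    $node = $config.configuration.appSettings.add | Where-Object { $_.key -eq $Key }
    if (-not $node) { throw "Key '$Key' not found in $WebConfigPath" }
    # Thumbprints copied from the MMC sometimes carry spaces; normalise before comparing.
    return (($node.value -replace '\s', '')).ToUpperInvariant()
}

$encHash = Get-ClmSetting 'Clm.Encryption.Certificate.Hash'   # new certificate: used for new cards
$decHash = Get-ClmSetting 'Clm.Decryption.Certificate.Hash'   # old certificate: needed to retire existing cards

# Open the Personal store including archived certificates, because renewing with a
# new key archives the previous certificate and the default store view hides it.
$storeName = [System.Security.Cryptography.X509Certificates.StoreName]::My
$location  = [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser
$flags     = [System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly -bor
             [System.Security.Cryptography.X509Certificates.OpenFlags]::IncludeArchived
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, $location)
$store.Open($flags)

try {
    foreach ($setting in @(
        @{ Name = 'Clm.Encryption.Certificate.Hash'; Hash = $encHash },
        @{ Name = 'Clm.Decryption.Certificate.Hash'; Hash = $decHash }
    )) {
        $cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $setting.Hash }
        if (-not $cert) {
            Write-Warning "$($setting.Name) = $($setting.Hash) has no matching certificate in CurrentUser\My"
            continue
        }
        # A certificate without an accessible private key cannot decrypt anything, so flag it.
        '{0,-36} {1}  expires {2:yyyy-MM-dd}  HasPrivateKey={3}' -f `
            $setting.Name, $cert.Thumbprint, $cert.NotAfter, $cert.HasPrivateKey
    }
}
finally {
    $store.Close()
}

if ($encHash -eq $decHash) {
    Write-Warning ('Encryption and decryption hashes are identical; cards enrolled under the ' +
                   'previous certificate will not be decryptable, so they cannot be retired.')
}
```

Run it as the clmAgent user after editing web.config; if the decryption entry warns that no certificate matches, the archived certificate was likely removed from the store, and if both hashes are identical the old cards will fail to retire exactly as described in the question.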