Forefront Identity Manager 2010 R2 (CM)

Forefront Identity Manager Certificate Management (FIM CM) is a certificate and smart card life cycle management system that can significantly reduce the cost of maintaining an organization's Public Key Infrastructure (PKI). This effect is achieved through the following means:

  • Policy-based management.
  • Fine-grained delegation of permissions to perform operations.
  • Automation of certificate and smart card life cycle management.
  • Delegation of the right to perform some operations to end users.
  • Approval workflows for actions.
  • E-mail notifications to workflow participants.
  • Auditing of all performed actions.


FIM CM is implemented as a web portal with user and administrator sections. The portal interface presented to a user is determined by that user's permissions.

All information about actions performed on certificates and smart cards is stored in a Microsoft SQL Server database.

FIM CM is tightly integrated with Active Directory, which it uses to authenticate users and to store configuration information.

To notify users, FIM CM connects to an SMTP server.

To request a certificate, FIM CM contacts the corporate Certification Authority using the user's credentials.

FIM CM architecture

Profile templates

To manage certificate and smart card life cycle processes, FIM CM uses Profile Templates. A Profile Template defines the following parameters:

  • The set of certificates issued to users.
  • The users who have the right to request certificates.
  • Certificate and smart card life cycle management policies.
  • Workflow participants.


Policies define the parameters of the various certificate and smart card life cycle management operations. Many parameters are configurable; among them, the following options are set:

  • Who can initiate the operation.
  • Who can approve the operation.
  • Whether self-service is enabled for the user.
  • The text of e-mail notifications.
  • Other parameters specific to the operation.

The following policies can be defined in FIM CM:

  • Enroll Policy
  • Duplicate Policy
  • Renew Policy
  • Reinstate Policy
  • Recover on Behalf Policy
  • Online Updates Policy

For certificates:

  • Recover Policy
  • Revoke Policy

For smart cards:

  • Replace Policy
  • Disable Policy
  • Retire Policy
  • Unblock Policy
  • Temporary Cards Policy


Some operations can be initiated and performed automatically without administrator intervention. This reduces the administrators' workload and increases the efficiency of certificate and smart card life cycle management.

For instance, when a certificate on a smart card expires, FIM CM can send a notification that smart card renewal is required. The user only has to click the link to the portal, insert the card into the reader and enter the PIN. Without FIM CM such optimization is impossible.


FIM CM provides a wide range of reports that allow monitoring PKI status and obtaining all required information about certificate use. The built-in reports are listed below:

  • Request report
  • Certificate expiry summary report
  • Certificate usage
  • Smart Card inventory report
  • Smart card report
  • Smart card history report
  • Certificate template usage report
  • Certificate revocation list report
  • Profile template settings report
  • Certificate template settings report

Administrators can also obtain additional information by querying the SQL database directly.

There are several similar solutions on the market, for instance those from SafeNet and Gemalto. However, they are generally designed to manage only the smart cards of the corresponding vendor. Compared to its competitors, FIM CM has the following advantages:

  • It can manage both smart cards and ordinary certificates.
  • It can manage smart cards issued by a wide range of vendors.
  • Management is based on a flexible workflow and notification system.

Here you can find additional information about the technology described above and details of its implementation.