
Content provided by Microsoft  

Applies to:

  • Microsoft Identity Manager 2016

  • Microsoft Identity Manager 2016 SP2

Information

Periodically a company may need to replace or upgrade an issuing Certificate Authority (CA). Very often this is done together with an upgrade/migration from Forefront Identity Manager 2010 R2 (FIM 2010 R2) or Microsoft Identity Manager 2016 (MIM 2016 / MIM 2016 SP1) to MIM 2016 SP2. A common way to do this is to stand up a new server/VM to host the CA, move the CA database to the new server, and start using that new upgraded CA. If the new server/VM does not have the same name as the original CA server, the Certificate Template information in each Profile Template breaks, because it references the original CA server name.

When upgrading a Certificate Authority that is used by a MIM CM solution, it is critical to keep the same server/computer name for the server hosting the new/upgraded Certificate Authority, and the same Certificate Authority name itself. If a different CA Server Name or CA Name is used, the MIM CM solution will break.

  • There are multiple documentation links and posts where you can learn how to restore the CA to a server with a different server name, but doing so will break the MIM CM solution.

  • Keeping the same CA name is straightforward: it happens automatically when you follow the instructions to restore the CA onto the new server. Keeping the same CA Server Name is the step that is easy to miss.

If the server name has been changed, the following errors may occur:

  • Every Profile Template workflow that is attempted fails with an RPC error, a "CA not found" error, or a "CA is decommissioned" error.

  • Certificates issued by the original CA are not revoked by MIM CM. The revocation appears to fail silently in the Portal, but an exception is written to the MIM CM Event Log stating that the CA is decommissioned.

Error messages such as the following (but not only these) may be logged:

  • Specified name or server name of the CA is invalid.

  • The Certificate Authority <CA-Name> cannot be contacted because it is marked as decommissioned.

Solution

If the CA has been migrated to a server with a new CA Server Name, so that the clmutil.exe -listCa command returns an additional CA server, do the following:

  1. Update the CA so that the CA Server Name is the original name again.

  2. Restore the MIM CM database to the backup taken immediately before the CA server upgrade.
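The following PowerShell check is an added example and is not part of this article or of any Microsoft tool. It applies both to the guidance above about keeping the CA Server Name and CA Name unchanged (run it before and after the move) and to confirming the fix after the two steps above. It reads the enterprise CAs published in the Active Directory Enrollment Services container, verifies that the CA name MIM CM depends on is still published exactly once and on the expected host, and confirms with certutil -ping that the CA answers RPC at the original configuration string. Assumptions: the RSAT ActiveDirectory module and certutil.exe are available on a domain-joined machine, and the "Server\CA name" string passed in (the placeholder value CA01.corp.example.com\Corp Issuing CA is invented) is the one recorded before the migration.

```powershell
<#
  Added example (not from the original article or from MIM CM itself).
  Checks that the CA name and CA host name a MIM CM deployment references are
  unchanged after a CA move, and that the CA still answers RPC requests.
  Assumptions: RSAT ActiveDirectory module + certutil.exe present, domain-joined host,
  $ExpectedConfig is the "Server\CA name" string recorded before the migration
  (use the FQDN, as published in dNSHostName). All values below are placeholders.
#>
function Test-MimCmCaName {
    param(
        [Parameter(Mandatory)] [string] $ExpectedConfig   # e.g. 'CA01.corp.example.com\Corp Issuing CA'
    )

    # Split "host\CA name" into its two parts (regex split on a single backslash).
    $expectedHost, $expectedCaName = $ExpectedConfig -split '\\', 2
    $ok = $true

    # Enrollment Services container: where enterprise CAs publish their name and host.
    $cfgNc  = (Get-ADRootDSE).configurationNamingContext
    $esBase = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfgNc"
    $cas = @(Get-ADObject -SearchBase $esBase -LDAPFilter '(objectClass=pKIEnrollmentService)' `
                          -Properties cn, dNSHostName)

    Write-Host 'Enrollment services published in AD:'
    foreach ($ca in $cas) { Write-Host ('  {0}\{1}' -f $ca.dNSHostName, $ca.cn) }

    # Check 1: the original CA name must still be published, and only once.
    # A second entry with the same CA name is the "additional CA server" the article
    # describes: the CA was restored under a different host name.
    $found = @($cas | Where-Object { $_.cn -eq $expectedCaName })
    if ($found.Count -eq 0) {
        Write-Warning "CA name '$expectedCaName' is no longer published; Profile Templates that reference it will fail."
        return $false
    }
    if ($found.Count -gt 1) {
        Write-Warning "CA name '$expectedCaName' is published $($found.Count) times; an extra entry usually means the CA was restored on another host."
        $ok = $false
    }

    # Check 2: the host name must be the one MIM CM was configured against
    # (string comparison with -eq is case-insensitive in PowerShell).
    foreach ($ca in $found) {
        if ($ca.dNSHostName -ne $expectedHost) {
            Write-Warning "CA '$($ca.cn)' is now hosted on '$($ca.dNSHostName)', expected '$expectedHost'; MIM CM will report the CA as not found or decommissioned."
            $ok = $false
        }
    }

    # Check 3: the CA must answer over RPC at the recorded configuration string.
    & certutil.exe -ping -config $ExpectedConfig | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "certutil -ping failed for '$ExpectedConfig' (exit code $LASTEXITCODE); the CA is unreachable at its original name."
        $ok = $false
    }

    return $ok
}

# Usage (placeholder value; substitute the configuration string recorded before the move).
if (Test-MimCmCaName -ExpectedConfig 'CA01.corp.example.com\Corp Issuing CA') {
    Write-Host 'CA Server Name and CA Name match the pre-migration configuration.'
} else {
    Write-Host 'Name mismatch detected; correct it before running MIM CM workflows.'
}
```

Run the check once before the migration to capture the baseline (it should pass and list exactly one entry for the CA), and again after the CA is restored on the new server. A second entry for the same CA name, or a different dNSHostName, is the condition that produces the "CA not found" and "decommissioned" errors described above, and is the cue to rename the server back to the original CA Server Name before restoring the MIM CM database.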

References  

Microsoft Identity Manager release history  

Deploy the MIM Certificate Manager Windows application | Microsoft Learn

How to move a certification authority to another server - Windows Server | Microsoft Learn
