The CLM management interface also provides a unified tool for interfacing with
multiple Windows Certificate Authorities (CAs). You can use the CLM interface
to send certificate issuance and revocation requests to different Windows CAs
in your environment.
Another feature that PKI administrators will appreciate is CLM's powerful reporting
capabilities, which let you easily generate detailed reports of the certificate
and smart card use in your AD environment. Figure 2 shows a sample CLM report
that gives a CLM request-type breakdown for a selected time period.
Besides the management Web interface, CLM includes a Web interface that lets
users manage their personal certificate and smart card details. From this interface,
users can request certificates, permanent smart cards, and temporary smart cards;
view their certificates and smart card details; and change their smart card's
PIN.
Flexibility
CLM is a flexible certificate and smart card management tool for the enterprise.
You can easily customize CLM's logic to fit your organization's certificate
and smart card management needs, and you can do most of the customizations from
the CLM management interface—no or very little custom coding is required.
Organizations that want to hide certain features from the CLM interface or include
corporate branding on the CLM Web pages might need to make some small adjustments
in CLM's Web interface and associated logic.
A good example of CLM's flexibility is the ease with which you can adapt the
CLM logic to support either a centralized or decentralized model for the issuance
of smart cards and USB tokens. In the centralized model, an administrator provisions
the smart card or token and sends it to the user, who unblocks it and then uses
it. In the decentralized model, the administrator just sends the smart card
to the user, who then provisions it.
CLM also contains a significant amount of logic that's disabled by default
and that can automate parts of the certificate or smart card issuance process.
For example, organizations can configure CLM to automatically distribute smart
card unblock codes or user smart card enrollment instructions via email.
Finally, CLM has built-in and easily customizable workflow, administrative
delegation, and self-service features. The following examples illustrate these
features:
- Workflow—from the CLM interface, you can define the number of certificate
manager approvals that are required before a user is allowed to enroll for
a given certificate type.
- Administrative delegation—a CLM administrator can delegate the approval
of enrollment requests for a subset of the AD user population—for example,
for all users in a particular AD organizational unit (OU)—to another
administrator.
- Self-service—you can allow users to initiate and complete the enrollment
for a given certificate type without any administrator intervention.
Architecture and Components
CLM is a multi-tiered Web application that leverages different Microsoft infrastructure
services and servers. CLM must be installed on a Windows Server 2003 or later
server platform. On the Web server side, CLM requires a Microsoft IIS 6.0 or
later application server that has Microsoft .NET Framework 1.1 installed. On
the Web client side, CLM is optimized to work with Microsoft Internet Explorer
(IE) 6.0 or later.
On the back end, the CLM application communicates with a Windows 2000 Server
or Windows 2003 AD and a SQL Server 2000 Service Pack 3a (SP3a) or later database
server. CLM uses the database to store its configuration and history data.
As far as CA integration is concerned, CLM links to a Windows 2003 enterprise
(i.e., AD-integrated) CA. During the CLM installation process, a CLM-specific
policy module and exit module are installed and enabled on the Windows CA (as
Figure 3 shows). The policy module allows the Windows CA to add CLM-specific
X.509 attributes to the certificates it issues. The exit module allows the Windows
CA to communicate with the CLM SQL Server database. These modules do their work
behind the scenes; you really don't work with them directly, with the exception
of some configuration options that Figure 3 shows.
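Because the CLM installer changes which policy and exit modules the Windows CA loads, an administrator will want a quick way to confirm exactly which modules a CA is running after the install. The following PowerShell script is an added example, not code from the article or from CLM: it reads the CA's active policy and exit modules from the standard CertSvc registry layout and flags any module not on an allowlist. The Microsoft default ProgIDs are real; the CLM module ProgIDs are placeholders to be filled in from your own CA.

```powershell
# Added example (not from the article or from Microsoft CLM): list the policy and
# exit modules registered on the local Windows CA and flag any that are not on an
# administrator-maintained allowlist. Run on the CA host with local admin rights.
# Assumes the standard CertSvc registry layout (HKLM\...\CertSvc\Configuration).

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# Expected module ProgIDs. The MicrosoftDefault entries are the real built-in
# modules; the CLM entries are placeholders (hypothetical) to replace with the
# values observed on the CA after the CLM install.
$expectedPolicy = @('CertificateAuthority_MicrosoftDefault.Policy',
                    'CLM_POLICY_MODULE_PROGID_PLACEHOLDER')
$expectedExit   = @('CertificateAuthority_MicrosoftDefault.Exit',
                    'CLM_EXIT_MODULE_PROGID_PLACEHOLDER')

function Get-CaModules {
    # The 'Active' value under Configuration names the CA instance on this host.
    $caName = (Get-ItemProperty -Path $base -Name Active).Active
    # PolicyModules\Active is REG_SZ: only one policy module is active at a time.
    $policy = (Get-ItemProperty -Path "$base\$caName\PolicyModules" -Name Active).Active
    # ExitModules\Active is REG_MULTI_SZ: several exit modules can be active at once.
    $exit   = @((Get-ItemProperty -Path "$base\$caName\ExitModules" -Name Active).Active)
    [pscustomobject]@{ CA = $caName; Policy = @($policy); Exit = $exit }
}

function Test-CaModules {
    param($Modules, [string[]]$ExpectedPolicy, [string[]]$ExpectedExit)
    # Return a description of every registered module that is not on the allowlist.
    $unexpected = @()
    $unexpected += $Modules.Policy | Where-Object { $_ -notin $ExpectedPolicy } |
                   ForEach-Object { "policy module: $_" }
    $unexpected += $Modules.Exit   | Where-Object { $_ -notin $ExpectedExit } |
                   ForEach-Object { "exit module: $_" }
    $unexpected
}

$m = Get-CaModules
"CA '$($m.CA)': policy = $($m.Policy -join ', '); exit = $($m.Exit -join ', ')"
$bad = Test-CaModules -Modules $m -ExpectedPolicy $expectedPolicy -ExpectedExit $expectedExit
if ($bad.Count -eq 0) { 'All registered CA modules are on the allowlist.' }
else { "Unexpected CA modules found:`n" + ($bad -join "`n") }
```

Running this before and after the CLM install, and periodically afterwards, gives a simple baseline check that only the intended modules are active on the CA.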