IDM and PKI
Has anyone else had any success in linking their PKI certificates with their Identity Management service? I have not been able to find much related to this, and I would have thought there would be more information. What I am hoping to achieve is to use the IDM solution to perform the requests to the Microsoft CA on behalf of the user. This is to ensure all the information is correct and we can include the universal GUID (supplied by the IDM) information within the certificate. The other part is to export the certificate information and add it to the IDM profile, such as when the certificate will expire. This way we can automate user notification and have proper contact information. I'm digging through documentation on the Web Enrollment Service but am hoping the community may have some advice. Cheers, Randal
February 9th, 2010 12:40am

It depends on what your IDM service is. With FIM CM/CLM you can definitely do this with the Subject or SAM plug-in policy modules and the FIM CM Management Agent. Brian
February 9th, 2010 6:40pm

Thanks Brian for the info. Currently we (the IDM vendor and myself) are not aware of known deployments with this IDM and a MS PKI. As such I have a feeling we will need to develop something using CEnroll or ICEnroll4 if we want to automate the certificate request process for the user. The other option is to have the IDM perhaps auto fill in the request form for the user. The main part is linking the certificate authority to the IDM. I thought we could use the universal identifier and put this as the Subject Alternate Name field within the certificate. Is it possible to use this field to store 3rd party text? From my readings so far it relates to object types such as dns, email, guid, subject, etc. Can we make our own?
February 9th, 2010 7:48pm

Not really. There is an OID that exists for GUID though (but MS will not show it, it will show the OID). For example, you could create a SAN entry that uses 0.9.2342.19200300.100.1.1 = 123235231656 where 123235231656 is my GUID. Brian
February 10th, 2010 1:39am
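As an added example (not from Brian or the forum), this is the DER structure behind the SAN entry Brian describes: an otherName whose type-id is 0.9.2342.19200300.100.1.1 and whose value is a GUID string, next to an rfc822Name, plus a parser that reads both back the way an IDM export step would. The GUID and e-mail address are constructed sample values; submitting the request to the Microsoft CA is outside what this shows.

```python
UID_OID = "0.9.2342.19200300.100.1.1"  # the type-id Brian cites for the SAN entry

def tlv(tag, body):  # DER tag-length-value; short-form or one/two-byte long-form length
    n = len(body)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + ln + body

def der_oid(dotted):  # OBJECT IDENTIFIER: first two arcs packed, the rest base-128
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def san_with_guid(guid, email):
    # GeneralNames SEQUENCE: otherName [0] { OID, [0] EXPLICIT UTF8String } and rfc822Name [1]
    other = tlv(0xA0, der_oid(UID_OID) + tlv(0xA0, tlv(0x0C, guid.encode())))
    return tlv(0x30, other + tlv(0x81, email.encode("ascii")))

def read_tlv(buf, pos):  # returns (tag, body, position after this element)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def decode_oid(body):  # inverse of der_oid (first arc 0 or 1 only)
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def parse_san(der):  # returns (type-or-OID, text) pairs; otherNames are keyed by OID, as MS displays them
    tag, seq, _ = read_tlv(der, 0)
    names, pos = [], 0
    while pos < len(seq):
        tag, body, pos = read_tlv(seq, pos)
        if tag == 0xA0:  # otherName: OID, then the [0] EXPLICIT wrapper around the value
            _, oid_body, p = read_tlv(body, 0)
            _, wrapped, _ = read_tlv(body, p)
            _, text, _ = read_tlv(wrapped, 0)
            names.append((decode_oid(oid_body), text.decode()))
        elif tag == 0x81:  # rfc822Name is an IA5String
            names.append(("rfc822Name", body.decode("ascii")))
    return names
```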
