Network World

Tyson Kopczynski

Introducing Certificate Lifecycle Manager (CLM) 2007 Part Deuce…

By tyson.kopczynski on Thu, 07/26/07 - 11:22am.

As promised, after returning from rainy Seattle, I sat down and attempted to collect my thoughts about CLM into some form of a comprehensive review. So… here we go.

Overall, I like CLM. I also think that purchasing Alacris (idNexus), rebranding it CLM, and then tying it into Identity Lifecycle Manager was the right step for Microsoft. After all, digital certificates are a cornerstone of representing a person’s identity within an organization. And, from a functional standpoint, Windows Certificate Services has always lacked an easy method for managing a certificate’s “lifecycle”. Which meant that organizations have either attempted to write their own management front-ends or purchased third-party products such as idNexus (hey, I looped there). So to me, putting a Microsoft’ish framework into play for managing certificate “lifecycles” is music to my ears.

Anyhow, enough Microsoft self-love, let’s get to my review of CLM…

The Good:
Instead of just listing all the cool CLM features, this list contains only the features that I liked the most. This is my attempt at not sounding like a broken marketing record. :>)

  1. CLM places a policy and workflow layer into how certificates and smart cards are requested, enrolled, recovered, and revoked. Duh! That is the whole point of CLM. And as such, this is the best feature. Best yet, this is all based on Windows Workflow Foundation. Life is good.
  2. Because CLM stores all of its data in an MSSQL server database, you can now write any number of reports about the items it manages. Gone (for the most part) are the days of using ICertView, CCertAdmin, CAPICOM, etc. to pull information out of the certificate services database.
  3. Even better, gone are the days of searching for certificate information across multiple CAs. The CLM database has it all and should be your one-stop destination for information. Just log in to the management interface, search for a user, and see all the certificates that user was issued, the status of each certificate, and even the approval process the user went through to get each certificate.
  4. CLM uses Active Directory for account, group, and CA information. Is it sad that I’m amazed an application would actually use an existing directory store for information? In any case, CLM does, and it brings a tear to my eye.
  5. Granted this will be a feature in Windows Server 2008. But, if you can’t wait, you can get targeted enrollment agents in CLM. Naturally, the need for this feature speaks for itself.
  6. Three really cool APIs. The CLM Notification API, which allows you to build notification applications based on CLM events. The CLM Provision API, which allows you to build your own request processing workflows. And the CLM SQL API, which allows you to programmatically place requests to CLM to perform any number of management functions.
  7. Lastly, because CLM can act as a key recovery agent, users can recover their own keys. Self-service is a great thing.
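To make the pain point in items 2 and 3 concrete, here is an added example (my own, not code from the post or from CLM) of the pre-CLM approach: pulling one user’s certificates out of several CA databases with certutil -view and flagging which ones are revoked, expired, or about to expire. The CA config strings and the user name are placeholders; the column names follow the certutil -view documentation, and the assumption that the csv disposition column carries the “Issued”/“Revoked” text is noted in the code.

```powershell
# Added example, not from the original post: the pre-CLM way of answering
# "which certificates does this user hold, and in what state?" across
# several CAs, by querying each CA database with certutil -view.
# CA config strings ("host\CA name") and the user name are placeholders.
$CAs  = @('ca01.corp.example\Corp Issuing CA 1',
          'ca02.corp.example\Corp Issuing CA 2')
$User = 'CORP\jdoe'
$Cols = 'RequestID,RequesterName,CommonName,NotAfter,Request.Disposition'
$Now  = Get-Date

$certs = foreach ($ca in $CAs) {
    # -restrict filters rows by requester; csv makes the output parseable.
    $raw = & certutil.exe -config $ca -view csv -restrict "RequesterName=$User" -out $Cols 2>$null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Query failed for $ca"; continue }

    # Skip certutil's own header row and supply stable column names instead
    # of depending on its (localized) display names.
    $raw | Select-Object -Skip 1 |
        ConvertFrom-Csv -Header RequestID, Requester, CommonName, NotAfter, Disposition |
        ForEach-Object {
            $expires = [datetime]$_.NotAfter
            # Assumption: the csv disposition column keeps the description
            # text (e.g. "Issued", "Revoked") next to the numeric code.
            $status = if ($_.Disposition -match 'Revoked')   { 'Revoked' }
                      elseif ($expires -lt $Now)             { 'Expired' }
                      elseif ($expires -lt $Now.AddDays(30)) { 'Expiring' }
                      else                                   { 'Valid' }
            [pscustomobject]@{
                CA         = $ca
                RequestID  = $_.RequestID
                CommonName = $_.CommonName
                NotAfter   = $expires
                Status     = $status
            }
        }
}

# One row per certificate, soonest expiry first; this is the view CLM
# gives you from a single console without touching each CA.
$certs | Sort-Object NotAfter |
    Format-Table CA, RequestID, CommonName, NotAfter, Status -AutoSize
```

Run it from an account that has Read permission on each CA; the script only reads the request log and never changes CA state.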

The Bad:
In the name of suspense, this will be my next post.

About Hidden Microsoft

With more than ten years of experience in IT, Tyson Kopczynski has become a specialist in Active Directory, Information Assurance, Windows automation, PKI, and IT security practices. Tyson is also the founding author of the Windows PowerShell Unleashed series and has been a contributing author for such books as Microsoft Internet Security and Acceleration (ISA) Server 2006 Unleashed and Microsoft Windows Server 2008 R2 Unleashed. He has also written many detailed technical papers and guides covering various technologies. As a consultant at Convergent Computing, Tyson works with and provides feedback for next generation Microsoft technologies since their inception and has also played a key role in expanding the automation and security practices at CCO. Tyson also holds such certifications as the Certified Information Systems Security Professional (CISSP), the SANS Security Essentials Certification (GSEC) and SANS Certified Incident Handler (GCIH), and the MCTS (Application Platform, Active Directory, and Network Infrastructure).