Support-Info: (CM): Renew Certificate for the CMAGENT Fails with One or more signatures did not include the required application or issuance policies

PRODUCTS INVOLVED

  • Microsoft Forefront Identity Manager 2010 R2 Service Pack 1
    • Certificate Management

PROBLEM SCENARIO DESCRIPTION

Certificate management – renewal of the CLM agent certificate does not work.

ERROR MESSAGE

Error(s): One or more signatures did not include the required application or issuance policies. The request is missing one or more required valid signatures. 0x8009480b-2146875381

CAUSE

The general cause of this issue is that the Smart Card Template had the property "Number of Authorized Signatures" set to 1.  No Signing Certificate was available to sign the request, so the request failed, most likely because the CLM Agent Certificate itself is the Signing Certificate.

NOTE This requirement is appropriate for a Smart Card template, but not for the CLMAgent Certificate.  The CLMAgent Certificate is usually created and renewed manually by an Administrator.

NOTE
  • While storing the CMAgent certificate on a Smart Card may be possible, you may encounter other issues:
    1. A Smart Card Reader must be attached and the Smart Card must be in the reader at all times
    2. PIN caching must be enabled (at least process-wide)
    3. If Admin Key Diversification is enabled, the same Smart Card must be reused; if it is lost or damaged, recovery can be a really bad experience (especially if the key material on the Smart Card cannot be exported or backed up, which is usually the case).

RESOLUTION

Check the certificate that needs to be renewed

  1. Log on to the Certificate Management Server as the CLM Agent Account
  2. Open the Certificates Snap-In, Personal Store
  3. There should be a CLMAgent or CMAgent Certificate (*NOTE: The name may vary depending on the solution)
  4. Select the Details Tab and then Certificate Template Information (*NOTE: This will help to identify the certificate template that has been utilized.)
  5. Once you have identified the Certificate Template, locate the Template
    a. Navigate to the CA and open the Certificate Templates snap-in (not Certificates)
    b. Locate the MIM CM Signing Template
    c. Select the Issuance Requirements tab
    d. Temporarily de-select CA certificate manager approval and This number of authorized signatures
    e. Click OK
    f. Renew the CLM Agent Certificate
    g. Then, if your business rules require it, revert the template by re-selecting the items in (d).
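The following PowerShell script is an added diagnostic, not part of the original article or the product: it performs steps 1-5 above from the console, identifying which template issued the agent certificate and reading that template's issuance requirements from Active Directory so you can confirm the "Number of authorized signatures" setting before renewing. It assumes you run it as the CLM Agent account on a domain-joined host and that the certificate subject contains "CLMAgent" or "CMAgent" (the $SubjectMatch pattern is an assumption; adjust it for your solution).

```powershell
# Added diagnostic (not from the original article): find the CM agent certificate,
# read its Certificate Template Information extension, and report the template's
# issuance requirements from the AD Configuration partition.
# Assumption: the agent certificate subject matches $SubjectMatch.
param([string]$SubjectMatch = 'CLMAgent|CMAgent')

# 1. Locate the newest matching certificate in the user's Personal store.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -match $SubjectMatch } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate matching '$SubjectMatch' in Cert:\CurrentUser\My" }

# 2. Read the v2 Certificate Template Information extension (OID 1.3.6.1.4.1.311.21.7).
#    Formatted text looks like "Template=<DisplayName>(<TemplateOID>), Major Version Number=..."
$ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
if (-not $ext) { throw "Certificate has no v2 template extension; it may come from a v1 template." }
$templateInfo = $ext.Format($false)
$templateOid  = ([regex]'\d+(\.\d+)+').Match($templateInfo).Value
Write-Host "Certificate : $($cert.Subject) (expires $($cert.NotAfter))"
Write-Host "Template    : $templateInfo"

# 3. Find the template object under CN=Certificate Templates in the Configuration NC.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$searcher = New-Object DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$searcher.Filter = "(&(objectClass=pKICertificateTemplate)(msPKI-Cert-Template-OID=$templateOid))"
'cn','msPKI-RA-Signature','msPKI-Enrollment-Flag','msPKI-RA-Application-Policies' |
    ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }
$tpl = $searcher.FindOne()
if (-not $tpl) { throw "Template with OID $templateOid not found in AD." }

# 4. Report the two Issuance Requirements settings the procedure above has you turn off.
#    msPKI-RA-Signature = "This number of authorized signatures";
#    msPKI-Enrollment-Flag bit 0x2 (CT_FLAG_PEND_ALL_REQUESTS) = "CA certificate manager approval".
$sigCount   = [int]$tpl.Properties['mspki-ra-signature'][0]
$enrollFlag = [int]$tpl.Properties['mspki-enrollment-flag'][0]
$pendAll    = ($enrollFlag -band 0x2) -ne 0
Write-Host "Template CN                     : $($tpl.Properties['cn'][0])"
Write-Host "Number of authorized signatures : $sigCount"
Write-Host "CA certificate manager approval : $pendAll"
Write-Host "Signature application policies  : $($tpl.Properties['mspki-ra-application-policies'] -join ', ')"
if ($sigCount -gt 0) {
    Write-Warning "Renewal requires $sigCount enrollment-agent signature(s); with none available the request fails with 0x8009480b."
}
```

Run it again after renewing and reverting the template to confirm the settings were restored to what your business rules require.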

ADDITIONAL INFORMATION

Product Documentation