Support-Info: (CM): Renew Certificate for the CMAGENT Fails with One or more signatures did not include the required application or issuance policies

PRODUCTS INVOLVED

  • Microsoft Forefront Identity Manager 2010 R2 Service Pack 1
    • Certificate Management

PROBLEM SCENARIO DESCRIPTION

Certificate management – renewal of the CLM agent certificate does not work.

ERROR MESSAGE

Error(s): One or more signatures did not include the required application or issuance policies. The request is missing one or more required valid signatures. 0x8009480b-2146875381

CAUSE

The general cause of this issue, is that the Smart Card Template had the property “Number of Authorized Signatures” set to 1.  There was no Signing Certificate found to sign the certificates, so the request failed.  Likely because the CLM Agent Certificate is the Signing Certificate.

NOTE This is appropriate for a Smart Card.  However, not the CLMAgent Certificate.  The CLMAgent Certificate is usually manually created and renewed by an Administrator.

 

NOTE
  • While storing the CMAgent certificate on a Smart Card may be possible, one might encounter other issues
    1. Smart Card Reader must be attached and Smart Card Reader must be in the reader all the time
    2. PIN caching must be enabled (at-least process wide)
    3. If Admin Key Diversification is Enabled, the same Smart Card must be reused and in case of lost or damage, it can be a really bad experience. (Especially if the key material on the Smart Card cannot be exported/.backed up, which is usually the case.)

RESOLUTION

Check the certificate that needs to be renewed

  1. Log on to the Certificate Management Server as the CLM Agent Account
  2. Open the Certificate Snap-In, Personal Store
  3. There should be a CLMAgent or CMAgent Certificate (*NOTE: The name may vary depending on solution)
  4. Select the Details Tab and then Certificate Template Information (*NOTE: This will help to identify the certificate template that has been utilized.)

 

  1. Once you have identified the Certificate Template, locate the Template
    1. Navigate to the CA and open the Certificate Templates snap-in (not certificates)
    2. Locate the MIM CM Signing Template
    3. Select the Issuance Requirements tab

  1. Temporarily de-select the CA Certificate Manager Approval and This number of authorized signatures
  2. Click Ok
  3. Renew the CLM Agent Certificate
  4. Then, if your business rules ask for it, revert the template back by selecting the items in (d).

ADDITIONAL INFORMATION

Support / Additional Links

Product Documentation