Introduction
From version 6.0.2.0 it is possible to migrate the credentials managed by an existing credential template to a new template. This might be required for the following reasons:
- A new CA has been deployed and needs to be used, so all credentials whose certificates were issued by the old CA need to have certificates issued from the new CA;
- Additional certificates need to be added to credentials that have already been issued;
- A PIN policy has been added or updated and needs to be applied to credentials that have already been issued.
In each of these cases a new template must be created; the credentials managed by the old template can then be migrated to the new template and updated as necessary.
Configuration
In this section we describe, with the aid of an example, how this feature can be used. For the purposes of this article, let's say that a new CA (a Microsoft CA in this example) has been put in place. We want to migrate all existing credentials that were issued with certificates from the old, soon-to-be-decommissioned CA to the new CA. The steps required are described in the sections below.
Once the new template has been created and an existing managed credential has been migrated to it, two options are available for updating the existing credential:
- Update the credential via vSEC:CMS Operator console;
- Update the credential via vSEC:CMS User Self-Service (USS).
Create New Template
1. From Templates - Card Templates click the Add button.
Click the Edit link beside General. Enter a template name. Presuming that you are using one of the minidriver credentials supported by vSEC:CMS, select Minidriver (Generic minidriver card) for Card type.
We will also add support for self-service as we want to be able to update the already managed credential via USS. Click the Manage button.
Click the Add button. Enter a name in the Template name field. Depending on what you need to perform via USS (see the article vSEC:CMS User Self-Service for more details on configuring USS), configure it similarly to the example below.
Enable Self-service using the following template and select the template from the drop-down list.
Leave all other settings as default and click Ok to close and save.
2. Click the Edit link beside Issue Card. In the User ID Options section enable Assign user ID and select the AD connection configured earlier in the drop-down list.
In this example we will presume that credentials are issued centrally via the Operator console by an Operator. Therefore, in the General section enable Issue by Operator(s).
In the Enroll Certificate Options section enable the Enroll certificate(s) checkbox and click the Add button. Select the new CA that is to be used and the logon certificate that is to be issued (or updated on the already managed credentials). Leave all other settings as they are, scroll down to the bottom of the dialog and click Ok to save and close.
3. Click Ok to save and close the template configuration dialog.
Migrate Current Template to New Template
Now we can migrate the already managed credential(s) to the new template.
Navigate to Repository - Smart Cards, where all of your managed credentials are listed. In this example we will migrate just one managed credential. Right-click the credential that you want to migrate and select Change Template.
Multiple credentials can be migrated at once by selecting multiple entries.
From the Card template drop-down, select the new template that you want to migrate to. If your environment has a large number of templates, you can use the Search option to find the new template by name.
Enable Remove pending card template change task(s) if you wish to remove the selected credential(s) from a pending template change. Force user to perform card update is enabled by default, as you typically want the user to authenticate before the template change is allowed to proceed.
Click Change to update the system.
You will notice that the Status of the credential changes to Update needed. We can now update the credential.
Update Credential via Operator Console
From the Operator console navigate to Actions - Update Smart Card. Attach the credential that is to be updated and you should see a dialog similar to the one below.
Click the Update button. The attached credential will be updated with whatever changes were configured. For example, if a new CA with a new Windows logon certificate was configured for the update, the new certificate is issued to the credential, and the certificate(s) issued from the old CA are removed from the credential and revoked on the old CA.
Update Credential via USS
The credential can also be updated from the client side if USS is configured to run in System tray mode (see the article vSEC:CMS User Application for details). If you log on to a client that has USS running in system tray mode and the credential you logged on with needs an update, a balloon popup similar to the one below appears in the bottom right of your screen.
Click the balloon to open an update dialog like the one below.
Click the Update button to perform the credential update.