Cm error while updating
It is important to have a lifecycle strategy for the Key Recovery Agent certificates; designing that strategy is outside the scope of this document. These certificates are typically issued when the FIM CM Configuration Wizard is run, but they can also be issued manually.
By default the FIM CM web.config file is located at %Program Files%\Microsoft Forefront Identity Manager10\Certificate Management\web.

The certificate hash keys in web.config are used for encrypting and decrypting data collection information that has the encryption option enabled for storage in the FIM CM database. These keys let you reference a specific certificate by its thumbprint rather than the default certificate issued to the FIM CM Agent account.

Be aware that changes to web.config are local to the server on which they are made. If you have multiple web portals, each portal's web.config must be updated separately.

If this is a brand new install and you selected Create and configure certificate manually in the Configuration Wizard, the values in the FIM CM web.config file will be blank. If these entries are left blank, FIM CM defaults to using the FIM CM Agent certificate hash.

Consult the vendor or product documentation of the third-party certificate authority for information on how to obtain the thumbprint.

These steps can be used for all three accounts: the FIM CM Agent, the FIM CM Enrollment Agent, and the FIM CM Key Recovery Agent. The FIM CM Agent account thumbprint also needs to be added to the certificate authority.
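The following PowerShell is an added example, not code from the FIM CM documentation or from Microsoft. It shows the per-account procedure above as a script: read the thumbprint of an agent certificate from the Windows certificate store, normalize it (no spaces, consistent case, 40 hex characters), and write it into the matching appSettings key of web.config on every portal server, because web.config changes are local to each server. The appSettings key name, the certificate subject, the portal server names and the web.config path are placeholders you must replace with the values from your environment and from the product documentation; they are assumptions, not values taken from this page.

```powershell
# Added example (not from the FIM CM documentation or Microsoft).
# Assumptions: the key name, certificate subject, server names and web.config
# path below are placeholders; take the real key names from the FIM CM docs.

function Get-AgentCertThumbprint {
    # Returns the normalized thumbprint of the newest certificate with a private
    # key for the given subject. Agent certificates live in the agent account's
    # personal store, so run this as that account or point -StorePath elsewhere.
    param(
        [Parameter(Mandatory)][string]$Subject,
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )
    $certs = @(Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey })
    if ($certs.Count -eq 0) {
        throw "No certificate with a private key found for '$Subject' in $StorePath"
    }
    # After a renewal several certificates may match; use the one expiring last.
    $cert = $certs | Sort-Object NotAfter -Descending | Select-Object -First 1
    # Strip any spaces and use upper case so the value in web.config is consistent.
    return ($cert.Thumbprint -replace '\s', '').ToUpperInvariant()
}

function Set-WebConfigThumbprint {
    # Writes $Thumbprint into <add key="$KeyName" value="..."/> under
    # <appSettings> in the given web.config, taking a backup first.
    param(
        [Parameter(Mandatory)][string]$WebConfigPath,
        [Parameter(Mandatory)][string]$KeyName,
        [Parameter(Mandatory)][string]$Thumbprint
    )
    # A SHA-1 certificate thumbprint is exactly 40 hex characters.
    if ($Thumbprint -notmatch '^[0-9A-F]{40}$') {
        throw "Thumbprint '$Thumbprint' is not 40 upper-case hex characters"
    }
    if (-not (Test-Path -Path $WebConfigPath)) {
        throw "web.config not found at $WebConfigPath"
    }
    $config = New-Object System.Xml.XmlDocument
    $config.PreserveWhitespace = $true      # keep the file's existing layout
    $config.Load($WebConfigPath)
    $node = @($config.configuration.appSettings.add |
        Where-Object { $_.key -eq $KeyName })
    if ($node.Count -ne 1) {
        throw "Expected exactly one appSettings key '$KeyName' in $WebConfigPath, found $($node.Count)"
    }
    Copy-Item -Path $WebConfigPath -Destination "$WebConfigPath.bak" -Force
    $node[0].value = $Thumbprint
    $config.Save($WebConfigPath)
}

function Sync-PortalThumbprint {
    # Applies the same key/thumbprint to every portal; web.config is per server.
    param(
        [Parameter(Mandatory)][string[]]$PortalServers,
        [Parameter(Mandatory)][string]$WebConfigRelativePath,  # path below \\server\
        [Parameter(Mandatory)][string]$KeyName,
        [Parameter(Mandatory)][string]$Thumbprint
    )
    foreach ($server in $PortalServers) {
        $path = "\\$server\$WebConfigRelativePath"
        Set-WebConfigThumbprint -WebConfigPath $path -KeyName $KeyName -Thumbprint $Thumbprint
        Write-Host "Updated $KeyName on $server to $Thumbprint"
    }
}

# Example usage with constructed placeholder values (replace all of them):
#   $hash = Get-AgentCertThumbprint -Subject 'CN=FIM CM Agent'
#   Sync-PortalThumbprint -PortalServers @('CMPORTAL01', 'CMPORTAL02') `
#       -WebConfigRelativePath 'C$\<path to Certificate Management>\web\web.config' `
#       -KeyName 'Clm.Example.CertificateHash' -Thumbprint $hash
```

Run the same sequence once per account (FIM CM Agent, FIM CM Enrollment Agent, FIM CM Key Recovery Agent), each with its own subject and key name. Saving web.config causes ASP.NET to restart the portal application, so do this in a maintenance window, and keep the .bak copy until you have confirmed the portal still starts. Adding the FIM CM Agent thumbprint to the certificate authority is a separate step on the CA and is not covered by this script.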