Configuring Microsoft Certificate Authority for PIV and CIV Deployments

This section explains how to configure Microsoft® Certificate Authority and ActivID Credential Management System (CMS) to issue PIV/PIV-I/CIV compliant smart cards. It provides guidelines for organizations that do not have a PIV/PIV-I/CIV-compliant Certificate Authority available. This documentation will help you set up and test a PIV/PIV-I/CIV environment using Microsoft CA templates.

This section describes how to configure Microsoft CA certificate templates and an ActivID CMS device policy to issue cards that follow the PIV (Personal Identity Verification, the technical standard for HSPD-12), PIV-I (Personal Identity Verification - Interoperable), and CIV (Commercial Identity Verification) data models. Make sure that you first read Configuring ActivID CMS for PIV and CIV.

Also, for PIV and PIV-I, it is strongly recommended that you read the introductory sections of the HID ActivID Credential Management System PIV Toolkit Integration Guide to familiarize yourself with the PIV/PIV-I system architecture – this is not applicable to CIV.

Note: This information is intended to be used for testing, proof of concept or demonstration. Do NOT use this information in a production environment. Additional steps may be required to make Microsoft CA ready for a production environment (for example, defining a CPS, configuring CRL/OCSP details).

Configuration Overview

Prerequisites:
  • ActivID CMS along with PIV Toolkit must be installed and fully operational.
  • Microsoft CA must be installed and you must have CA Administrator rights to be able to configure the CA and the certificate templates for PIV/PIV-I/CIV.

To set up a PIV/PIV-I/CIV environment using Microsoft CA templates, three procedures must be performed in the following order:

  1. Configure the Microsoft CA for PIV/PIV-I/CIV.

  2. Configure the Microsoft CA certificate templates for PIV/PIV-I/CIV device policy.

  3. Configure the ActivID CMS device policy.

    For the device policy configuration procedures for both PIV and PIV-I environments, refer to Configuring ActivID CMS for PIV and CIV.

  4. To test your configuration when you have completed the PIV environment setup described in this section, refer to Configuring ActivID CMS for PIV and CIV.

PIV Toolkit Overview

The ActivID CMS PIV Toolkit enables you to configure ActivID CMS to issue and manage PIV/PIV-I/CIV-compliant smart cards that conform to the U.S. Federal Government’s “Federal Information Processing Standard (FIPS) 201”.

PIV cards are issued to US federal government employees and contractors.

PIV-Interoperable (PIV-I) cards are issued to organizations that work with the US federal government and have a trust relationship with it.

Commercial Identification Verification (CIV) cards can be issued by any organization worldwide; there is no trust relationship with the US government. These cards follow the same technical specifications, providing interoperability with PIV-compliant applications such as the Microsoft PIV Mini Driver included in recent versions of the Windows operating system.

For more information on PIV, PIV-I and CIV, refer to the Smart Card Alliance brief: http://www.smartcardalliance.org/resources/pdf/PIV_PIV-I_CIV_brief_022212.pdf

About PIV and FIPS 201

FIPS 201 (Federal Information Processing Standard 201, the NIST standard for HSPD-12/PIV) defines a smart card as the device to be used to provide the appropriate security and rapid electronic authentication required by HSPD 12. FIPS 201-compliant smart cards contain multiple electronic credentials, including cryptographic keys, digital certificates, biometric templates, and other data.

There are two parts to FIPS 201:

  • PIV1 describes the minimum requirements for a system that meets the specified control and security objectives, including the identity-proofing process.

  • PIV2 provides detailed technical specifications to support the control and security objectives in PIV1 and the details for technical interoperability of PIV cards with authentication, access control and management systems across the U.S. Federal Government.

The interfaces and card architecture for storing and retrieving identity credentials from smart cards are specified in the National Institute of Standards and Technology (NIST) publication SP800-73.

Credentials issued for HSPD 12 must be:

  • Issued based on sound criteria for verifying an individual’s identity.

  • Strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation.

  • Rapidly authenticated electronically.

  • Issued only by providers whose reliability has been established by an official process.

In response to HSPD 12, standards bodies, including the Interagency Advisory Board (IAB) for Equipment Standardization and Interoperability and the National Institute of Standards and Technology (NIST), defined the processes and specifications necessary to satisfy the security and interoperability requirements.
