PIV and PIV-I Certificate Templates

The same CA certificate templates cannot be used for both PIV Personal Identity Verification (technical standard of "HSPD-12") and PIV-I Personal Identity Verification - Interoperable environments due to differences in the policy configuration.

Therefore, new CA certificate templates dedicated to PIV-I must be defined in the CA, one per PIV certificate.

The procedures in this section apply to both PIV and PIV-I environments, and the mode-related configuration is specified where applicable.

Warning! The issuer should NOT use the PIV-I policy OIDs directly, but instead use their own OIDs that can be mapped later to the PIV-I OIDs via cross-certification.

Getting Started

  1. Run mmc.exe to open the Microsoft Management Console.

  2. On the File menu, click Add/Remove Snap-in.

  3. In the Available snap-ins window, click Certificate Template, and then click Add.

  4. Click OK.

  5. In the console tree, expand your CA.

  1. In the list of templates provided by default by Microsoft CA, right-click on Smartcard Logon template, and select Duplicate Template.

  2. In the Issuance Requirements tab, edit the settings as follows:

    1. Select the This number of authorized signatures option. This allows ActivID CMS to issue a card.

    2. From the Application policy drop-down list, select Certificate Request Agent.

    3. Select the Same criteria as for enrollment option.

  3. Click OK.

  4. In the Request Handling tab, from the Purpose drop-down list, select Signature and smartcard logon.

  5. Select the Prompt the user during enrollment option, and click OK.

  6. In the Subject Name tab, select the Supply in the request option. The Subject Name is supplied by ActivID CMS.

  7. Click OK.

  8. If available, select the Cryptography tab and set the Algorithm name, Minimum key size (should be set to 2048), and Hash algorithm (should be set to SHA256). Then, click OK.

  9. In the Extensions tab, in the Extension included in this template section, select Application Policies.

    Note:

    • If required to support specific applications, the extension may include the anyExtendedKeyUsage value.

    • If anyExtendedKeyUsage is not included, the following 3 values for keyPurposeID must be included:

      • Smart Card Logon,

      • TLS Client Authentication and

      • id-pkinit-KPClientAuth.

      Additional key purposes may be specified.

    • Organizations that choose not to include the anyExtendedKeyUsage value may experience interoperability issues if the specific EKU required by an application is absent.

    • anyExtendedKeyUsage is named Any Purpose in Microsoft CA. This label can be customized.

  10. Review the Description of Application Policies information.

  11. In the Extension included in this template section, select Issuance Policies and click Edit.

  12. Click Edit.

  13. Enter the required information according to the mode:

    Field

    PIV

    PIV-I

    Name

    id-fpki-common-authentication

    id-fpki-certpcy-pivi-hardware

    Object identifier

    2.16.840.1.101.3.2.1.3.13

    2.16.840.1.101.3.2.1.3.18

  14. Click OK.

  15. Click OK.

  1. In the list of templates provided by default by Microsoft CA, right-click on the User template, and then select Duplicate Template.

  2. Select a server version, and then click OK.

    If Windows Server 2008 is selected, then there is an extra tab (not illustrated) for configuring the Algorithm name, Minimum key size, and Hash algorithm (see step 6).

  3. In the Issuance Requirements tab, select This number of authorized signatures (if it is not already selected).

  4. In the Request Handling tab, from the Purpose drop-down list, select Signature.

  5. In the Subject Name tab, click Supply in the request. The Subject Name is supplied by ActivID CMS.

  6. For a Microsoft Windows 2008 Server CA, in the Cryptography tab, set the Minimum key size to 2048, and select SHA256 as the Hash algorithm.

  7. In the Extensions tab, in the Extension included in this template section, select Application Policies, and then click Edit (not illustrated).

    1. In the Edit Application Policies Extension dialog, click Add.

    1. Click New.

    1. Enter:

      • Name—id-PIV-cardAuth

      • Object identifier—2.16.840.1.101.3.6.8

    1. Click OK.

    1. Highlight the id-PIV-cardAuth policy, and then click OK.

    1. In the Application policies section, remove all the policies EXCEPT id-PIV-cardAuth.

    Note: The ONLY available application policy should be id-PIV-cardAuth as illustrated above.

    1. Select the Make this extension critical option, and then click OK.

  8. In the Extensions tab, select Issuance Policies, and then click Edit.

    1. Click Add.

    1. Click New.

    1. Enter the required information according to the following mode:

    Field

    PIV

    PIV-I

    Name

    id-fpki-common-cardAuth

    id-fpki-certpcy-pivi-cardAuth

    Object identifier

    2.16.840.1.101.3.2.1.3.17

    2.16.840.1.101.3.2.1.3.19

    1. Click OK.

    1. Highlight the required policy according to the mode, and then click OK:

      • For PIV mode – id-fpki-common-cardAuth

      • For PIV-I mode – id-fpki-certpcy-pivi-cardAuth

  9. Click OK.

  1. In the list of default templates provided by Microsoft CA, right-click on the User Signature Only template, and then select Duplicate Template.

  2. Select a template, and then click OK.

  3. In the Issuance Requirements tab, select the This number of authorized signatures option. This allows ActivID CMS to issue a card.

  4. From the Application policy drop-down list, select Certificate Request Agent.

  5. In the Subject Name tab, apply the following configuration:

    • For PIV mode, select Build from this Active Directory information. Make sure that only E-mail name is selected to be included in the alternate subject name.

    • For PIV-I mode, select Supply in the request. The Subject Name is supplied by ActivID CMS.

  6. In the Extensions tab, in the Extensions included in this template section, select Application Policies.

  7. Verify the Description of Application Policies.

  8. Select Issuance Policies and click Edit.

    1. Click Add.

    1. Click New.

    2. Enter the required information according to the mode:

    Field

    PIV

    PIV-I

    Name

    id-fpki-common-policy

    id-fpki-certpcy-pivi-hardware

    Object identifier

    2.16.840.1.101.3.2.1.3.6

    2.16.840.1.101.3.2.1.3.18

    1. Click OK.

    1. Highlight the required policy according to the mode, and then click OK:

      • For PIV mode – id-fpki-common-policy

      • For PIV-I mode – id-fpki-certpcy-pivi-hardware

  9. Return to the Extensions tab and, in the Extension included in this template section, select Key Usage and click Edit.

  10. Select the Digital signature and Signature is proof of origin (nonrepudiation) options.

  11. Click OK.

  1. In the list of default templates provided by Microsoft CA, right-click on the Exchange User template, and then select Duplicate Template.

  2. In the Issuance Requirements tab, select the This number of authorized signatures option. This allows ActivID CMS to issue a card.

  3. From the Application policy drop-down list, select Certificate Request Agent.

  4. In the Subject Name tab, apply the following configuration:

    • For PIV mode, select Build from this Active Directory information. Make sure that only E-mail name is selected to be included in the alternate subject name.

    • For PIV-I mode, select Supply in the request. The Subject Name is supplied by ActivID CMS.

  5. In the Request Handling tab, select Encryption and Archive subject’s encryption private key.

  6. In the Extensions tab, in the Extension included in this template section, select Issuance Policies.

  7. Click Edit.

  8. Click Add.

  9. Highlight the required policy according to the mode, and then click OK:

    • For PIV mode – id-fpki-common-policy

    • For PIV-I mode – id-fpki-certpcy-pivi-hardware

  10. In the General tab, select Publish certificate in Active Directory.

  11. Click OK.

For each of the four templates, you must add the permissions for the ActivID CMS User (CMSWebSiteUser).

  1. In the Security tab, select the CMSUser.

  2. In the Permissions section, select the Enroll option, and then click OK.

  3. Repeat this procedure for the other templates.