PIV CA Configuration

PIV (FIPS 201-2) Data Model

| Certificate Attribute | Card_Authentication | Authentication | Digital_Signature | Encryption |
| --- | --- | --- | --- | --- |
| SubjectName | NULL (or FASC-N) | DN (default) | DN (default) | DN (default) |
| SubjectAltName | URI = UUID; OtherName = FASCN, Critical (if SubjectDN = NULL) | URI = UUID; OtherName = UPN; OtherName = FASCN, Critical (if SubjectDN = NULL) | Rfc822Name = user email | Rfc822Name = user email |
| keyUsage | Signature, Critical | Signature, Critical | Signature and non-repudiation, Critical | Key encipherment, Critical |
| Enhanced Key Usage | 2.16.840.1.101.3.6.8 id-PIV-cardAuth, Critical | 1.3.6.1.4.1.311.20.2.2 Smart Card Logon; 1.3.6.1.5.5.7.3.2 TLS Client authentication; 1.3.6.1.5.2.3.4 id-pkinit-KPClientAuth | 1.3.6.1.5.5.7.3.4 id-kp-emailProtection; 1.3.6.1.4.1.311.10.3.12 MSFT Document Signing; 1.2.840.113583.1.1.5 Adobe Certified Document Signing | |
| Certificate Policy | 2.16.840.1.101.3.2.1.3.17 id-fpki-common-cardAuth | 2.16.840.1.101.3.2.1.3.13 id-fpki-common-authentication | 2.16.840.1.101.3.2.1.3.6 id-fpki-common-policy | 2.16.840.1.101.3.2.1.3.6 id-fpki-common-policy |
| Authority Info Access | 1.3.6.1.5.5.7.48.1 OCSP access method; 1.3.6.1.5.5.7.48.2 Certificate Authority Issuer access method | 1.3.6.1.5.5.7.48.1 OCSP access method; 1.3.6.1.5.5.7.48.2 Certificate Authority Issuer access method | 1.3.6.1.5.5.7.48.1 OCSP access method; 1.3.6.1.5.5.7.48.2 Certificate Authority Issuer access method | 1.3.6.1.5.5.7.48.1 OCSP access method; 1.3.6.1.5.5.7.48.2 Certificate Authority Issuer access method |
| CRL distribution point | LDAP and HTTP URLs | LDAP and HTTP URLs | LDAP and HTTP URLs | LDAP and HTTP URLs |
| NACI | Yes | Yes | No | No |
| Mandatory or Optional PKI Slot | Optional | Mandatory | Optional | Optional |
| PKI Usage Access Right | PIN always | PIN once | PIN always | PIN once |
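The table above is in effect a certificate profile per PKI slot. As an added worked example (not part of the original page, and not any CA product's own code), here is a small Python checker that encodes the table as data and reports where a certificate's extensions deviate from the profile for a given slot, including the conditional rule that an empty subject DN requires a critical SAN carrying the FASC-N. The dict "view" of a certificate, the slot names and the sample values are this example's own conventions, constructed here for illustration; a real deployment would populate the view from a parsed X.509 certificate.

```python
"""PIV (FIPS 201-2) slot profile checker. Added example; profile data is
transcribed from the table, everything else is this example's own convention."""

# OIDs and labels as listed in the table.
OID_PIV_CARDAUTH = "2.16.840.1.101.3.6.8"
OID_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
OID_TLS_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_PKINIT_CLIENT = "1.3.6.1.5.2.3.4"
OID_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
OID_MSFT_DOC_SIGNING = "1.3.6.1.4.1.311.10.3.12"
OID_ADOBE_DOC_SIGNING = "1.2.840.113583.1.1.5"
OID_AIA_OCSP = "1.3.6.1.5.5.7.48.1"
OID_AIA_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"

# One entry per PKI slot (slot keys are this example's naming).
PIV_PROFILE = {
    "card_authentication": {
        "key_usage": {"digital_signature"}, "eku": {OID_PIV_CARDAUTH}, "eku_critical": True,
        "policies": {"2.16.840.1.101.3.2.1.3.17"}, "san": {"uuid_uri", "fascn"},
        "subject_may_be_empty": True},
    "authentication": {
        "key_usage": {"digital_signature"},
        "eku": {OID_SMARTCARD_LOGON, OID_TLS_CLIENT_AUTH, OID_PKINIT_CLIENT}, "eku_critical": False,
        "policies": {"2.16.840.1.101.3.2.1.3.13"}, "san": {"uuid_uri", "upn", "fascn"},
        "subject_may_be_empty": True},
    "digital_signature": {
        "key_usage": {"digital_signature", "non_repudiation"},
        "eku": {OID_EMAIL_PROTECTION, OID_MSFT_DOC_SIGNING, OID_ADOBE_DOC_SIGNING}, "eku_critical": False,
        "policies": {"2.16.840.1.101.3.2.1.3.6"}, "san": {"rfc822"},
        "subject_may_be_empty": False},
    "encryption": {
        "key_usage": {"key_encipherment"}, "eku": set(), "eku_critical": False,
        "policies": {"2.16.840.1.101.3.2.1.3.6"}, "san": {"rfc822"},
        "subject_may_be_empty": False},
}


def check_piv_profile(slot, cert):
    """Return a list of deviations from the slot profile (empty list means conforming).

    `cert` is a plain dict view (this example's convention) with keys: subject_empty,
    san (dict kind -> value), san_critical, key_usage (set), key_usage_critical,
    eku (set of OIDs), eku_critical, policies (set of OIDs), aia (set of OIDs), crl_dp (list).
    """
    p = PIV_PROFILE[slot]
    problems = []

    # SubjectName: NULL is allowed only for the two authentication slots, and then
    # the FASC-N in the SAN carries the identity and the SAN must be critical.
    if cert["subject_empty"]:
        if not p["subject_may_be_empty"]:
            problems.append("subject DN must not be empty for this slot")
        elif "fascn" not in cert["san"] or not cert["san_critical"]:
            problems.append("empty subject DN requires a critical SAN containing the FASC-N")
    for kind in sorted(p["san"] - set(cert["san"])):
        problems.append(f"SAN missing {kind}")

    # keyUsage: exactly the listed bits, always critical.
    if cert["key_usage"] != p["key_usage"]:
        problems.append(f"keyUsage {sorted(cert['key_usage'])} != {sorted(p['key_usage'])}")
    if not cert["key_usage_critical"]:
        problems.append("keyUsage must be critical")

    # Enhanced Key Usage: every listed OID present; critical only for card authentication.
    for oid in sorted(p["eku"] - cert["eku"]):
        problems.append(f"EKU missing {oid}")
    if p["eku_critical"] and not cert["eku_critical"]:
        problems.append("EKU must be critical for this slot")

    if not p["policies"] <= cert["policies"]:
        problems.append(f"certificatePolicies missing {sorted(p['policies'] - cert['policies'])}")

    # AIA and CRL distribution point are the same for all four slots.
    for oid in sorted({OID_AIA_OCSP, OID_AIA_CA_ISSUERS} - cert["aia"]):
        problems.append(f"AIA missing access method {oid}")
    if not cert["crl_dp"]:
        problems.append("CRL distribution point missing")
    return problems


def sample_auth_cert():
    """Constructed view of a conforming PIV Authentication certificate (sample data only)."""
    return {
        "subject_empty": False,
        "san": {"uuid_uri": "urn:uuid:00000000-0000-0000-0000-000000000000",
                "upn": "user@example.test", "fascn": "<constructed FASC-N placeholder>"},
        "san_critical": False,
        "key_usage": {"digital_signature"}, "key_usage_critical": True,
        "eku": {OID_SMARTCARD_LOGON, OID_TLS_CLIENT_AUTH, OID_PKINIT_CLIENT}, "eku_critical": False,
        "policies": {"2.16.840.1.101.3.2.1.3.13"},
        "aia": {OID_AIA_OCSP, OID_AIA_CA_ISSUERS},
        "crl_dp": ["http://crl.example.test/piv.crl"],
    }


if __name__ == "__main__":
    good = sample_auth_cert()
    print("conforming:", check_piv_profile("authentication", good))
    # Same certificate with the subject DN dropped but the SAN left non-critical.
    print("empty subject:", check_piv_profile("authentication", dict(good, subject_empty=True)))
```

The checker treats the profile as data so a CA template can be linted before issuance; the keyUsage comparison is exact rather than a subset check because an extra bit such as non-repudiation on an Authentication certificate changes how relying parties may use it.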