Replacing the Mobile Device

The mobile device containing mobile app certificates must be terminated (for example, declared lost or stolen) and new mobile app certificates need to be issued for the replacement device.

After the mobile device is terminated, its associated primary device (the PIV device; PIV, Personal Identity Verification, is the technical standard of "HSPD-12") needs to be updated in order to add a new encryption certificate. Then (and only then) the new mobile app certificates are issued, including the new encryption certificate that has been added to the PIV device.

Initial state:

  • The PIV device is active, as well as all its certificates.

  • The mobile device is active, as well as all its certificates, but needs to be terminated.

Operations:

  1. Terminate the initial mobile device (manual operation). For details, see Terminating a Device.

  2. Create an applications update request for the PIV device, in order to add a new encryption certificate (manual operation). For details, see Requesting an Applications Update.

  3. Update the PIV device. For details, see Updating Applications on Devices.

  4. Issue a new set of mobile app certificates for the new mobile device (on User Portal). For details, refer to the HID ActivID Credential Management System User Portal User Guide.

Result:

  • The PIV device has an additional (new) encryption certificate.

  • The initial mobile device is terminated. Its credentials (mobile app certificates) are revoked.

  • A new set of mobile app certificates is issued, which contains the newest encryption certificate (shared with the PIV device).

| Operation | PIV Device | Lost/Stolen Mobile Device | New Mobile Device |
|---|---|---|---|
| 1. Initial state | AUTH_1, SIGN_1, ENC_1 | AUTH_2, SIGN_2, ENC_1 | N/A |
| 2. Terminate the mobile device (mobile app certificates) | AUTH_1, SIGN_1, ENC_1 | AUTH_2, SIGN_2, ENC_1 | N/A |
| 3. Create an applications update request for PIV device | AUTH_1, SIGN_1, ENC_1 | AUTH_2, SIGN_2, ENC_1 | N/A |
| 4. Update PIV device | AUTH_1, SIGN_1, ENC_2, ENC_1 | AUTH_2, SIGN_2, ENC_1 | N/A |
| 5. Issue a new set of mobile app certificates for new mobile device | AUTH_1, SIGN_1, ENC_2, ENC_1 | AUTH_2, SIGN_2, ENC_1 | AUTH_3, SIGN_3, ENC_2 |