CIV CA Configuration

CIV Data Model

| Certificate Attribute / PKI Slot | Card_Authentication | Authentication | Digital_Signature | Encryption |
|---|---|---|---|---|
| SubjectName | serialNumber=UUID, ou=Affiliated Organization Name,{Base DN} or serialNumber=UUID, ou=Unaffiliated, ou=Entity CA's Name,{Base DN} | cn=Subscriber's full name, ou=Affiliated Organization Name,{Base DN} or cn=Subscriber's full name, ou=Unaffiliated, ou=Entity CA's Name,{Base DN} | cn=Subscriber's full name, ou=Affiliated Organization Name,{Base DN} or cn=Subscriber's full name, ou=Unaffiliated, ou=Entity CA's Name,{Base DN} | cn=Subscriber's full name, ou=Affiliated Organization Name,{Base DN} or cn=Subscriber's full name, ou=Unaffiliated, ou=Entity CA's Name,{Base DN} |
| SubjectAltName | URI = UUID | URI = UUID; OtherName = UPN | Rfc822Name = user email | Rfc822Name = user email |
| KeyUsage | Signature (Critical) | Signature (Critical) | Signature and non-repudiation (Critical) | Key encipherment, Key agreement (Critical) |
| Enhanced Key Usage | 2.16.840.1.101.3.6.8 id-PIV-cardAuth (Critical) | 1.3.6.1.4.1.311.20.2.2 Smart Card Logon; 1.3.6.1.5.5.7.3.2 TLS Client authentication; 1.3.6.1.5.2.3.4 id-pkinit-KPClientAuth | 1.3.6.1.5.5.7.3.4 id-kp-emailProtection; 1.3.6.1.4.1.311.10.3.12 MSFT Document Signing; 1.2.840.113583.1.1.5 Adobe Certified Document Signing | |
| Certificate Policy | 1.3.6.1.4.1.2396.X id-actividentity-piv-certpcy-cardAuth | 1.3.6.1.4.1.2396.X id-actividentity-piv-certpcy-hardware | 1.3.6.1.4.1.2396.X id-actividentity-piv-certpcy-hardware | 1.3.6.1.4.1.2396.X id-actividentity-piv-certpcy-hardware |
| Authority Info Access | 1.3.6.1.5.5.7.48.1 OCSP access method; 1.3.6.1.5.5.7.48.2 Certificate Authority Issuer access method | 1.3.6.1.5.5.7.48.1 OCSP access method; 1.3.6.1.5.5.7.48.2 Certificate Authority Issuer access method | 1.3.6.1.5.5.7.48.1 OCSP access method; 1.3.6.1.5.5.7.48.2 Certificate Authority Issuer access method | 1.3.6.1.5.5.7.48.1 OCSP access method; 1.3.6.1.5.5.7.48.2 Certificate Authority Issuer access method |
| CRL Distribution Point | LDAP and HTTP URLs | LDAP and HTTP URLs | LDAP and HTTP URLs | LDAP and HTTP URLs |
Note: In the table above, Affiliated Organization Name is the Organization Name attribute in the Active Directory or, if absent, the Company Name attribute.
If both attributes are absent, the Unaffiliated format must be used.
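The Go program below is an added example and is not part of this page or of the CA product it describes. It encodes the Card_Authentication and Authentication columns of the table as profiles and checks a parsed certificate against them: the KeyUsage bits, the Enhanced Key Usage OIDs and whether that extension is marked Critical, the SubjectAltName UUID URI, the OCSP and Certificate Authority Issuer access methods, and the presence of a CRL distribution point. It assumes the UUID is carried as a urn:uuid URI; the subject values, URLs and the newTestCert helper are constructed, and the test certificate's subject follows the serialNumber=UUID, ou=Affiliated Organization Name,{Base DN} form. The Certificate Policy row is left out because the page gives that OID only as the prefix 1.3.6.1.4.1.2396.X. The EKU is written as a raw extension in the test certificate because Go's template API cannot mark it critical, and it is read back raw for the same reason.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// OIDs from the Enhanced Key Usage row of the table.
var (
	oidExtKeyUsage    = asn1.ObjectIdentifier{2, 5, 29, 37}
	oidPIVCardAuth    = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 6, 8}     // id-PIV-cardAuth
	oidSmartCardLogon = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 2} // Smart Card Logon
	oidClientAuth     = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 2}       // TLS Client authentication
	oidPKINITClient   = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 2, 3, 4}          // id-pkinit-KPClientAuth
)

// SlotProfile holds the machine-checkable rows of one table column.
type SlotProfile struct {
	KeyUsage    x509.KeyUsage           // every bit listed must be set
	EKUs        []asn1.ObjectIdentifier // every OID listed must be present
	EKUCritical bool                    // the table marks EKU Critical only for Card_Authentication
}

var (
	CardAuthProfile = SlotProfile{x509.KeyUsageDigitalSignature, []asn1.ObjectIdentifier{oidPIVCardAuth}, true}
	AuthProfile     = SlotProfile{x509.KeyUsageDigitalSignature,
		[]asn1.ObjectIdentifier{oidSmartCardLogon, oidClientAuth, oidPKINITClient}, false}
)

// CheckSlot compares a parsed certificate with a slot profile and returns one
// finding per deviation; an empty result means the certificate fits the column.
func CheckSlot(c *x509.Certificate, p SlotProfile) []string {
	var findings []string
	need := func(ok bool, msg string) {
		if !ok {
			findings = append(findings, msg)
		}
	}
	need(c.KeyUsage&p.KeyUsage == p.KeyUsage, "KeyUsage lacks a required bit")
	// Read the raw EKU extension: it exposes criticality and the OIDs Go does not decode.
	critical, ekus := false, []asn1.ObjectIdentifier{}
	for _, ext := range c.Extensions {
		if ext.Id.Equal(oidExtKeyUsage) {
			_, err := asn1.Unmarshal(ext.Value, &ekus)
			need(err == nil, "EKU extension is malformed")
			critical = ext.Critical
		}
	}
	for _, want := range p.EKUs {
		found := false
		for _, got := range ekus {
			found = found || got.Equal(want)
		}
		need(found, "EKU missing "+want.String())
	}
	need(!p.EKUCritical || critical, "EKU extension not marked critical")
	// Both columns carry SubjectAltName URI = UUID, expected here as a urn:uuid URI (assumption).
	uuidURI := false
	for _, u := range c.URIs {
		uuidURI = uuidURI || (u.Scheme == "urn" && strings.HasPrefix(u.Opaque, "uuid:"))
	}
	need(uuidURI, "SAN has no urn:uuid URI")
	need(len(c.OCSPServer) > 0 && len(c.IssuingCertificateURL) > 0, "AIA lacks OCSP or caIssuers access method")
	need(len(c.CRLDistributionPoints) > 0, "no CRL distribution point")
	return findings
}

// newTestCert builds a constructed self-signed certificate shaped like the Card_Authentication
// column; key usage and EKU criticality are parameters so that deviations can be produced on purpose.
func newTestCert(ku x509.KeyUsage, ekuCritical bool) (*x509.Certificate, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	const uuid = "123e4567-e89b-12d3-a456-426614174000" // constructed value
	ekuDER, _ := asn1.Marshal([]asn1.ObjectIdentifier{oidPIVCardAuth})
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{SerialNumber: uuid, OrganizationalUnit: []string{"Example Org"}, Organization: []string{"Example Base DN"}},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              ku,
		URIs:                  []*url.URL{{Scheme: "urn", Opaque: "uuid:" + uuid}},
		OCSPServer:            []string{"http://ocsp.example.invalid"},
		IssuingCertificateURL: []string{"http://ca.example.invalid/issuer.cer"},
		CRLDistributionPoints: []string{"http://crl.example.invalid/civ.crl", "ldap://ldap.example.invalid/cn=civ"},
		ExtraExtensions:       []pkix.Extension{{Id: oidExtKeyUsage, Critical: ekuCritical, Value: ekuDER}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

The certificate under test is generated by the same program, so the checker runs offline; in practice CheckSlot would be run over certificates exported from the CA after a profile change, where a key usage copied from the Encryption column or an EKU issued non-critical shows up as a finding instead of a silently accepted card.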