Configuring Microsoft Certificate Templates
This section describes how to make Microsoft certificate templates PIV/PIV-I/CIV compliant.
To create a device policy that is compliant with PIV (Personal Identity Verification, the FIPS 201 standard that implements HSPD-12), PIV-I (Personal Identity Verification - Interoperable) or CIV (Commercial Identity Verification), up to four PKI applications, each holding a digital certificate and its private key, are configured on the card.
The following is the list of the PKI applications:
- PIV_AUTHENTICATION—Contains a PKI certificate and key pair used to authenticate the cardholder (for example, for smart card logon).
- CARD_AUTHENTICATION—This key and certificate (when the key is asymmetric) support PIV Card Authentication, used for device-to-device authentication such as physical access. When the Card Authentication Key is a symmetric key, the CHUID (Card Holder Unique Identifier) authentication key map must be present and must specify the cryptographic algorithm and the key storage location.
- PIV_DIGITAL_SIGNATURE—This key and certificate support digital signatures for document signing. The private key is generated on the card and is never escrowed.
- PIV_ENCRYPTION—This key and certificate support encryption for confidentiality (key management). This is the only key pair that the issuer escrows, so that the key can be recovered and encrypted data read after a card is lost or replaced.
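Before assigning these templates to a device policy, it is worth auditing them in Active Directory Certificate Services, because a template that archives the wrong key, or omits an extended key usage, produces cards that enroll successfully but fail PIV validation. The script below is an added example and is not part of the original page or of the product it describes. It reads the template objects from the Configuration partition and compares them with the expectations listed above. The template names (PIVAuthentication, PIVCardAuthentication, PIVDigitalSignature, PIVEncryption), the expected EKU OIDs and the key-usage bits are assumptions based on the common PIV certificate profiles; replace them with the values of your own profile.

```powershell
# Added example (not from the original page): audit the four PIV certificate
# templates in AD CS against the properties this section requires.
# Template names, EKU OIDs and key-usage bits below are assumptions; adjust
# them to your organization's PIV/PIV-I/CIV profile.

Import-Module ActiveDirectory

# Certificate templates are stored in the Configuration naming context.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Bit in msPKI-Private-Key-Flag that forces private key archival at enrollment
# (CTPRIVATEKEY_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL, documented in MS-CRTD).
$RequireArchival = 0x00000001

# pKIKeyUsage holds the DER BIT STRING body; its first byte carries these bits.
$KU_DigitalSignature = 0x80
$KU_NonRepudiation   = 0x40
$KU_KeyEncipherment  = 0x20

# Assumed mapping from the four PKI applications to template names and expectations.
# EKU OIDs: 1.3.6.1.5.5.7.3.2 = Client Authentication, 1.3.6.1.4.1.311.20.2.2 = Smart Card Logon,
# 2.16.840.1.101.3.6.8 = id-PIV-cardAuth, 1.3.6.1.5.5.7.3.4 = Secure Email.
$policy = @{
  'PIV_AUTHENTICATION'    = @{ Template = 'PIVAuthentication';     EKU = @('1.3.6.1.5.5.7.3.2', '1.3.6.1.4.1.311.20.2.2'); KU = $KU_DigitalSignature; Archive = $false }
  'CARD_AUTHENTICATION'   = @{ Template = 'PIVCardAuthentication'; EKU = @('2.16.840.1.101.3.6.8');                        KU = $KU_DigitalSignature; Archive = $false }
  'PIV_DIGITAL_SIGNATURE' = @{ Template = 'PIVDigitalSignature';   EKU = @('1.3.6.1.5.5.7.3.4');                           KU = ($KU_DigitalSignature -bor $KU_NonRepudiation); Archive = $false }
  'PIV_ENCRYPTION'        = @{ Template = 'PIVEncryption';         EKU = @('1.3.6.1.5.5.7.3.4');                           KU = $KU_KeyEncipherment;  Archive = $true }
}

foreach ($app in $policy.Keys) {
  $want = $policy[$app]
  $t = Get-ADObject -SearchBase $templateDN -Filter "cn -eq '$($want.Template)'" `
         -Properties pKIExtendedKeyUsage, 'msPKI-Certificate-Application-Policy', pKIKeyUsage, 'msPKI-Private-Key-Flag'
  if (-not $t) { Write-Warning "$app : template '$($want.Template)' not found"; continue }

  $problems = @()

  # EKU: both the legacy pKIExtendedKeyUsage attribute and the v2+ application
  # policy attribute must carry every required OID.
  foreach ($oid in $want.EKU) {
    if ($t.pKIExtendedKeyUsage -notcontains $oid) {
      $problems += "missing EKU $oid in pKIExtendedKeyUsage"
    }
    if ($t.'msPKI-Certificate-Application-Policy' -notcontains $oid) {
      $problems += "missing EKU $oid in msPKI-Certificate-Application-Policy"
    }
  }

  # Key usage: the first byte of pKIKeyUsage must include the expected bits.
  $ku = if ($t.pKIKeyUsage) { [int]$t.pKIKeyUsage[0] } else { 0 }
  if (($ku -band $want.KU) -ne $want.KU) {
    $problems += ("key usage 0x{0:X2} lacks required bits 0x{1:X2}" -f $ku, $want.KU)
  }

  # Archival: only the encryption (key management) key may be escrowed by the issuer.
  $archived = (([int]$t.'msPKI-Private-Key-Flag') -band $RequireArchival) -ne 0
  if ($archived -ne $want.Archive) {
    $problems += "key archival is $archived, expected $($want.Archive)"
  }

  if ($problems.Count -eq 0) { Write-Output "$app : OK ($($want.Template))" }
  else { $problems | ForEach-Object { Write-Output "$app : $_" } }
}
```

Run it from a domain-joined host with the ActiveDirectory module, as an account that can read the Configuration partition. The archival check is the one most worth keeping: enabling "Archive subject's encryption private key" on the authentication or signature template gives the CA a copy of keys that are supposed to exist only on the card, which defeats non-repudiation and turns a key-recovery agent compromise into an impersonation problem.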
Topics in this section: