Configuring PIV-I Certificate Templates

You must configure the Certificate Authority (CA) you are using to use the right certificate extensions for your certificate templates. This includes setting the PIV-I policy OIDs. You can configure the certificate templates as you would for a PIV (Personal Identity Verification) card, with the exception of the attributes listed in the following table, which must be modified as described there.

For further information on configuring the PIV and PIV-I certificate templates, refer to Configuring Microsoft Certificate Authority for PIV and CIV Deployments.

Warning! Never set NACI on any PIV certificate in PIV-I mode, in particular on PIV_AUTHENTICATION and CARD_AUTHENTICATION (contrary to what is done in PIV mode).
This rule is enforced either by the CA itself (in its configuration) or by ActivID CMS, which does not pass NACI information to the credential provider when issuing in PIV-I mode (that is, it ignores the NACIIndicator attribute retrieved from the CPR).
Note: For Entrust CA, two instances of Entrust CA must be created in the ActivID CMS Repository in order to create the four PKI templates that are needed (this is the same for PIV and PIV-I cards). The Card Authentication certificate template, as shown in the following table, is configured with a serialNumber attribute (the card UUID) in its subject name rather than a common name.
PIV-I Data Model

The required certificate attributes are listed below per PKI slot. Where two SubjectName forms are given, the first applies to affiliated subscribers and the second to unaffiliated subscribers.

PKI slot: Card_Authentication
  SubjectName (affiliated): serialNumber=UUID, ou=Affiliated Organization Name,{Base DN}
  SubjectName (unaffiliated): serialNumber=UUID, ou=Unaffiliated, ou=Entity CA’s Name,{Base DN}
  SubjectAltName: URI = UUID
  keyUsage: Signature (Critical)
  Enhanced Key Usage: 2.16.840.1.101.3.6.8 (id-PIV-cardAuth) (Critical)
  Certificate Policy: 2.16.840.1.101.3.2.1.3.19 (id-fpki-certpcy-pivi-cardAuth)
  Authority Info Access: 1.3.6.1.5.5.7.48.1 (OCSP access method); 1.3.6.1.5.5.7.48.2 (Certificate Authority Issuer access method)
  CRL distribution point: LDAP and HTTP URLs

PKI slot: Authentication
  SubjectName (affiliated): cn=Subscriber's full name, ou=Affiliated Organization Name,{Base DN}
  SubjectName (unaffiliated): cn=Subscriber's full name, ou=Unaffiliated, ou=Entity CA’s Name,{Base DN}
  SubjectAltName: URI = UUID; OtherName = UPN
  keyUsage: Signature (Critical)
  Enhanced Key Usage: 1.3.6.1.4.1.311.20.2.2 (Smart Card Logon); 1.3.6.1.5.5.7.3.2 (TLS Client authentication); 1.3.6.1.5.2.3.4 (id-pkinit-KPClientAuth)
  Certificate Policy: 2.16.840.1.101.3.2.1.3.18 (id-fpki-certpcy-pivi-hardware)
  Authority Info Access: 1.3.6.1.5.5.7.48.1 (OCSP access method); 1.3.6.1.5.5.7.48.2 (Certificate Authority Issuer access method)
  CRL distribution point: LDAP and HTTP URLs

PKI slot: Digital_Signature
  SubjectName (affiliated): cn=Subscriber's full name, ou=Affiliated Organization Name,{Base DN}
  SubjectName (unaffiliated): cn=Subscriber's full name, ou=Unaffiliated, ou=Entity CA’s Name,{Base DN}
  SubjectAltName: Rfc822Name = user email
  keyUsage: Signature and non-repudiation (Critical)
  Enhanced Key Usage: 1.3.6.1.5.5.7.3.4 (id-kp-emailProtection); 1.3.6.1.4.1.311.10.3.12 (MSFT Document Signing); 1.2.840.113583.1.1.5 (Adobe Certified Document Signing)
  Certificate Policy: 2.16.840.1.101.3.2.1.3.18 (id-fpki-certpcy-pivi-hardware)
  Authority Info Access: 1.3.6.1.5.5.7.48.1 (OCSP access method); 1.3.6.1.5.5.7.48.2 (Certificate Authority Issuer access method)
  CRL distribution point: LDAP and HTTP URLs

PKI slot: Encryption
  SubjectName (affiliated): cn=Subscriber's full name, ou=Affiliated Organization Name,{Base DN}
  SubjectName (unaffiliated): cn=Subscriber's full name, ou=Unaffiliated, ou=Entity CA’s Name,{Base DN}
  SubjectAltName: Rfc822Name = user email
  keyUsage: Key encipherment, Key agreement (Critical)
  Enhanced Key Usage: none specified
  Certificate Policy: 2.16.840.1.101.3.2.1.3.18 (id-fpki-certpcy-pivi-hardware)
  Authority Info Access: 1.3.6.1.5.5.7.48.1 (OCSP access method); 1.3.6.1.5.5.7.48.2 (Certificate Authority Issuer access method)
  CRL distribution point: LDAP and HTTP URLs

Warning! The issuer should NOT use the PIV-I policy OIDs above directly, but its own OIDs, which can be mapped later to the PIV-I OIDs via cross-certification.
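As an added example (not part of this documentation or of ActivID CMS), the following Python script builds a self-signed test certificate shaped like the Card_Authentication column above and checks it against the rules the table and the NACI warning state. It assumes the cryptography package; the host names are placeholders, and the NACI indicator OID (id-piv-NACI, 2.16.840.1.101.3.6.9.1, from FIPS 201 / SP 800-73) is not given on this page.

```python
import datetime, uuid
from cryptography import x509
from cryptography.x509.oid import ObjectIdentifier, NameOID, AuthorityInformationAccessOID as AIA
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

PIVI_CARDAUTH_POLICY = ObjectIdentifier("2.16.840.1.101.3.2.1.3.19")  # id-fpki-certpcy-pivi-cardAuth
PIV_CARDAUTH_EKU = ObjectIdentifier("2.16.840.1.101.3.6.8")           # id-PIV-cardAuth
NACI_INDICATOR = ObjectIdentifier("2.16.840.1.101.3.6.9.1")           # id-piv-NACI (OID not on this page)
URI = x509.UniformResourceIdentifier

def build_card_auth_cert(with_naci=False):
    """Constructed self-signed sample shaped like the Card_Authentication column (placeholder hosts)."""
    key = ec.generate_private_key(ec.SECP256R1())
    card_uuid = str(uuid.uuid4())
    name = x509.Name([x509.NameAttribute(NameOID.SERIAL_NUMBER, card_uuid),
                      x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Affiliated Organization Name")])
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name).public_key(key.public_key())
         .serial_number(x509.random_serial_number()).not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
         .add_extension(x509.SubjectAlternativeName([URI("urn:uuid:" + card_uuid)]), False)
         .add_extension(x509.KeyUsage(True, False, False, False, False, False, False, False, False), True)  # Signature, critical
         .add_extension(x509.ExtendedKeyUsage([PIV_CARDAUTH_EKU]), True)  # critical, as the table requires
         .add_extension(x509.CertificatePolicies([x509.PolicyInformation(PIVI_CARDAUTH_POLICY, None)]), False)
         .add_extension(x509.AuthorityInformationAccess([x509.AccessDescription(AIA.OCSP, URI("http://ocsp.example.test")),
             x509.AccessDescription(AIA.CA_ISSUERS, URI("http://aia.example.test/ca.cer"))]), False)
         .add_extension(x509.CRLDistributionPoints([x509.DistributionPoint([URI("http://crl.example.test/ca.crl")], None, None, None)]), False))
    if with_naci:  # DER BOOLEAN TRUE: the NACI indicator the page says must never be set in PIV-I mode
        b = b.add_extension(x509.UnrecognizedExtension(NACI_INDICATOR, b"\x01\x01\xff"), False)
    return b.sign(key, hashes.SHA256())

def check_card_auth(cert):
    """Return a list of findings; an empty list means the certificate matches the Card_Authentication column."""
    def ext(cls):
        try: return cert.extensions.get_extension_for_class(cls)
        except x509.ExtensionNotFound: return None
    san, ku, eku, cp, aia = (ext(c) for c in (x509.SubjectAlternativeName, x509.KeyUsage,
                             x509.ExtendedKeyUsage, x509.CertificatePolicies, x509.AuthorityInformationAccess))
    rules = [
        (cert.subject.get_attributes_for_oid(NameOID.SERIAL_NUMBER), "subject must carry serialNumber=UUID"),
        (san and san.value.get_values_for_type(URI), "SubjectAltName must contain URI = UUID"),
        (ku and ku.critical and ku.value.digital_signature, "keyUsage must be critical with Signature"),
        (eku and eku.critical and PIV_CARDAUTH_EKU in eku.value, "EKU must be critical with id-PIV-cardAuth"),
        (cp and PIVI_CARDAUTH_POLICY in [p.policy_identifier for p in cp.value], "policy id-fpki-certpcy-pivi-cardAuth missing"),
        (aia and {AIA.OCSP, AIA.CA_ISSUERS} <= {d.access_method for d in aia.value}, "AIA needs OCSP and CA Issuer methods"),
        (ext(x509.CRLDistributionPoints), "CRL distribution point missing"),
        (not any(e.oid == NACI_INDICATOR for e in cert.extensions), "NACI indicator set: forbidden in PIV-I mode"),
    ]
    return [msg for ok, msg in rules if not ok]
```

Run the checker against certificates issued by a test template before putting the template into production; a NACI finding on a PIV-I issuance points at the CA template or the CMS issuance mode described above.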