Managing Mobile App Certificates

Mobile app certificates are managed similarly to smart cards, in that:

  • They can be enrolled in the User Portal. (This setting must be enabled; for details, see Setting Parameters for Devices.)

  • They can be managed in the Help Desk.

However, they differ with respect to smart cards in that:

  • Only basic Help Desk operations (Hold/Resume/Applications Update/Terminate) are available.

  • Only basic operations are available in the User Portal (for example, device update, but no reporting of a lost device).

  • There is no PIN application.

  • Enrollment of mobile app certificates is not available in the Operator Portal.

Mobile devices containing mobile app certificates are considered “secondary” devices, as opposed to smart cards or smart USB keys being “primary” devices. This means that mobile app certificates can only be issued for users that already have a primary device. In a FIPS 201 Federal Information Processing Standard 201 (NIST standard for HSPD-12/PIV).-compliant environment, these mobile app certificates are considered “derived PIV Personal Identity Verification (technical standard of "HSPD-12") credentials.” For more information, refer to About Derived Credentials.

Note:

  • For mobile app certificates, this version of ActivID CMS supports Apple devices (phones, tablets) running iOS 10 or higher.

  • For the issuance of mobile app certificates, this version of ActivID CMS supports both the Microsoft and Entrust Certificate Authorities. Please contact your HID Global reseller for information about extended environment support.

Prerequisites for Using Mobile App Certificates

For details about issuing credentials (mobile app certificates) for mobile devices on the User Portal, refer to the ActivID CMS User online documentation.

Mobile Device Profile (for Mobile App Certificates)

ActivID CMS provides a dedicated profile for mobile app certificates used on mobile devices.

ActivID CMS Mobile Device Profile

Item

Description

Profile name

PIV 1024-2048 Profile for Mobile Devices

Profile description

Profile with PIV Personal Identity Verification (technical standard of "HSPD-12") AUTH, PIV DIGSIG, PIV ENC keys for Mobile Devices

Supported feature(s)

  • One PKI application named PIV_AUTHENTICATION (mandatory)

  • One PKI application named PIV_DIGITAL_SIGNATURE (optional)

  • One PKI application named PIV_ENCRYPTION (optional)

PIN Policy

  • No PIN application
Note:

  • To support the issuance of mobile app certificates for mobile devices, a CA of the “Microsoft Certificate Authority” or “Entrust Certificate Authority” type is required.

  • When configuring the applications of the mobile device profile, only the certificate templates that do not archive the subject's encryption private key are available for selection.

For more details about this device profile, refer to Device Profiles and Hardware Devices.

About Derived Credentials

In ActivID CMS, the ability to issue credentials (mobile app certificates) on a mobile device depends on the existence of another credential managed by ActivID CMS, considered a “primary” credential: a smart card or a virtual smart card (VSC). The enrollment process required for the issuance of the primary credential, such as capturing user data (name, email address, phone number, picture, fingerprint, ID or passport documents, etc.) and the following vetting system (background check, identity proofing), does not need to be repeated when issuing new credentials to the same user. Instead, ActivID CMS can issue a new credential (“derived credential”) to the same user based on the validity of the earlier credential (“primary credential”).

ActivID CMS will maintain a link between the primary and derived credentials – but each credential will contain separate certificates and have their own lifecycle. For example, a user may get a replacement device and keep the same mobile app certificates unchanged; or vice versa, a user may get a new phone, without impacting his/her smart card.

In the case of encryption certificates, ActivID CMS will issue the same encryption certificate on all devices assigned to a given user, to enable viewing encrypted emails whatever system is used to access them (for example, a Windows PC or a mobile phone).

ActivID CMS is designed for compliance with “Derived PIV Credentials,” as defined in NIST National Institute of Standards and TechnologyFIPS Federal Information Processing Standard 201-2 and NIST SP 800-157. In this model, the “primary credential” is a PIV Personal Identity Verification (technical standard of "HSPD-12"), PIV-I Personal Identity Verification - Interoperable or CIV Commercial Identity Verification card, containing Authentication, Signature and Encryption certificates, and the associated mobile device (phone or tablet) is a “derived PIV credential” also containing Authentication, Signature and Encryption certificates.

For each user, the primary device (PIV, PIV-I or CIV card) must be issued first. New authentication, signature and encryption certificates are present on each card; the encryption certificate is escrowed on the CA The Certificate Authority (CA) issues and manages security credentials and public keys for message encryption in a networks environment. by ActivID CMS and now considered a “shared encryption credential.” When the mobile app certificates are issued, new signature and authentication certificates are created for the mobile device; the “shared encryption” certificate is recovered on the mobile device.

For added security, the system checks the validity of the primary device (PIV device) again 7 days after the issuance of a PIV derived credential. If the PIV device had been reported as stolen during that period, the mobile device is then terminated.

The link between a primary device and its derived device(s) is managed automatically by ActivID CMS: no additional operation is required from a Help Desk operator.

More specifically, this means:

  • Any revocation action performed on a shared encryption certificate automatically revokes the encryption certificates on all devices where it is present (card or mobile device).

  • When a user name changes, requiring a PIV device update, an operator can also request similar updates for any derived credentials.

  • Terminating a primary device (with no replacement issued) also terminates all its derived devices automatically.

Important: To avoid inadvertent termination of derived credentials, it is not recommended to issue a derived credential from a temporary card or, in a FIPS 201-compliant environment, when the primary PIV credential is going to expire in less than 7 days.

Examples of Typical Use Cases for Mobile App Certificates

In all the following cases, both the primary PIV Personal Identity Verification (technical standard of "HSPD-12") device and the derived mobile device are intended to each have 3 certificates:

  • 1 authentication (AUTH) certificate

  • 1 signature (SIGN) certificate

  • 1 encryption (ENC) certificate.

The encryption certificate is shared between the PIV device and the mobile device.

The PIV device initially contains 3 credentials:

  • AUTH_1: authentication certificate

  • SIGN_1: signature certificate

  • ENC_1: encryption certificate

The PIV device also stores historical encryption certificates whereas the mobile device stores only the newest shared encryption certificate.

The certificate status is indicated by its color:

  • Active

  • On Hold

  • Revoked

The end user has a PIV Personal Identity Verification (technical standard of "HSPD-12") device with 3 credentials (AUTH_1, SIGN_1, ENC_1) and a mobile device with only 1 authentication certificate (AUTH_2). The organization now wants to extend capabilities provided on the mobile device by adding 1 new signature certificate and 1 encryption certificate (shared with the PIV device).

Initial state:

  • The PIV device is active, as well as all its credentials.

  • The mobile device is active as well as its credential (1 authentication certificate).

Operations:

  1. Create an applications update request for the mobile app certificate (using the Help Desk). For details, see Requesting an Applications Update.

  2. Execute the applications update request on the mobile device (using the User Portal). For details, refer to the ActivID CMS User online documentation.

Result:

  • The mobile device now has 3 certificates: 1 new signature certificate (SIGN_2) and 1 recovered encryption certificate (ENC_1, from the shared encryption credential of the PIV device), in addition to the existing authentication certificate.

    Operation

    PIV Device

    Mobile Device

    1. Initial state

    AUTH_1

    SIGN_1

    ENC_1

    AUTH_2

    2. Create applications update request for mobile app certificates (Help Desk)

    AUTH_1

    SIGN_1

    ENC_1

    AUTH_2

    3. Execute update request on mobile device (User Portal)

    AUTH_1

    SIGN_1

    ENC_1

    AUTH_2

    SIGN_2

    ENC_1
    Important: Since only one mobile app certificates device policy can be defined at a given time, you will need to unassign the old policy for previously issued mobile app certificates in order to perform an update. Make sure that the Initial Issuance assignment is selected for the target device policy.

The PIV Personal Identity Verification (technical standard of "HSPD-12") device was declared as lost or stolen and its credentials are suspended. The mobile device is unaffected, except for the shared encryption credential.

The replacement PIV device is issued and has a new encryption certificate so the mobile device needs to be updated in order to have the same shared encryption certificate.

Initial state:

  • An incident has been declared for the PIV device.

  • The derived mobile device is active but its encryption certificate is suspended.

Operations:

  1. Issue the replacement PIV device. For details, see Requesting a Replacement Device. (The initial PIV device is then terminated automatically).

  2. Create an applications update request for the mobile app certificates (using the Help Desk), in order to recover the new encryption certificate (manual operation). For details, see Requesting an Applications Update.

  3. Update the mobile device (on the User Portal). For details, refer to the ActivID CMS User online documentation.

Result:

  • The replacement PIV device is issued with 3 new credentials as well as the previous encryption certificate (recovered). This device becomes the current PIV device for the end user.

  • The initial PIV device is terminated and its credentials are revoked (since it was declared lost or stolen).

  • The mobile device is updated by adding the new encryption certificate shared with the replacement PIV device.

Operation

Initial PIV Device

Replacement PIV Device

Mobile Device

1. Initial state

AUTH_1

SIGN_1

ENC_1

N/A

AUTH_2

SIGN_2

ENC_1

2. Issue replacement PIV device

 AUTH_1

SIGN_1

ENC_1

AUTH_3

SIGN_3

ENC_2

ENC_1

AUTH_2

SIGN_2

ENC_1

3. Terminate initial PIV device

AUTH_1

SIGN_1

ENC_1

AUTH_3

SIGN_3

ENC_2

ENC_1

AUTH_2

SIGN_2

ENC_1

4. Create applications update request for mobile app certificates (Help Desk)

AUTH_1

SIGN_1

ENC_1

AUTH_3

SIGN_3

ENC_2

ENC_1

AUTH_2

SIGN_2

ENC_1

5. Update mobile device (User Portal)

AUTH_1

SIGN_1

ENC_1

AUTH_3

SIGN_3

ENC_2

ENC_1

AUTH_2

SIGN_2

ENC_2

ENC_1

Note: After a mobile device is updated with a new encryption certificate, the former certificate remains installed on the device unless it is manually removed; however, it is no longer displayed in the device profile on the Help Desk.

The mobile device containing mobile app certificates must be terminated (for example, declared lost or stolen) and new mobile app certificates need to be issued for the replacement device.

After the mobile device is terminated, its associated primary device (PIV Personal Identity Verification (technical standard of "HSPD-12") device) needs to be updated in order to add a new encryption certificate. Then (and only then) the new mobile app certificates are issued, including the new encryption certificate that has been added to the PIV device.

Initial state:

  • The PIV device is active, as well as all its certificates.

  • The mobile device is active, as well as all its certificates, but needs to be terminated.

Operations:

  1. Terminate the initial mobile device (manual operation). For details, see Terminating a Device.

  2. Create an applications update request for the PIV device, in order to add a new encryption certificate (manual operation). For details, see Requesting an Applications Update.

  3. Update the PIV device. For details, see Updating Applications on Devices.

  4. Issue a new set of mobile app certificates for the new mobile device (on User Portal). For details, refer to the ActivID CMS User online documentation.

Result:

  • The PIV device has an additional (new) encryption certificate.

  • The initial mobile device is terminated. Its credentials (mobile app certificates) are revoked.

  • A new set of mobile app certificates are issued which contains the newest encryption certificate (shared with the PIV device).

Operation

PIV Device

Lost/Stolen Mobile Device

New Mobile Device

1. Initial state

AUTH_1

SIGN_1

ENC_1

AUTH_2

SIGN_2

ENC_1

N/A

2. Terminate the mobile device (mobile app certificates)

AUTH_1

SIGN_1

ENC_1

AUTH_2

SIGN_2

ENC_1

N/A

3. Create an applications update request for PIV device

AUTH_1

SIGN_1

ENC_1

AUTH_2

SIGN_2

ENC_1

N/A

4. Update PIV device

AUTH_1

SIGN_1

ENC_2

ENC_1

AUTH_2

SIGN_2

ENC_1

N/A

5. Issue a new set of mobile app certificates for new mobile device

AUTH_1

SIGN_1

ENC_2

ENC_1

AUTH_2

SIGN_2

ENC_1

AUTH_3

SIGN_3

ENC_2