Configure for PIV, PIV-I, and CIV Compliance

This section describes the configuration procedures required for PIV, PIV-I, and CIV-compliant smart card issuance. ActivID CMS installs the configuration files for PIV (Personal Identity Verification, the technical standard for HSPD-12), PIV-I (Personal Identity Verification - Interoperable), and CIV (Commercial Identity Verification) card issuance. By default, the PIV, PIV-I, and CIV card profiles are populated in the system.

For a new installation or an upgraded environment, you must perform the following steps:

  1. Import the PIV Master Keys (using either HSM or soft mode) corresponding to your PIV card profiles into the HSM, using the Key Management System (KMS).

  2. If you want to enable PIV object signing, then edit the Digital Signatory key and generate the digital signature keys on the HSM. For details, see Generate Digital Signatory Keys on an HSM.

  3. If necessary, update the ATR2Product.properties file to select the pre-issuance states associated with each ATR (Answer To Reset), and comment out (with #) the lines that you are not using.

  4. Restart the ActivID CMS service.

Configure the Server for a PIV Workflow

Before you can issue smart cards that follow the PIV workflow, there are several settings in the ActivID CMS Operator Portal that must be configured.

  1. Log on to the ActivID CMS Operator Portal, and select the Configuration tab.

  2. Click the Security Settings menu, and then modify the following settings:

    • Smart card initial PIN display mode—Select Not displayed.

    • Authentication method when smart card is blank and bound—Select LDAP password.

  3. Select the User Portal menu, and then set the Change PIN during issuance option to Yes.