Personalize PIV Certificates with Additional Attributes
ActivID CMS provides additional customization options that you can use for the attributes set in the PIV (Personal Identity Verification, the technical standard of HSPD-12) certificates.
To configure this personalization, you can use the entries of the CPR (Card Production Request) and the configuration parameters of the PIVEnrollment.properties file. The CPR contains a list of user-specific attributes that will be stored, fully or partially, in the PIV Metadata database and loaded on the PIV card during issuance. Both procedures are described in this section.
Customization Guidelines:
- These additional customization options only apply to the basic four PIV certificates. They do not apply to any additional certificates available on the card.
- These additional customization options have only been validated in a configuration with Microsoft CA (the Certificate Authority that issues and manages security credentials and public keys in a network environment). They may or may not work with other CAs.
- Modify the CPR to add new entries as shown in the following example, which can also be found in ..\Tools\PIV\CPRSigning\CPR 2.1.8.sample.CertExt.xml:

<hsp:CertificateExtension1 CertificateIdentifiers="CardAuthentication Authentication"
    OID="1.2.3.4.5.6"
    Criticality="true">UjBsR09EbGhjZ0dTQUxNQUFBUUNBRU1tQ1p0dU1GUXhEUzhi
</hsp:CertificateExtension1>
<hsp:CertificateExtension2 CertificateIdentifiers="CardAuthentication"
    OID="1.2.3.4.5.7"
    Criticality="true">UjBsR09EbGhjZ0dTQUxNQUFBUUNBRU1tQ1p0dU1GUXhEUzhi
</hsp:CertificateExtension2>
<hsp:CertificateExtension3 CertificateIdentifiers="CardAuthentication"
    OID="1.2.3.4.5.8"
    Criticality="true">UjBsR09EbGhjZ0dTQUxNQUFBUUNBRU1tQ1p0dU1GUXhEUzhi
</hsp:CertificateExtension3>
<hsp:CertificateExtension4 CertificateIdentifiers="CardAuthentication"
    OID="1.2.3.4.5.9"
    Criticality="true">UjBsR09EbGhjZ0dTQUxNQUFBUUNBRU1tQ1p0dU1GUXhEUzhi
</hsp:CertificateExtension4>

There is no limit to the number of attributes that can be added to personalize the PIV certificates. This example shows the addition of four certificate attribute extensions.
- Modify the attributes for Certificate Extensions in the PIV Enrollment configuration file, %PROGRAMDATA%\HID Global\Credential Management System\Shared Files\PIVEnrollment.properties. The attributes define the maximum number of extra certificate extensions that ActivID CMS will look for in the CPR.
By default, the values of the attributes are the following:
  - CertificateExtensions = 4
  - CertificateExtensions_property.getproperty=CertificateExtensions
- In the same way as for the NACI extension, the Microsoft CA must be updated to support these new extensions. For example, to allow the certificate extension 1.2.3.4.5.6 using certutil, update the CA as follows:

certutil -setreg policy\EnableRequestExtensionList +1.2.3.4.5.6

You can use certutil to display the allowed extensions, as shown in the following example:

certutil -getreg policy
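The three steps above are easy to get out of sync: an entry in the CPR whose index is above the CertificateExtensions value is silently not loaded, and an OID that is loaded but not allowed on the CA causes the request to fail. As an added example (not ActivID CMS code and not part of the original page), the following Python script reads the CertificateExtensions limit from a PIVEnrollment.properties excerpt, walks the hsp:CertificateExtensionN entries of a constructed CPR fragment, reports malformed entries and entries past the configured maximum, notes each extension marked critical, and prints the certutil lines (in the syntax shown above) for the OIDs that survive the checks. The namespace URI bound to the hsp: prefix and the set of accepted CertificateIdentifiers tokens are assumptions; the sample CPR is constructed from the page's sample and deliberately contains one malformed entry and one entry past the limit.

```python
"""Check the CertificateExtensionN entries of a CPR against the PIVEnrollment.properties limit."""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of PIVEnrollment.properties (the default values quoted on the page).
PROPERTIES_TEXT = """
CertificateExtensions = 4
CertificateExtensions_property.getproperty=CertificateExtensions
"""

# Assumption: the namespace URI bound to the hsp: prefix; the real CPR schema URI is not on the page.
HSP_NS = "urn:example:hsp"

# Assumption: the identifier tokens the CPR accepts. Only these two appear on the page.
ALLOWED_IDENTIFIERS = {"CardAuthentication", "Authentication"}

# Constructed CPR fragment modelled on CPR 2.1.8.sample.CertExt.xml: extensions 1, 2 and 4 are
# well formed, extension 3 carries an invalid Criticality value, and extension 5 lies past the
# configured maximum of four, so CMS would not load it.
CPR_XML = """<hsp:CPR xmlns:hsp="urn:example:hsp">
  <hsp:CertificateExtension1 CertificateIdentifiers="CardAuthentication Authentication"
      OID="1.2.3.4.5.6" Criticality="true">UjBsR09EbGhjZ0dTQUxNQUFBUUNBRU1tQ1p0dU1GUXhEUzhi</hsp:CertificateExtension1>
  <hsp:CertificateExtension2 CertificateIdentifiers="CardAuthentication"
      OID="1.2.3.4.5.7" Criticality="true">UjBsR09EbGhjZ0dTQUxNQUFBUUNBRU1tQ1p0dU1GUXhEUzhi</hsp:CertificateExtension2>
  <hsp:CertificateExtension3 CertificateIdentifiers="CardAuthentication"
      OID="1.2.3.4.5.8" Criticality="yes">UjBsR09EbGhjZ0dTQUxNQUFBUUNBRU1tQ1p0dU1GUXhEUzhi</hsp:CertificateExtension3>
  <hsp:CertificateExtension4 CertificateIdentifiers="CardAuthentication"
      OID="1.2.3.4.5.9" Criticality="false">UjBsR09EbGhjZ0dTQUxNQUFBUUNBRU1tQ1p0dU1GUXhEUzhi</hsp:CertificateExtension4>
  <hsp:CertificateExtension5 CertificateIdentifiers="CardAuthentication"
      OID="1.2.3.4.5.10" Criticality="true">UjBsR09EbGhjZ0dTQUxNQUFBUUNBRU1tQ1p0dU1GUXhEUzhi</hsp:CertificateExtension5>
</hsp:CPR>
"""

OID_RE = re.compile(r"^[0-2](\.(0|[1-9]\d*))+$")  # dotted-decimal OID, no leading zeros in arcs
EXT_TAG_RE = re.compile(r"^\{%s\}CertificateExtension(\d+)$" % re.escape(HSP_NS))


def read_max_extensions(properties_text):
    """Return the CertificateExtensions value: how many CPR entries CMS looks for."""
    match = re.search(r"^\s*CertificateExtensions\s*=\s*(\d+)\s*$", properties_text, re.MULTILINE)
    if match is None:
        raise ValueError("CertificateExtensions is not set")
    return int(match.group(1))


def validate_extension(elem, allowed_identifiers):
    """Return the list of defects found in one CertificateExtensionN element (empty if clean)."""
    errors = []
    oid = elem.get("OID", "")
    if not OID_RE.match(oid):
        errors.append("OID %r is not a valid dotted-decimal OID" % oid)
    if elem.get("Criticality") not in ("true", "false"):
        errors.append("Criticality must be 'true' or 'false'")
    identifiers = (elem.get("CertificateIdentifiers") or "").split()
    unknown = sorted(set(identifiers) - allowed_identifiers)
    if not identifiers:
        errors.append("CertificateIdentifiers is empty")
    elif unknown:
        errors.append("unknown certificate identifiers: %s" % ", ".join(unknown))
    value = (elem.text or "").strip()
    if not value:
        errors.append("extension value is empty")
    else:
        try:
            base64.b64decode(value, validate=True)  # the value is carried base64-encoded
        except (binascii.Error, ValueError):
            errors.append("extension value is not valid base64")
    return errors


def check_cpr_extensions(cpr_xml, max_extensions, allowed_identifiers=ALLOWED_IDENTIFIERS):
    """Walk CertificateExtensionN entries in document order.

    Returns {"findings": [(level, name, message), ...], "oids": [OIDs of accepted entries]}.
    """
    findings, oids = [], []
    for elem in ET.fromstring(cpr_xml):
        match = EXT_TAG_RE.match(elem.tag)
        if match is None:
            continue
        index = int(match.group(1))
        name = "CertificateExtension%d" % index
        if index > max_extensions:
            findings.append(("warning", name,
                             "index exceeds CertificateExtensions=%d; CMS will not load it" % max_extensions))
            continue
        errors = validate_extension(elem, allowed_identifiers)
        if errors:
            findings.append(("error", name, "; ".join(errors)))
            continue
        if elem.get("Criticality") == "true":
            # RFC 5280: a relying party that does not recognise a critical extension must reject the certificate.
            findings.append(("info", name, "critical extension %s: relying parties that do not "
                             "understand it will reject the certificate" % elem.get("OID")))
        oids.append(elem.get("OID"))
    return {"findings": findings, "oids": oids}


def certutil_commands(oids):
    """certutil lines (syntax as on the page) that allow each accepted OID on the Microsoft CA."""
    return [r"certutil -setreg policy\EnableRequestExtensionList +" + oid for oid in oids]


if __name__ == "__main__":
    report = check_cpr_extensions(CPR_XML, read_max_extensions(PROPERTIES_TEXT))
    for level, name, message in report["findings"]:
        print("%-7s %s: %s" % (level.upper(), name, message))
    print("\n".join(certutil_commands(report["oids"])))
```

Run against a real CPR, the script is a pre-flight check before signing the CPR: every OID it prints must appear in the output of certutil -getreg policy on the issuing CA, and certutil -setreg changes only take effect once the CA service is restarted. The critical-extension note is informational, but worth reading: marking a private-arc extension critical means any relying party that does not know the OID will refuse the certificate.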