Configuring Microsoft Certificate Templates

This section describes how to make Microsoft certificate templates PIV/PIV-I/CIV compliant.

To create a PIV, PIV-I or CIV compliant device policy, up to four PKI applications containing a digital certificate and private key will be configured on the card.

The following is the list of the PKI applications:

  • PIV_AUTHENTICATION—Contains a PKI certificate and key-pair used to authenticate the user.

  • CARD_AUTHENTICATION—This key and certificate (if the key is an asymmetric key) supports PIV Card Authentication for device-to-device authentication purposes (physical access). When the Card Authentication Key is a symmetric key, the CHUID Card Holder Unique Identifier authentication key map must be present and must specify the cryptographic algorithm and key storage location.

  • PIV_DIGITAL_SIGNATURE—This key and certificate support the use of digital signatures for the purpose of document signing.

  • PIV_ENCRYPTION—This key and certificate support the use of encryption for the purpose of confidentiality. This key pair is escrowed by the issuer for key recovery purposes.

PIV and PIV-I Certificate Templates

The same CA certificate templates cannot be used for both PIV and PIV-I environments due to differences in the policy configuration.

Therefore, new CA certificate templates dedicated to PIV-I must be defined in the CA, one per PIV certificate.

The procedures in this section apply to both PIV and PIV-I environments, and the mode-related configuration is specified where applicable.

Warning!
The issuer should NOT use the PIV-I policy OIDs directly, but instead use their own OIDs that can be mapped later to the PIV-I OIDs via cross-certification.

Getting Started

  1. Run mmc.exe to open the Microsoft Management Console.

  2. On the File menu, click Add/Remove Snap-in.

  3. In the Available snap-ins window, click Certificate Template, and then click Add.

  4. Click OK.

  5. In the console tree, expand your CA.

  1. In the list of templates provided by default by Microsoft CA, right-click on Smartcard Logon template, and select Duplicate Template.

  2. In the Issuance Requirements tab, edit the settings as follows:

    1. Select the This number of authorized signatures option. This allows ActivID CMS to issue a card.

    2. From the Application policy drop-down list, select Certificate Request Agent.

    3. Select the Same criteria as for enrollment option.

  3. Click OK.

  4. In the Request Handling tab, from the Purpose drop-down list, select Signature and smartcard logon.

  5. Select the Prompt the user during enrollment option, and click OK.

  6. In the Subject Name tab, select the Supply in the request option. The Subject Name is supplied by ActivID CMS.

  7. Click OK.

  8. If available, select the Cryptography tab and set the Algorithm name, Minimum key size (should be set to 2048), and Hash algorithm (should be set to SHA256). Then, click OK.

  9. In the Extensions tab, in the Extensions included in this template section, select Application Policies.

    Note:

    • If required to support specific applications, the extension may include the anyExtendedKeyUsage value.

    • If anyExtendedKeyUsage is not included, the following 3 values for keyPurposeID must be included:

      • Smart Card Logon,

      • TLS Client Authentication and

      • id-pkinit-KPClientAuth.

      Additional key purposes may be specified.

    • Organizations that choose not to include the anyExtendedKeyUsage value may experience interoperability issues if the specific EKU required by an application is absent.

    • anyExtendedKeyUsage is named Any Purpose in Microsoft CA. This label can be customized.

  10. Review the Description of Application Policies information.

  11. In the Extensions included in this template section, select Issuance Policies and click Edit.

  12. Click Edit.

  13. Enter the required information according to the mode:

    Field

    PIV

    PIV-I

    Name

    id-fpki-common-authentication

    id-fpki-certpcy-pivi-hardware

    Object identifier

    2.16.840.1.101.3.2.1.3.13

    2.16.840.1.101.3.2.1.3.18

  14. Click OK.

  15. Click OK.

  1. In the list of templates provided by default by Microsoft CA, right-click on the User template, and then select Duplicate Template.

  2. Select a server version, and then click OK.

  3. In the Issuance Requirements tab, select This number of authorized signatures (if it is not already selected).

  4. In the Request Handling tab, from the Purpose drop-down list, select Signature.

  5. In the Subject Name tab, click Supply in the request. The Subject Name is supplied by ActivID CMS.

  6. In the Extensions tab, in the Extensions included in this template section, select Application Policies, and then click Edit (not illustrated).

    1. In the Edit Application Policies Extension dialog, click Add.

    1. Click New.

    1. Enter:

      • Name—id-PIV-cardAuth

      • Object identifier—2.16.840.1.101.3.6.8

    1. Click OK.

    1. Highlight the id-PIV-cardAuth policy, and then click OK.

    1. In the Application policies section, remove all the policies EXCEPT id-PIV-cardAuth.

    Note: The ONLY available application policy should be id-PIV-cardAuth as illustrated above.

    1. Select the Make this extension critical option, and then click OK.

  7. In the Extensions tab, select Issuance Policies, and then click Edit.

    1. Click Add.

    1. Click New.

    1. Enter the required information according to the following mode:

    Field

    PIV

    PIV-I

    Name

    id-fpki-common-cardAuth

    id-fpki-certpcy-pivi-cardAuth

    Object identifier

    2.16.840.1.101.3.2.1.3.17

    2.16.840.1.101.3.2.1.3.19

    1. Click OK.

    1. Highlight the required policy according to the mode, and then click OK:

      • For PIV mode – id-fpki-common-cardAuth

      • For PIV-I mode – id-fpki-certpcy-pivi-cardAuth

  8. Click OK.

  1. In the list of default templates provided by Microsoft CA, right-click on the User Signature Only template, and then select Duplicate Template.

  2. Select a template, and then click OK.

  3. In the Issuance Requirements tab, select the This number of authorized signatures option. This allows ActivID CMS to issue a card.

  4. From the Application policy drop-down list, select Certificate Request Agent.

  5. In the Subject Name tab, apply the following configuration:

    • For PIV mode, select Build from this Active Directory information. Make sure that only E-mail name is selected to be included in the alternate subject name.

      Note: If you are using a directory other than Microsoft Active Directory, select Supply in the request.

    • For PIV-I mode, select Supply in the request. The Subject Name is supplied by ActivID CMS.

  6. In the Extensions tab, in the Extensions included in this template section, select Application Policies.

  7. Verify the Description of Application Policies.

  8. Select Issuance Policies and click Edit.

    1. Click Add.

    1. Click New.

    2. Enter the required information according to the mode:

    Field

    PIV

    PIV-I

    Name

    id-fpki-common-policy

    id-fpki-certpcy-pivi-hardware

    Object identifier

    2.16.840.1.101.3.2.1.3.6

    2.16.840.1.101.3.2.1.3.18

    1. Click OK.

    1. Highlight the required policy according to the mode, and then click OK:

      • For PIV mode – id-fpki-common-policy

      • For PIV-I mode – id-fpki-certpcy-pivi-hardware

  9. Return to the Extensions tab and, in the Extensions included in this template section, select Key Usage and click Edit.

  10. Select the Digital signature and Signature is proof of origin (nonrepudiation) options.

  11. Click OK.

  1. In the list of default templates provided by Microsoft CA, right-click on the Exchange User template, and then select Duplicate Template.

  2. In the Issuance Requirements tab, select the This number of authorized signatures option. This allows ActivID CMS to issue a card.

  3. From the Application policy drop-down list, select Certificate Request Agent.

  4. In the Subject Name tab, apply the following configuration:

    • For PIV mode, select Build from this Active Directory information. Make sure that only E-mail name is selected to be included in the alternate subject name.

      Note: If you are using a directory other than Microsoft Active Directory, select Supply in the request.

    • For PIV-I mode, select Supply in the request. The Subject Name is supplied by ActivID CMS.

  5. In the Request Handling tab, select Encryption and Archive subject’s encryption private key.

  6. In the Extensions tab, in the Extensions included in this template section, select Issuance Policies.

  7. Click Edit.

  8. Click Add.

  9. Highlight the required policy according to the mode, and then click OK:

    • For PIV mode – id-fpki-common-policy

    • For PIV-I mode – id-fpki-certpcy-pivi-hardware

  10. In the General tab, select Publish certificate in Active Directory.

  11. Click OK.

For each of the four templates, you must add the permissions for the ActivID CMS User (CMSWebSiteUser).

  1. In the Security tab, select the CMSUser.

  2. In the Permissions section, select the Enroll option, and then click OK.

  3. Repeat this procedure for the other templates.

CIV Certificate Templates

New CA certificate templates dedicated to CIV Commercial Identity Verification can be defined in the CA. You can issue CIV cards with all the CAs that are supported by ActivID CMS.

Getting Started

  1. Run mmc.exe to open the Microsoft Management Console.

  2. On the File menu, click Add/Remove Snap-in.

  3. In the Available snap-ins window, click Certificate Template, and then click Add.

  4. Click OK.

  5. In the console tree, expand your CA.

  1. In the list of templates provided by default by Microsoft CA, right-click on Smartcard Logon template, and select Duplicate Template.

  2. In the General tab, clear the Publish certificate in Active Directory option (if selected), and then click OK.

  3. In the Request Handling tab, from the Purpose drop-down list, select Signature and smartcard logon.

  4. Select the Prompt the user during enrollment option, and then click OK.

  5. In the Cryptography tab, select the Algorithm name, Minimum key size (should be set to 2048), and Hash algorithm (should be set to SHA256). Then, click OK.

  6. In the Extensions tab, in the Extension included in this template section, select Application Policies, and then click Edit.

  7. In the Description of Application Policies box, verify that the Client Authentication and Smart Card Logon policies are present, and then click OK.

  8. In the Extension included in this template section, select Issuance Policies.

  9. Verify that no issuance policies are added.

  10. In the Issuance Requirements tab, edit the settings as follows:

    1. Select the This number of authorized signatures option. This allows ActivID CMS to issue a card. In the text box, enter the required number.

    2. From the Application policy drop-down list, select Certificate Request Agent.

    3. Select the Same criteria as for enrollment option.

    4. Click OK.

  11. In the Security tab, click Authenticated Users and, in the Allow column, select the Read and Enroll permissions. Then, click OK.

  1. In the list of templates provided by default by Microsoft CA, right-click on the User template, and then select Duplicate Template.

  2. Select a template, and then click OK.

  3. In the Issuance Requirements tab, select This number of authorized signatures (if it is not already selected).

  4. In the Request Handling tab, next to Purpose, select Signature.

  5. In the Subject Name tab, select Supply in the request. The Subject Name is supplied by ActivID CMS.

  6. In the Extensions tab, in the Extensions included in this template box, select Application Policies, and then click Edit.

  7. In the Edit Application Policies Extension window, select the policy that you want to remove, and then click Remove.

  8. Delete all policies, except the Client Authentication policy. Verify the Client Authentication description and then click OK.

  9. Go back to the Extensions tab and select Issuance Policies, and then click Edit.

  10. Verify that no issuance policies are added.

  11. Click OK.

  1. In the list of default templates provided by Microsoft CA, right-click on the User Signature Only template, and then select Duplicate Template.

  2. Select a template, and then click OK.

  3. In the Issuance Requirements tab, select the This number of authorized signatures option. This allows ActivID CMS to issue a card.

  4. From the Application policy drop-down list, select Certificate Request Agent.

  5. In the Subject Name tab, for CIV mode, select Build from this Active Directory information. Make sure that only E-mail name is selected to be included in the alternate subject name.

    Note: If you are using a directory other than Microsoft Active Directory, select Supply in the request.

  6. In the Security tab, in the Group or user name section, select Authenticated Users.

  7. Select the Read and Enroll permissions.

  8. In the Request Handling tab, next to Purpose, select Signature.

  9. Click OK.

  1. In the list of default templates provided by Microsoft CA, right-click on the Exchange User template, and then select Duplicate Template.

  2. In the Issuance Requirements tab, select the This number of authorized signatures option. This allows ActivID CMS to issue a card.

  3. From the Application policy drop-down list, select Certificate Request Agent.

  4. In the Subject Name tab, for CIV mode, select Build from this Active Directory information.

    Note: If you are using a directory other than Microsoft Active Directory, select Supply in the request.

  5. In the Request Handling tab, select the Encryption option.

  6. In the Extensions tab, in the Extensions included in this template section, select Issuance Policies.

  7. Verify that no issuance policies are added.

  8. In the General tab, select Publish certificate in Active Directory

  9. Click OK.