Configure Microsoft CA for PIV certificate templates
About PIV certificate templates and permissions
To create digital IDs with the correct attributes to work with Identity as a Service, first create the templates in Microsoft CA to specify the contents of the certificate, and then configure the CA to use them correctly.
Personal Identity Verification (PIV) standards-based certificates
- PIV is based on the U.S. government standard (FIPS 201) for identifying employees and contractors who have access to federal facilities and federal information systems. Developed by the NIST Computer Security Division in response to the 2004 Homeland Security Presidential Directive 12 (HSPD 12), PIV is based on the issuance of smart cards with biometric identification.
- PIV certificates are supported on Windows 7 and later operating systems.
- PIV can be used for both physical and logical access, both of which can be supported on the same smart card.
PIV certificate templates
Creating the PIV Authentication and PIV - Content Signer templates enables you to create a one key-pair credential. Creating all templates allows you to make a four key-pair credential.
The procedures in this section describe how to create the following templates:
| Template name | Certificate used for |
|---|---|
| PIV - PIV Authentication | Can be used for physical or logical access—requires a PIN in either case. See Create the PIV - PIV Authentication certificate template. |
| PIV - Card Authentication | Usually used for physical access only—no PIN required. See Create the PIV - Card Authentication certificate template. |
| PIV - Digital Signature | Used to sign email or secure files. See Create the Digital Signature certificate template. |
| PIV - Key Management | Used to encrypt email or secure files and manage keys. See Create the PIV - Key Management template. |
| PIV - Content Signer (device) | Note: This template is mandatory. |
Once you have created the certificate templates, you need to make them available for issuance. You also need to permit the serialNumber attribute to be added to the Subject DN of issued certificates and to permit the piv-interim extension in issued certificates. See Make PIV certificates available for issuance.
Before you begin, complete the procedure, Set Certificate Authority permissions.
Topics in this section
Create the PIV - PIV Authentication certificate template
Use this procedure to create the PIV - PIV Authentication certificate template.
Set Certificate Authority permissions
After you create the PIV - PIV Authentication certificate template, you need to set the following permissions required to issue certificates with Microsoft CA:
Create the PIV - Card Authentication certificate template
1. On the Microsoft CA machine, go to Start > Windows Administrative Tools > Certification Authority.
Create the Digital Signature certificate template
1. On the Microsoft CA machine, go to Start > Windows Administrative Tools > Certification Authority.
Create the PIV - Key Management template
1. On the Microsoft CA machine, go to Start > Windows Administrative Tools > Certification Authority.
Create the PIV - Content Signer (device) certificate template
1. On the Microsoft CA machine, go to Tools and select Certification Authority.
Make PIV certificates available for issuance
Once you have created the certificate templates, you need to make them available for issuance. You also need to permit the serialNumber attribute to be added to the Subject DN of issued certificates and to permit the piv-interim extension in issued certificates.