About PIV certificate templates and permissions

To create digital IDs with the correct attributes to work with Identity as a Service, first create the templates in Microsoft CA to specify the contents of the certificate, and then configure the CA to use them correctly.

Personal Identity Verification (PIV) standards-based certificates

PIV is based on the U.S. government standard (FIPS 201) for identifying employees and contractors who have access to federal facilities and federal information systems. Developed by the NIST Computer Security Division in response to the 2004 Homeland Security Presidential Directive 12 (HSPD 12), PIV is based on the issuance of smart cards with biometric identification.

PIV certificates are supported on Windows 7 and later operating systems.

PIV can be used for both physical and logical access, both of which can be supported on the same smart card.

PIV certificate templates

Creating the PIV Authentication and PIV - Content Signer templates enables you to create a one key-pair credential. Creating all templates allows you to make a four key-pair credential.

The procedures in this section describe how to create the following templates:

Template name | Certificate used for
--- | ---
PIV - PIV Authentication | Can be used for physical or logical access; a PIN is required in either case. See Create PIV - PIV Authentication certificate template.
PIV - Card Authentication | Usually used for physical access only; no PIN is required. See Create the PIV - Card Authentication certificate template.
PIV - Digital Signature | Used to sign email or secure files. See Create the Digital Signature certificate template.
PIV - Key Management | Used to encrypt email or secure files and to manage keys. See Create the PIV - Key Management template.
PIV - Content Signer (device) | Used to sign biometric identification information, and to sign hashes of other smart credential content; these signed hashes are used for additional smart card authentication according to the PIV standards. Note: This template is mandatory. See Create the PIV - Content Signer (device) certificate template.

Once you have created the certificate templates, you need to make them available for issuance. You also need to permit the serialNumber attribute to be added to the Subject DN of issued certificates and permit the piv-interim extension in issued certificates. See Make PIV certificates available for issuance.
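The three CA-side settings named above (publishing the templates, allowing serialNumber in the Subject DN, and allowing the piv-interim extension through from the request) can be applied and then verified with certutil on the issuing CA. The following is an added example, not a procedure from this page or from Identity as a Service: the template common names are assumptions (use the names your CA reports with `certutil -template`), the certificate path is a placeholder, and the extension OID is the one FIPS 201 assigns to the NACI indicator (piv-interim) extension, which this page does not state, so check it against your PIV profile.

```powershell
# Added example: CA configuration for PIV issuance on a Microsoft CA.
# Run in an elevated PowerShell session on the issuing CA as a CA administrator.

# Assumed template common names (not from the page); list yours with: certutil -template
$templates = @('PIVAuthentication', 'PIVCardAuthentication',
               'PIVDigitalSignature', 'PIVKeyManagement', 'PIVContentSigner')

# id-piv-NACI ("piv-interim") extension OID from FIPS 201 / SP 800-73; supplied here, not by the page.
$pivInterimOid = '2.16.840.1.101.3.6.9.1'

# 1. Publish the templates so the CA will issue against them.
foreach ($t in $templates) {
    certutil -SetCATemplates "+$t" | Out-Null
}

# 2. Allow serialNumber as a Subject DN component taken from the request.
#    SubjectTemplate lists the RDN types the CA accepts; "+" appends one.
certutil -setreg 'ca\SubjectTemplate' '+SerialNumber'

# 3. Allow the piv-interim extension to be copied from the request into the issued
#    certificate. Extensions not on this list are silently dropped by the policy module.
certutil -setreg 'policy\EnableRequestExtensionList' "+$pivInterimOid"

# Registry changes take effect only after the service restarts.
Restart-Service certsvc

# Verification: confirm all three settings before connecting the enrollment system.
certutil -CATemplates
certutil -getreg 'ca\SubjectTemplate'
certutil -getreg 'policy\EnableRequestExtensionList'

# Post-issuance check on an exported certificate: does the Subject carry a
# SERIALNUMBER RDN and does the certificate carry the piv-interim extension?
function Test-PivCertificate {
    param([Parameter(Mandatory)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    [pscustomobject]@{
        Subject            = $cert.Subject
        HasSerialNumberRdn = [bool]($cert.Subject -match '(^|,\s*)SERIALNUMBER=')
        HasPivInterimExt   = [bool]($cert.Extensions | Where-Object { $_.Oid.Value -eq $pivInterimOid })
    }
}

# Placeholder path; point this at a certificate issued from one of the PIV templates.
Test-PivCertificate -Path 'C:\temp\issued-piv-auth.cer'
```

If either property in the Test-PivCertificate output is False, the corresponding CA setting (SubjectTemplate or EnableRequestExtensionList) was not applied or the service was not restarted after the change; re-run the matching certutil -getreg command to confirm which.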

IMPORTANT: Before you begin, complete the procedure Set Certificate Authority permissions.