Mapping a PIV Certificate using an OID

Note: Automatic Certificate Mapping requires PIVKey Admin Product version 7.1 or later.

To be recognized on the PIV Smart Card interface, a certificate must be mapped to one of the PIV certificate key slots. This can be done by including one of the following OIDs to the Certificate Template you want to assign to the particular slot.  You will need a separate Smart Card Certificate template for each PIV certificate key slot to be mapped.

Note: To learn more about how to create and customize certificate templates, see the Windows CA Section of the PIVKey knowledgebase

The following examples show how to map a Smartcard User or Logon certificate to the PIV 9A Authentication OID in the certificate template set-up.  (Note that this example reflects the mapping necessary for user logon when the PIVKey software will not be installed on the user or client machines.)  Two examples are shown because Windows Server 2008 R2 looks a bit different than Windows Server 20012 R2 and Windows Server 2016.

Windows Server 2008 R2:

To add the OID to the template in Windows Server 2008 R2, open the Server Manager on the Windows CA server, and open the relevant certificate template.

Select the "Extensions" tab. click on "Application Policies" and click "add" to add a new OID.

Windows Server 2012 R2 and Windows Server 2016:

To add the OID to the template in Windows Server 2012 R2 or Windows Server 2016, in the Server Manager, go to Tools, choose Certificate Authority.  Expand your server name, right click the Certificate Templates folder and choose Manage.  A new window opens with a list of templates will be in the middle pane.  (For template creation screen shots, see the articles about setting up certificate templates in the Windows CA section of the PIVKey knowledgebase. )

Right click the relevant certificate template and choose Properties.


Select the Extensions tab, then Application Policies, and Edit.


Select Add...


Then New



Give the new OID a name (we suggest you include the slot name in the title, as shown above in the example "PIVKey Mapped to Certificate for Authentication (9A)"). This application policy will show the name, but only on computers associated with the domain.


Below are the OIDs (Object Identifiers) for the PIV slots.

PIV Certificate  OID
Certificate for Authentication (9A)
Certificate for Digital Signature (9C)
Certificate for Key Management (9D)
Certificate for Card Authentication (9E)
Have more questions? Submit a request


Article is closed for comments.
Powered by Zendesk