This article describes how to manage the PIVKey throughout the lifecycle of the device. It is useful for setting up a test environment, as well as for planning a production system.
Prerequisites
Make sure the PIVKey is up and working on your PC, see this article on testing the PIVKey.
Install the Administration Tools
Install the Admin Installer on the enrollment station or server where the digital certificates will be loaded onto the card. If you are accessing the enrollment station via RDP, the installation must be on the server, not the client. The default PIVKey Admin Installer can be found on the PIVKey Admin Download Page.
If you want to use the Windows PIV minidriver, or any other PIV compatible middleware, the certificates must be available to the PIV smart card interface. In order to make Minidriver Certificates available to the PIV smart card interface, you will need to map the certificates and keys to the PIV certificate slots. This can be done in two ways.
Option 1 for mapping: Run the PIVKey Tool to Map Certificates.
If you have a small deployment or cannot change the certificate template on the server, the PIVKey Tool allows you to manually map certificates. If you have just one to three certificates, you can usually get by with running the following:
pivkeytool.exe --mapdefault --userpin "000000"
Variable
--userpin = the current User PIN.
For more detailed information on this type of mapping see the article on Mapping Certificates using the PIVKey tool.
If you are deploying using the PIVKey minidriver, mapping the certificates is optional. However, if you don't map the certificates, they will not be visible using the standard PIV interface (such as with the Windows smart card minidriver). If you want to use certificates that are not mapped, you will have to install the PIVKey minidriver on every client machine you want to support.
Option 2 for mapping: Assign the Certificate Mapping OID to the relevant CA Certificate Template.
The PIVKey Admin Minidriver parses the certificates, and recognizes the following PIVKey Specific OIDs:
| PIV Certificate | OID |
| --- | --- |
| Certificate for Authentication (9A) | 1.3.6.1.4.1.44986.2.1.1 |
| Certificate for Digital Signature (9C) | 1.3.6.1.4.1.44986.2.1.0 |
| Certificate for Key Management (9D) | 1.3.6.1.4.1.44986.2.1.2 |
| Certificate for Card Authentication (9E) | 1.3.6.1.4.1.44986.2.5.0 |
When a certificate contains one of these OIDs, the PIVKey Admin Minidriver recognizes that the certificate (and its associated key) belongs to the corresponding PIV slot and does the mapping accordingly. For more information on this type of mapping see the article Mapping PIV Certificate using OIDs.
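To check, before issuing cards, that a template's mapping OID actually made it into an issued certificate and which slot it selects, the following added example (not PIVKey's own code) DER-encodes the four OIDs from the table and searches for them in a certificate's raw DER bytes. It is a byte-level check rather than a full X.509 parser, and the sample input is a constructed DER fragment standing in for a certificate's extension data.

```python
"""Which PIV slot would the PIVKey Admin Minidriver map a certificate to?

Added example: the PIVKey mapping OIDs are DER-encoded as complete TLVs and
looked up in the certificate's DER, so a prefix of a longer OID cannot match.
"""

# PIVKey-specific mapping OIDs from the table above, keyed by PIV slot.
PIVKEY_SLOT_OIDS = {
    "9A": "1.3.6.1.4.1.44986.2.1.1",  # Certificate for Authentication
    "9C": "1.3.6.1.4.1.44986.2.1.0",  # Certificate for Digital Signature
    "9D": "1.3.6.1.4.1.44986.2.1.2",  # Certificate for Key Management
    "9E": "1.3.6.1.4.1.44986.2.5.0",  # Certificate for Card Authentication
}


def _base128(n: int) -> bytes:
    """Encode one OID arc as big-endian base-128 with continuation bits set."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_oid(dotted: str) -> bytes:
    """Return the complete DER TLV (tag 0x06, length, content) for a dotted OID."""
    arcs = [int(a) for a in dotted.split(".")]
    content = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    if len(content) >= 128:
        raise ValueError("long-form DER length not needed for these OIDs")
    return bytes([0x06, len(content)]) + content


def pivkey_slots_in_cert(cert_der: bytes) -> list:
    """List the PIV slots whose PIVKey mapping OID appears, as a full TLV, in the DER."""
    return [slot for slot, oid in PIVKEY_SLOT_OIDS.items() if encode_oid(oid) in cert_der]


# Constructed sample: a minimal DER SEQUENCE carrying id-kp-clientAuth plus the
# 9A mapping OID, standing in for the extension content of a real certificate.
SAMPLE_CONTENT = encode_oid("1.3.6.1.5.5.7.3.2") + encode_oid(PIVKEY_SLOT_OIDS["9A"])
SAMPLE_DER = bytes([0x30, len(SAMPLE_CONTENT)]) + SAMPLE_CONTENT

if __name__ == "__main__":
    print("Slots selected by sample certificate:", pivkey_slots_in_cert(SAMPLE_DER))
```

To run it against a real card certificate, export the certificate in DER form and pass its bytes to `pivkey_slots_in_cert`; an empty result means the Admin Minidriver has no OID to map on, and the PIVKey Tool mapping described under Option 1 is needed instead.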
Enroll a Smart Card certificate on the card
To manually request a certificate for the PIVKey, run mmc.exe and add the Certificates snap-in. Right-click the "Personal" folder and select "Request New Certificate".
For bulk issuance, you can use Windows Certreq.exe.
To learn more about setting up a Certificate Template on your Windows CA, and to enroll users, see the Windows CA Section of the PIVKey knowledgebase.
To use the PIVKey with a different CA, see the instructions for the CA. For authentication or signing certificates, we recommend that you use a CA enrollment agent that supports generating the Cryptographic keys on the PIVKey, rather than loading the keys into the card after the fact.
You can also manually load certificates using the vSEC_CMS utility, or the Windows "Certutil" utility.
If you are not using the PIVKey Certificate OIDs for mapping, run the PIVKey Tool to map the certificates as described above.
For test cards we recommend that you do not change the default Admin Key. If you do change it, make sure you store the key: you will need it if the card is blocked by entering the wrong user PIN too many times.
For production cards you must change the default Admin Key and User PIN prior to issuing the card to the end user.
To change the Admin Key you can use the vSEC-CMS utility or the PIVKey Tool. At this time we do not recommend using both; see Incorrect Admin Key.
The default Admin Key is: "000000000000000000000000000000000000000000000000". The key is forty-eight (48) zeroes, which represent 24 hex bytes.
--adminkey = the current admin key.
To change the PIN you can use the PIVKey Tool as follows:
pivkeytool.exe --changepin "111111" --userpin "000000"
Variables:
--changepin = the new PIN.
--userpin = the current PIN; the default PIN is "000000".
You can also use the Versatile Security vSEC:CMS utility to change the user PIN and Admin Key.
For larger deployments we recommend that you use a Card Management System such as Microsoft Forefront Identity Manager, or Versatile Security CMS. This ensures the security of the keys, and the auditability of the processes.
WARNING: Authenticating with the wrong Admin Key will block the card after 5 tries. Make sure you verify you are using the correct Admin Key.