PIVKey Deployment Overview

This article describes how to manage the PIVKey throughout the lifecycle of the device. It is useful for testing the device, as well as for planning a production system.


Make sure the PIVKey is up and working on your PC. See for example this article on testing the PIVKey.

Install the Administration Tools

Install the admin Installer on the enrollment station or server where the digital certificates will be loaded onto the card. If you are accessing the enrollment station via RDP, the installation must be on the server, not the client. The default PIVKey Admin Installer can be found on the PIVKey Admin Download Page.

Decide how to deploy PIVKey
You can deploy PIVkey in 2 ways: installing the PIVKey Minidriver on each client device, or using the default Windows PIV minidriver in windows or a 3rd party PIV middleware.
Option 1: To deploy using the PIVKey Minidriver, simply install the User Minidriver on all machines where you want to use the card. The User Installer is available here.
Option 2: To deploy using the standard Windows PIV minidriver, or any other middleware that supports PIV cards, you must map the PIV certificates.
Decide how to Map the PIV Certificates
WARNING: If you use the Windows PIV minidriver, make sure you finish adding certificates and mapping the keys before deploying the card. Windows caches the PIV card information, and if you change the card after deploying it, you may get a "Key Container Not Found Error".

If you want to use the Windows PIV minidriver, or any other PIV compatible middleware, the certificates must be available to the PIV smart card interface. In order to make Minidriver Certificates available to the PIV smart card interface, you will need to map the Minidriver Certificates and keys to the PIV certificates. This can be done in 2 ways.

Option 1: Run the PIVKey Tool to Map Certificates.

If you have a small deployment or cannot change the certificate template, the PIVKey Tool allows you to manually map certificates. If you have just one to three certificates, you can usually get by by running the following:

pivkeytool.exe --mapdefault --userpin "000000"

--userpin = the current User PIN.

For more information on Mapping Certificates see the article on Mapping Certificates using the PIVKey tool.

If you are deploying using the PIVKey minidriver, mapping the certificates is optional. However, if you don't map the certificates, they will not be visible using the PIV interface. If you want to use those certificates, you will have to install the PIVKey minidriver on every client machine you want to support.

Option 2: Assign the Certificate Mapping OID to the relevant CA Certificate Template.

The PIVKey Admin Minidriver parses the certificates, and recognizes the following PIVKey Specific OIDs:

PIV Certificate OID
Certificate for Authentication (9A)
Certificate for Digital Signature (9C)
Certificate for Key Management (9D)
Certificate for Card Authentication (9E)

When a certificate has the particular OID, the PIVKey Admin Minidriver recognizes that the particular certificate (and the associated key) belongs to a particular PIV slot and does the mapping accordingly. For more information see the Article on Mapping PIV Certificate using OIDs.

Enroll a Smart Card certificate on the card.

To manually request a certificate for PIVKey, run mmc.exe. Add the Certificate Snap In. Right click on the "Personal" directory and select "Request New Certificate".

For bulk issuance, you can use Windows Certreq.exe.

To learn more about setting up a Certificate Template on your Windows CA, and to enroll users, see the  Windows CA Section of the PIVKey knowledgebase. 

To use the PIVKey with a different CA, see the instructions for the CA. For authentication or signing certificates, we recommend that you use a CA enrollment agent that supports generating the Cryptographic keys on the PIVKey, rather than loading the keys into the card after the fact.

You can also manually load certificates using the vSEC/CMS utility, or the Windows "Certutil" utility.

If you are not using the PIVKey Certificate OIDs for mapping, make sure to run the PIVKey tool to map certificates as described above.
Change the default Admin Key and end User PIN

For test cards we recommend that you do not change the default Admin key. If you do change it make sure you store the key. You will need it if or when you block the card.

For production cards you must change the default Admin Key and User PIN prior to issuing the card to the end user.

To change the Admin Key you can use the vSEC-CMS utility, or the PIVKey Tool:

pivkeytool.exe --changeadminkey "111111111111111111111111111111111111111111111111" --adminkey "000000000000000000000000000000000000000000000000"

The default Admin Key is: "000000000000000000000000000000000000000000000000" The key is forty eight (48) zeroes which represent 24 HEX bytes.

--adminkey = the current admin key.
--changeadminkey = the new Admin Key.
If you plan to keep the Admin Key to be able to unblock the PIN, make sure you store the new Admin Key in a very secure place. Do not store the Admin Key in plain text on a networked system. Either print it out, or store it on a USB key.
If you are subject to audits of your security processes, or need very high security, consider using a Card Management system, or do not store the Admin Key at all. Instead use a random Admin Key for each card.

To change the PIN you can use the PIVKey Tool as followed:

pivkeytool.exe --changepin "111111" --userpin "000000"

--changepin = the new pin
--userpin = the current PIN, the default PIN is "000000".

You can also use the Versatile Security vSEC:CMS utility to change the user PIN and Admin Key.

For larger deployments we recommend that you use a Card Management System such as Microsoft Forefront Identity Manager, or Versatile Security CMS. This ensures the security of the keys, and the auditability of the processes.

WARNING: Authenticating with the wrong Admin Key will block the card after 5 tries. Make sure you verify you are using the correct Admin Key.


Have more questions? Submit a request


Article is closed for comments.
Powered by Zendesk