PIVKey Deployment Overview

This article describes how to manage the PIVKey throughout the lifecycle of the device. It is useful for setting up a test environment, as well as for planning a production system.

Prerequisites

Make sure the PIVKey is up and working on your PC; see the article on testing the PIVKey.

Install the Administration Tools

Install the Admin Installer on the enrollment station or server where the digital certificates will be loaded onto the card. If you are accessing the enrollment station via RDP, the installation must be on the server, not the client. The default PIVKey Admin Installer can be found on the PIVKey Admin Download Page.

Decide how to deploy PIVKey
 
You can deploy PIVKey in two ways: installing the PIVKey Minidriver on each client device, or using the default Windows PIV minidriver or a third-party PIV middleware.
 
Option 1: To deploy using the PIVKey Minidriver, simply install the User PIVKey Minidriver on all machines where you want to use the PIVKeys. The User PIVKey Installer is available here.
 
Option 2: To deploy using the standard Windows PIV minidriver, or any other middleware that supports PIV cards, you must map the certificates to the PIV slots.
 
Decide how to Map the PIV Certificates (for option 2)
 
WARNING: If you use the Windows PIV minidriver, make sure you finish adding certificates and mapping the keys before deploying the card. Windows caches the PIV card information, and if you change the card after deploying it, you may get a "Key Container Not Found Error".

If you want to use the Windows PIV minidriver, or any other PIV compatible middleware, the certificates must be available to the PIV smart card interface. In order to make Minidriver Certificates available to the PIV smart card interface, you will need to map the certificates and keys to the PIV certificate slots. This can be done in two ways.

Option 1 for mapping: Run the PIVKey Tool to Map Certificates.

If you have a small deployment or cannot change the certificate template on the server, the PIVKey Tool allows you to manually map certificates. If you have just one to three certificates, you can usually get by with running the following:

pivkeytool.exe --mapdefault --userpin "000000"

Variable:
--userpin = the current User PIN.

For more detailed information on this type of mapping see the article on Mapping Certificates using the PIVKey tool.

If you are deploying using the PIVKey minidriver, mapping the certificates is optional. However, if you don't map the certificates, they will not be visible using the standard PIV interface (such as with the Windows smart card minidriver). If you want to use certificates that are not mapped, you will have to install the PIVKey minidriver on every client machine you want to support.

Option 2 for mapping: Assign the Certificate Mapping OID to the relevant CA Certificate Template.

The PIVKey Admin Minidriver parses the certificates, and recognizes the following PIVKey Specific OIDs:

PIV Certificate                                 OID
Certificate for Authentication (9A)             1.3.6.1.4.1.44986.2.1.1
Certificate for Digital Signature (9C)          1.3.6.1.4.1.44986.2.1.0
Certificate for Key Management (9D)             1.3.6.1.4.1.44986.2.1.2
Certificate for Card Authentication (9E)        1.3.6.1.4.1.44986.2.5.0

When a certificate has the particular OID, the PIVKey Admin Minidriver recognizes that the particular certificate (and the associated key) belongs to a particular PIV slot and does the mapping accordingly. For more information on this type of mapping see the article Mapping PIV Certificate using OIDs.
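As an added example (not part of the PIVKey documentation or tooling), the following PowerShell reports, for every certificate with a private key in the current user's Personal store, which PIV slot its mapping OID selects, so a template can be verified before cards are issued. It assumes the mapping OID appears either as an extension OID or inside the Enhanced Key Usage extension, which depends on how the template was configured.

```powershell
# Added example, not part of the PIVKey documentation.
# The four PIVKey certificate-mapping OIDs from the table above, keyed to PIV slots.
$PivSlotByOid = @{
    '1.3.6.1.4.1.44986.2.1.1' = '9A Authentication'
    '1.3.6.1.4.1.44986.2.1.0' = '9C Digital Signature'
    '1.3.6.1.4.1.44986.2.1.2' = '9D Key Management'
    '1.3.6.1.4.1.44986.2.5.0' = '9E Card Authentication'
}

function Get-PivSlotMapping {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # Collect every OID the certificate carries: the extension OIDs themselves plus
    # the OIDs inside the Enhanced Key Usage extension. Assumption: the template
    # places the mapping OID in one of these two locations.
    $oids = @()
    foreach ($ext in $Certificate.Extensions) {
        $oids += $ext.Oid.Value
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $oids += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    $found = @($oids | Where-Object { $PivSlotByOid.ContainsKey($_) } | Select-Object -Unique)

    # Exactly one mapping OID is the healthy case. Zero means the certificate is only
    # visible through the PIVKey minidriver; two or more is a template error.
    $slot = switch ($found.Count) {
        0       { 'UNMAPPED (use pivkeytool.exe --mapdefault or fix the template)' }
        1       { $PivSlotByOid[$found[0]] }
        default { 'CONFLICT: ' + ($found -join ', ') }
    }
    [pscustomobject]@{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        Slot       = $slot
    }
}

# Report every certificate with a private key in the current user's Personal store.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Get-PivSlotMapping -Certificate $_ } |
    Format-Table -AutoSize
```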

Enroll a Smart Card certificate on the card

To manually request a certificate for PIVKey, run mmc.exe and add the Certificates snap-in. Right-click the "Personal" store and select "Request New Certificate".

For bulk issuance, you can use Windows Certreq.exe.

To learn more about setting up a Certificate Template on your Windows CA, and to enroll users, see the Windows CA Section of the PIVKey knowledgebase.

To use the PIVKey with a different CA, see the instructions for the CA. For authentication or signing certificates, we recommend that you use a CA enrollment agent that supports generating the cryptographic keys on the PIVKey, rather than loading the keys into the card after the fact.

You can also manually load certificates using the vSEC:CMS utility, or the Windows "Certutil" utility.

If you are not using the PIVKey Certificate OIDs for mapping, make sure to run the PIVKey tool to map certificates if needed as described above.
 
Change the default Admin Key and end User PIN

For test cards we recommend that you do not change the default Admin key. If you do change it make sure you store the key. You will need it if you block the card by entering the wrong user PIN too many times.

For production cards you must change the default Admin Key and User PIN prior to issuing the card to the end user.

To change the Admin Key you can use the vSEC:CMS utility, or the PIVKey Tool. At this time we do not recommend using both; see Incorrect Admin Key.

Example command to change the Admin Key:

pivkeytool.exe --changeadminkey "111111111111111111111111111111111111111111111111" --adminkey "000000000000000000000000000000000000000000000000"

The default Admin Key is "000000000000000000000000000000000000000000000000". The key is forty-eight (48) zeroes, which represent 24 hex bytes.

Variables:
--adminkey = the current admin key.
--changeadminkey = the new Admin Key.
 
If you plan to keep the Admin Key to be able to unblock the PIN, make sure you store the new Admin Key in a very secure place. Do not store the Admin Key in plain text on a networked system. Either print it out, or store it on a USB key.
 
If you are subject to audits of your security processes, or need very high security, consider using a Card Management system, or do not store the Admin Key at all. Instead use a random Admin Key for each card. In this case, where the Admin Key is random and not stored, the PIVKey user PIN cannot be unblocked.

To change the PIN you can use the PIVKey Tool as follows:

pivkeytool.exe --changepin "111111" --userpin "000000"

Variables:
--changepin = the new PIN.
--userpin = the current PIN; the default PIN is "000000".
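The following PowerShell, added here as an example and not part of the PIVKey tooling, personalises one card end to end: it generates a random 48-hex-character Admin Key, applies it and a new User PIN with the pivkeytool.exe switches shown above, and records the key only on removable media as this article recommends. It assumes pivkeytool.exe is on the PATH and sets a nonzero exit code on failure; the drive path and card label are placeholders.

```powershell
# Added example, not part of the PIVKey tooling. Assumes pivkeytool.exe is on the
# PATH and returns a nonzero exit code on failure (verify against your version).
param(
    [Parameter(Mandatory)][string]$CardLabel,            # e.g. asset tag; ties the record to a card
    [Parameter(Mandatory)][string]$NewUserPin,           # delivered to the user out of band
    [ValidatePattern('^[0-9A-Fa-f]{48}$')]
    [string]$CurrentAdminKey = ('0' * 48),               # factory default: 48 zeroes
    [string]$CurrentUserPin  = '000000',                 # factory default PIN
    [string]$OfflineKeyStore = 'E:\pivkey-admin-keys'    # placeholder: removable media, never a share
)

function New-RandomAdminKey {
    # 24 random bytes rendered as 48 hex characters, the format pivkeytool.exe expects.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return (($bytes | ForEach-Object { $_.ToString('X2') }) -join '')
}

function Invoke-PivKeyTool {
    param([string[]]$ToolArgs)
    & pivkeytool.exe @ToolArgs
    if ($LASTEXITCODE -ne 0) {
        # Fail fast: every attempt with a wrong Admin Key counts toward the 5-try block.
        throw "pivkeytool.exe failed (exit $LASTEXITCODE) on $($ToolArgs[0])"
    }
}

$newAdminKey = New-RandomAdminKey

# 1. Replace the factory Admin Key (--changeadminkey = new key, --adminkey = current key).
Invoke-PivKeyTool -ToolArgs @('--changeadminkey', $newAdminKey, '--adminkey', $CurrentAdminKey)

# 2. Replace the factory User PIN (--changepin = new PIN, --userpin = current PIN).
Invoke-PivKeyTool -ToolArgs @('--changepin', $NewUserPin, '--userpin', $CurrentUserPin)

# 3. Keep the Admin Key offline only; it is the sole way to unblock this card's PIN later.
if (-not (Test-Path $OfflineKeyStore)) {
    New-Item -ItemType Directory -Path $OfflineKeyStore | Out-Null
}
[pscustomobject]@{
    Issued    = (Get-Date -Format o)
    CardLabel = $CardLabel
    AdminKey  = $newAdminKey
} | Export-Csv -Path (Join-Path $OfflineKeyStore 'admin-keys.csv') -Append -NoTypeInformation
```

Omit step 3 to implement the "random Admin Key, not stored" variant described above; the card's PIN can then never be unblocked.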

You can also use the Versatile Security vSEC:CMS utility to change the user PIN and Admin Key.

For larger deployments we recommend that you use a Card Management System such as Microsoft Forefront Identity Manager, or Versatile Security CMS. This ensures the security of the keys, and the auditability of the processes.

WARNING: Authenticating with the wrong Admin Key will block the card after 5 tries. Make sure you verify you are using the correct Admin Key.

 
