This article describes how to manage the PIVKey throughout the lifecycle of the device. It is useful for testing the device, as well as for planning a production system.
Make sure the PIVKey is up and working on your PC. See for example this article on testing the PIVKey.
Install the Administration Tools
Install the admin Installer on the enrollment station or server where the digital certificates will be loaded onto the card. If you are accessing the enrollment station via RDP, the installation must be on the server, not the client. The default PIVKey Admin Installer can be found on the PIVKey Admin Download Page.
If you want to use the Windows PIV minidriver, or any other PIV compatible middleware, the certificates must be available to the PIV smart card interface. In order to make Minidriver Certificates available to the PIV smart card interface, you will need to map the Minidriver Certificates and keys to the PIV certificates. This can be done in 2 ways.
Option 1: Run the PIVKey Tool to Map Certificates.
If you have a small deployment or cannot change the certificate template, the PIVKey Tool allows you to manually map certificates. If you have just one to three certificates, you can usually get by by running the following:
pivkeytool.exe --mapdefault --userpin "000000"
--userpin = the current User PIN.
For more information on Mapping Certificates see the article on Mapping Certificates using the PIVKey tool.
If you are deploying using the PIVKey minidriver, mapping the certificates is optional. However, if you don't map the certificates, they will not be visible using the PIV interface. If you want to use those certificates, you will have to install the PIVKey minidriver on every client machine you want to support.
Option 2: Assign the Certificate Mapping OID to the relevant CA Certificate Template.
The PIVKey Admin Minidriver parses the certificates, and recognizes the following PIVKey Specific OIDs:
|Certificate for Authentication (9A)||188.8.131.52.4.1.449184.108.40.206|
|Certificate for Digital Signature (9C)||220.127.116.11.4.1.44918.104.22.168|
|Certificate for Key Management (9D)||22.214.171.124.4.1.449126.96.36.199|
|Certificate for Card Authentication (9E)||188.8.131.52.4.1.449184.108.40.206|
When a certificate has the particular OID, the PIVKey Admin Minidriver recognizes that the particular certificate (and the associated key) belongs to a particular PIV slot and does the mapping accordingly. For more information see the Article on Mapping PIV Certificate using OIDs.
Enroll a Smart Card certificate on the card.
To manually request a certificate for PIVKey, run mmc.exe. Add the Certificate Snap In. Right click on the "Personal" directory and select "Request New Certificate".
For bulk issuance, you can use Windows Certreq.exe.
To use the PIVKey with a different CA, see the instructions for the CA. For authentication or signing certificates, we recommend that you use a CA enrollment agent that supports generating the Cryptographic keys on the PIVKey, rather than loading the keys into the card after the fact.
You can also manually load certificates using the vSEC/CMS utility, or the Windows "Certutil" utility.If you are not using the PIVKey Certificate OIDs for mapping, make sure to run the PIVKey tool to map certificates as described above.
For test cards we recommend that you do not change the default Admin key. If you do change it make sure you store the key. You will need it if or when you block the card.
For production cards you must change the default Admin Key and User PIN prior to issuing the card to the end user.
To change the Admin Key you can use the vSEC-CMS utility, or the PIVKey Tool:
The default Admin Key is: "000000000000000000000000000000000000000000000000" The key is forty eight (48) zeroes which represent 24 HEX bytes.
--adminkey = the current admin key.
To change the PIN you can use the PIVKey Tool as followed:
pivkeytool.exe --changepin "111111" --userpin "000000"
--changepin = the new pin
--userpin = the current PIN, the default PIN is "000000".
You can also use the Versatile Security vSEC:CMS utility to change the user PIN and Admin Key.
For larger deployments we recommend that you use a Card Management System such as Microsoft Forefront Identity Manager, or Versatile Security CMS. This ensures the security of the keys, and the auditability of the processes.
WARNING: Authenticating with the wrong Admin Key will block the card after 5 tries. Make sure you verify you are using the correct Admin Key.