Try it out!
The first thing to do once you receive your PIVKey is to test it as outlined in this article.
Note: You don't need to have PIVKey software installed yet! This should allow you to verify that your PIVKey is being read and that the user PIN is set to six zeros (you will have to enter it when prompted).
Your PIVKey is used for storing digital certificates. These certificates are most often used for things such as logon, digital signatures, and encryption. Certificates are requested from, and issued by, a Certificate Authority (CA).
PIVKey is designed to be set up on a Windows system using the PIVKey minidriver (download information is located here). It supports any Windows-compatible Card Management System or can be set up directly using the Microsoft Windows Certificate Authority. That set of articles outlines how to create the Certificate Templates and request certificates to be loaded onto the PIVKey. It is assumed that these requirements are already met in your environment.
For an overview of the process of PIVKey deployment, see our PIVKey Deployment Overview. It discusses the decision of whether to map the certificates. Mapping the certificates to a PIV slot is required if the PIVKey will be used with a PIV interface, such as a Windows machine that does not have the PIVKey software installed. Mapping can be done via our command line tool after the certificate is on the PIVKey or set in the Certificate Template before the certificate is requested and issued.
PIVKey can be used with other Certificate Authorities, and certificates can be imported onto the PIVKey via the Windows command line utility “certutil”. PIVKey can also be used for standalone computer logon.
PIVKey can be used on Linux or Mac OSX with the installation of middleware; however, in these environments PIVKey is read-only! The standard PIVKey admin tool on Windows must be used to load certificates to the card.
Using PIVKey with the Firefox browser also requires an additional PKCS11 component that supports the PIV interface. OpenSC is an open source package that can do so.
Finally, changing the user PIN and Admin Key are important measures to be taken before deploying the PIVKey for use. You can change the user PIN with the PIVKey command line tool or the VSEC_CMS_K2.0 utility that is provided with the PIVKey Admin Tools. An end user can customize the user PIN via Windows. The user PIN should be 6-8 digits.
The Admin Key can only be changed if you have the PIVKey Admin Tools installed. Keep the Admin Key recorded in a secure location, as the security article explains, if you want the option to unblock the user PIN in the future. For maximum security, randomize the Admin Key (VSEC_CMS_2.0 provides a randomize option) and do not store it at all. Be sure to read this Admin Key article to avoid inadvertently blocking the PIVKey.