PIV Settings

Anthony - Versasec Support

Introduction

This article explains the settings that can be configured from the Options - PIV page.

Important
The settings configured here are global which means that any PIV credential that vSEC:CMS manages will apply these settings.
Important
Please note the following limitations:
  • It is not possible to manage an iris object on a PIV credential. This feature is not yet fully implemented in vSEC:CMS; currently vSEC:CMS encodes a fixed, hard-coded value into this object.
  • It is not possible to manage a fingerprint object on a PIV credential. This feature is not yet fully implemented in vSEC:CMS; currently vSEC:CMS encodes a fixed, hard-coded value into this object.
  • It is not possible to manage a photo object on a PIV credential. This feature is not yet fully implemented in vSEC:CMS; currently vSEC:CMS encodes a fixed, hard-coded value into this object.
  • It is not possible to import root CA certificates onto the smart card. This is inherent to the PIV smart card.
  • There is no default key container on the smart card. This is inherent to the PIV smart card.
  • For the management of Oberthur tokens and tokens that use the OpenPIV applet, the card manager key for those tokens must be known to vSEC:CMS. It is required for the secure messaging used when operating on these tokens.

PIV Card Object Signing

In this section you can configure the certificate that can be used to sign PIV objects if that is required in your environment. The following PIV objects, as per the PIV specification, will be signed:

  • CHUID: OID=2.16.840.1.101.3.7.2.48.0;
  • SecurityObject (SO): OID=2.16.840.1.101.3.7.2.144.0.
Important
Signing of PIV objects is not required in all circumstances. Enable this feature only if the PIV credential will be used with components that require these objects to be signed.

Uncheck the Disable PIV card object signing checkbox if PIV object signing is to be performed. vSEC:CMS then searches the local certificate store of the Windows user account you are logged into the host with and populates the drop-down list with all certificates it finds. Select the certificate intended for this task from that list.

Enable Signing by service if a signing certificate available to the vSEC:CMS service should be used instead. This is the recommended way to sign PIV objects if this feature is going to be used. The signing certificate must then be present in the certificate store of the vSEC:CMS service, which can be configured through the Windows MMC. Guideline steps follow.

1. Open up MMC on the server where the vSEC:CMS is running. From File - Add/Remove Snap-in select Certificates and click Add.

2. Select Service account radio button and click Next and Next again. From the service account list select vSEC:CMS Service and click Finish.

3. Expand vSEC:CMS Service\Personal and right click Certificates and select All Tasks - Import to import a signing certificate that can be used or use the Advanced Operations to generate a certificate request that can be used. It is out of scope of this article to describe how to issue such certificates. Please consult your PKI team for assistance with this.

Enable the Check certificate validity before signing checkbox if the validity of the signing certificate is to be checked before a card object is signed. Enable the Stop card issuance before expiry date checkbox and enter a number of days if smart card issuance is to be refused once the signing certificate is within that many days of expiry. Enable the Warn before stop checkbox and enter a number of days before the stop criterion takes effect; the operator then receives a warning message during card issuance while the certificate is within that warning window.
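As an added example (not vSEC:CMS code), the following Python combines the three checks above into a single issuance gate: certificate validity, the stop threshold counted back from the expiry date, and the warning window counted back from the stop point. The sample validity window and threshold values are constructed; treating the day boundaries as inclusive is this example's assumption, not documented vSEC:CMS behaviour.

```python
from datetime import datetime, timezone


def issuance_decision(not_before, not_after, now, stop_days, warn_days):
    """Gate card issuance on the PIV object-signing certificate.

    stop_days: the "Stop card issuance before expiry date" value, in days.
    warn_days: the "Warn before stop" value, counted back from the stop point,
               so the warning window starts stop_days + warn_days before expiry.
    Returns ("ok" | "warn" | "stop", days_remaining). Inclusive (<=) boundaries
    are this example's assumption.
    """
    days_remaining = (not_after - now).days
    # "Check certificate validity before signing": outside the window, never sign.
    if not (not_before <= now <= not_after):
        return "stop", days_remaining
    if days_remaining <= stop_days:
        return "stop", days_remaining
    if days_remaining <= stop_days + warn_days:
        return "warn", days_remaining
    return "ok", days_remaining


# Constructed sample: a one-year signing certificate with a 30-day stop
# threshold and a 14-day warning window before it.
NOT_BEFORE = datetime(2024, 1, 1, tzinfo=timezone.utc)
NOT_AFTER = datetime(2025, 1, 1, tzinfo=timezone.utc)
STOP_DAYS, WARN_DAYS = 30, 14


def decision_on(year, month, day):
    """Decision for an issuance attempt on the given UTC date."""
    now = datetime(year, month, day, tzinfo=timezone.utc)
    return issuance_decision(NOT_BEFORE, NOT_AFTER, now, STOP_DAYS, WARN_DAYS)


if __name__ == "__main__":
    for date in ((2024, 6, 1), (2024, 11, 20), (2024, 12, 20), (2025, 1, 2)):
        print(date, decision_on(*date))
```

Note that the warning window is relative to the stop date, not the expiry date: with the values above, an operator is warned from 44 days before expiry and issuance stops at 30 days.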

PIV Virtual Contact Interface

In this section you can configure the Discovery Object, as specified in the PIV specification, that vSEC:CMS encodes when it issues a PIV credential. The PIN usage policy in this object indicates whether a virtual contact interface (VCI) may be established over the contactless interface and whether a pairing code is required to do so. Check the Enable virtual interface (VCI) at smart card registration box if this object is to be set during issuance. Check Pairing code is required to establish a VCI if a pairing code is required in your environment.

FASC-N Encoding

In this section you can configure the values that will be encoded onto the PIV credential in the FASC-N object, as per the PIV specification. Click Configure to open the dialog in which the FASC-N fields are set. Select the configuration and settings appropriate to your requirements and click Ok to save and close.


Note
The Credential Number (CN) field is generated randomly by vSEC:CMS. A new CN is generated every time a PIV credential is registered with vSEC:CMS, and this page shows how many have been generated so far.
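As an added example (not vSEC:CMS or Versasec code), the following Python encodes the fields set in the FASC-N dialog into the 25-byte FASC-N object carried in the CHUID, and parses one back while checking per-character parity, the sentinels and separators, and the trailing LRC. The field layout and the 5-bit BCD character set follow the TIG SCEPACS / NIST SP 800-73 FASC-N definition; the field names, the test vector and the CSPRNG-based credential number generator are this example's own constructions.

```python
"""FASC-N encoder/decoder (added example; not vSEC:CMS code).
Layout and 5-bit BCD character set per TIG SCEPACS / NIST SP 800-73.
Field values below are constructed for illustration."""
import secrets

# Non-digit characters as 4-bit values. Every character is sent as its four
# data bits least-significant bit first, followed by one odd-parity bit.
SS, FS, ES = 0xB, 0xD, 0xF  # start sentinel, field separator, end sentinel

# (field name, number of decimal digits). Each of the first five fields is
# followed by FS; the last four run together and are followed by ES and LRC.
FIELDS = [("agency_code", 4), ("system_code", 4), ("credential_number", 6),
          ("credential_series", 1), ("individual_credential_issue", 1),
          ("person_identifier", 10), ("organizational_category", 1),
          ("organizational_identifier", 4), ("association_category", 1)]
SEPARATED_FIELDS = 5
FASCN_LEN = 25  # 40 characters x 5 bits = 200 bits


def _char_bits(value):
    """Five bits for one character: b1..b4 (LSB first) plus an odd parity bit."""
    data = [(value >> i) & 1 for i in range(4)]
    return data + [1 - (sum(data) & 1)]


def _lrc(chars):
    """LRC data nibble: XOR of the data bits of every preceding character."""
    acc = 0
    for c in chars:
        acc ^= c
    return acc


def _characters(fields):
    """Character sequence SS ... ES (4-bit values), without the trailing LRC."""
    chars = [SS]
    for idx, (name, width) in enumerate(FIELDS):
        digits = str(fields[name]).zfill(width)
        if not digits.isdigit() or len(digits) != width:
            raise ValueError(f"{name} must be {width} decimal digits")
        chars.extend(int(d) for d in digits)
        if idx < SEPARATED_FIELDS:
            chars.append(FS)
    chars.append(ES)
    return chars


def encode_fascn(fields):
    """Encode a dict of field values into the 25-byte FASC-N blob (MSB first)."""
    chars = _characters(fields)
    chars.append(_lrc(chars))
    bits = [b for c in chars for b in _char_bits(c)]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, FASCN_LEN * 8, 8))


def decode_fascn(blob):
    """Parse a 25-byte FASC-N, checking parity, sentinels, separators and LRC."""
    if len(blob) != FASCN_LEN:
        raise ValueError(f"FASC-N must be {FASCN_LEN} bytes, got {len(blob)}")
    bits = [(byte >> (7 - i)) & 1 for byte in blob for i in range(8)]
    groups = [bits[p:p + 5] for p in range(0, len(bits), 5)]
    if any(sum(g) % 2 == 0 for g in groups):
        raise ValueError("parity error")
    chars = [sum(b << i for i, b in enumerate(g[:4])) for g in groups]
    if chars[0] != SS or chars[-2] != ES:
        raise ValueError("missing start or end sentinel")
    if chars[-1] != _lrc(chars[:-1]):
        raise ValueError("LRC mismatch")
    body, fields = iter(chars[1:-2]), {}
    for idx, (name, width) in enumerate(FIELDS):
        digits = [next(body) for _ in range(width)]
        if any(d > 9 for d in digits):
            raise ValueError(f"non-digit character in {name}")
        fields[name] = "".join(map(str, digits))
        if idx < SEPARATED_FIELDS and next(body) != FS:
            raise ValueError(f"expected field separator after {name}")
    return fields


def fascn_is_valid(blob):
    """True if the blob parses cleanly; False on any structural or check error."""
    try:
        decode_fascn(blob)
    except ValueError:
        return False
    return True


def new_credential_number():
    """Random six-digit CN from the OS CSPRNG (this example's own generator)."""
    return f"{secrets.randbelow(1_000_000):06d}"


# Constructed test vector: all-nines agency, system and credential number.
TEST_FIELDS = {
    "agency_code": "9999", "system_code": "9999", "credential_number": "999999",
    "credential_series": "0", "individual_credential_issue": "1",
    "person_identifier": "0000000000", "organizational_category": "3",
    "organizational_identifier": "0000", "association_category": "1",
}
TEST_BLOB = bytes.fromhex("D4E739DA739CED39CE739D836858210842108421C84210C3EB")

if __name__ == "__main__":
    blob = encode_fascn(dict(TEST_FIELDS, credential_number=new_credential_number()))
    print(blob.hex().upper(), decode_fascn(blob))
```

The LRC and per-character parity only catch accidental corruption; they are not an integrity protection. The CHUID signature described in the PIV Card Object Signing section is what binds the FASC-N to the card.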