| layout | title | permalink |
|---|---|---|
default |
PIV, Derived PIV, and PIV-I Authentication Certificate Profile |
profiles/allpivauth3/ |
AS OF 12/20/2017 11:56 AM
Original intro: This profile specifies the unique settings required for X.509 PIV Authentication and Derived PIV Authentication certificates issued under the Common Policy CP,1 as well as PIV-I Authentication certificates issued under the FBCA CP.2 (For standard, detailed certificate information, see the ITU-T X.509 Recommendation3 and RFC 52804.)
New intro This combined profile specifies the unique settings for these 3 certificate types:
- PIV Authentication X.509 certificates issued under the Common Policy CP,1
- Derived PIV Authentication X.509 certificates issued under the Common Policy CP
- PIV-I Authentication X.509 certificates issued under the FBCA CP.2
(For standard, detailed certificate information, see the ITU-T X.509 Recommendation3 and RFC 52804.)
Treceability Matrix for PIV, Derived PIV, and PIV-I Authentication Certificate Profiles - Current Profile and Deprecated Versions
This profile supersedes 3 previously published profiles:
| Current Profile Number | Deprecated Certificate Profile Policy and Worksheet Number |
Deprecated Profile Worksheet |
|---|---|---|
| 1 | SSP 9{:target="_blank"}5 | PIV Authentication |
| 1 | SSP 11{:target="_blank"} | Common Derived PIV Authentication |
| 1 | PIV-I 5{:target="_blank"}6 | PIV-I Authentication |
| Field | Value |
|---|---|
| Version | V3 |
| Serial Number | Must be a unique, positive number. |
| Issuer Signature Algorithm | One of the following: sha256WithRSAEncryption {1.2.840.113549.1.1.11} ecdsa-with-SHA256 {1.2.840.10045.4.3.2} ecdsa-with-SHA384 {1.2.840.10045.4.3.3} ecdsa-with-SHA512 {1.2.840.10045.4.3.4} |
| Issuer | Unique X.500 Issuing CA Distinguished Name (DN). PrintableString encoding should be used whenever possible for Issuer and Subject DNs. |
| Validity Period | No longer than 3 years from date of issue. Expressed in UTCTime for dates until end of 2049 and GeneralizedTime for dates thereafter. |
| Subject | For PIV and Derived PIV certificates, must use a name form specified in the X.509 Certificate Policy for the U.S. Federal PKI Common Policy Framework (aka, Common Policy CP), Section 3.1.1. For PIV-I, must use a name form specified in the X.509 Certificate Policy for the Federal Bridge Certification Authority. PrintableString encoding should be used whenever possible for Issuer and Subject DNs. |
| Subject Public Key Information | For RSA, must be at least 2048 bit modulus, rsaEncryption {1.2.840.113549.1.1.1}. For ECC, implicitly specify parameters through an OID associated with a NIST-approved curve referenced in NIST SP 800-78-4.7 |
| Signature | sha256WithRSAEncryption {1.2.840.113549.1.1.11} or ECDSA with appropriate hash. |
- These mandatory extensions are common to all PIV, Derived PIV, and PIV-I Authentication certificates.
| Mandatory Extension |
Critical | Value |
|---|---|---|
| Key Usage | True | digitalSignature. NonRepudiation is NOT allowed. |
| Authority Information Access | id-ad-caIssuers {1.3.6.1.5.5.7.48.2} access method entry that contains HTTP URI for .p7c file containing certificates issued to Issuing CA. id-ad-ocsp {1.3.6.1.5.5.7.48.1} access method entry that contains HTTP URI for the Issuing CA OCSP Responder. OCSP is required. |
|
| Subject Key Identifier | Octet string | |
| CRL Distribution Points | This extension must appear in all certificates and include at least one HTTP URI to a file containing a DER-encoded CRL with a file type of application/pkix-crl. This profile prohibits CRLs segmented by reason code; therefore, omit the reasons and cRLIssuer fields. |
|
| Authority Key Identifier | Octet string (same as Subject Key Identifier in Issuing CA certificate). |
- These mandatory extensions have unique values for PIV, Derived PIV, and PIV-I Authentication certificates.
| Mandatory Extension |
Critical | PIV Value | Derived PIV Value | PIV-I Value |
|---|---|---|---|---|
| Certificate Policies | Applicable certificate policy: id-fpki-common-authentication {2.16.840.1.101.3.2.1.3.13} |
Applicable certificate policy: id-fpki-common-derived-pivAuth {2.16.840.1.101.3.2.1.3.40} id-fpki-common-derived-pivAuth-hardware {2.16.840.1.101.3.2.1.3.41} |
Applicable certificate policy: id-fpki-certpcy-pivi-hardware {2.16.840.1.101.3.2.1.3.18} |
|
| Subject Alternative Name | Must include FASC-N name form and, after October 15, 2015, must also include a UUID. The FASC-N specifies the FASC-N of the PIV card that contains the corresponding PIV Authentication key. Any additional name types may be present. Other names may be included to support local applications. |
Must include a UUID. Any additional name types may be present. Other names may be included to support local applications. |
Must include a UUID that contains the UUID from the CHUID of the PIV-I card encoded as a URI, as specified in RFC 4122,8 Section 3. Any additional name types may be present. Other names may be included to support local applications. |
|
| PIV Interim | piv-interim indicator {2.16.840.1.101.3.6.9.1} is defined in FIPS 201-2, Appendix B.2, as PIV NACI indicator. The value of this extension is asserted as follows: 1. TRUE if, at the time of credential issuance: (1) the FBI National Criminal History Fingerprint Check has been completed successfully, and (2) an NACI has been initiated but has not been completed. 2. FALSE if, at the time of credential issuance, the subject’s NACI has been completed and successfully adjudicated. |
Same value as for PIV. |
These Optional extensions apply to all PIV, Derived PIV, and PIV-I Authentication certificates.
| Optional Extension |
Critical | Value |
|---|---|---|
| Extended Key Usage | True | If included to support specific applications, this extension should be non-critical. The following values for keyPurposeID should be included: Microsoft Smart Card Logon; however, if the private key is not on a smart card, do not include the EKU for Microsoft Smart Card Logon. TLS Client Authentication pkinit-KPClientAuth Additional key purposes may be specified: TLS Client Authentication {3.6.1.5.5.7.3.2} id-pkinit-KPClientAuth {3.6.1.5.2.3.4} id-kp-secureShellClient {3.6.1.5.5.7.3.21} The keyPurposeID value may be implemented as needed by the subscriber. |
| Subject Directory Attributes | This extension may be included to indicate the cardholder's country or countries of citizenship, as specified in RFC 5280. countryOfCitizenship {1.3.6.1.5.5.7.9.4} ISO 31669 specifies country codes. |
|
| Issuer Alternative Name |
1. X.509 Certificate Policy for the U.S. Federal PKI Common Policy Framework, v1.27, June 29, 2017.
2. X.509 Certificate Policy For The Federal Bridge Certification Authority (FBCA), Version 2.31, June 29, 2017
3. ITU-I X.509 Recommendation (October 2016).
4. RFC 5280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, David Cooper, Stefan Santesson, Stephen Farrell, Sharon Boeyen, Russell Housley, and Tim Polk (May 2008).
5. X.509 Certificate and Certificate Revocation List (CRL) Extensions Profile for the Shared Service Providers (SSP) Program) (July 17, 2017).
6. X.509 Certificate and Certificate Revocation List (CRL) Extensions Profile for Personal Identity Verification Interoperable (PIV-I) Cards, July 17, 2017.
7. NIST SP 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, W. Timothy Polk, Donna F. Dodson, William E. Burr, Hildegard Ferraiolo, and David Cooper (May 2015).
8. RFC 4122, A Universally Unique Identifier (UUID) URN Namespace, P. Leach, M. Mealling, and R. Salz (July 2005).
9. ISO 3166, Codes for the representation of names of countries and their subdivisions — Part 1: Country codes (November 15, 2013).