2.12 Issuing smart cards that have PIV applets
Many of the smart cards and USB tokens that are supported by MyID contain a PIV applet; this applet is used to store certificates and information on the device, and is designed to support compliance with the Personal Identity Verification standards (FIPS 201-2) as laid down for federal agencies by the US Government.
To issue a PIV card that is fully compliant with the standards, you must use the PIV edition of MyID; however, if you have the non-PIV edition of MyID, you can issue these smart cards without having to comply fully with the US Government standards – this is sometimes referred to as CIV (Commercial Identity Verification).
To issue a card with a PIV applet, you must carry out the following:
- Set up a PIV 9B key for the credential type.
  This is sometimes known as the "management key".
  You must use the Key Manager workflow within MyID to add a factory PIV 9B Card Administration Key to the system. See the Managing keys section in the Administration Guide for details.
- Set up a GlobalPlatform key for the credential type.
  GlobalPlatform keys are required to carry out operations on some types of smart card.
  If your smart cards support GlobalPlatform keys, you must use the Manage GlobalPlatform Keys workflow to add a factory GlobalPlatform key. See the GlobalPlatform keys section in the Administration Guide for details.
- Set up a credential profile to specify a CIV-compatible card format.
  The card format determines which containers are available for certificates.
  In the Credential Profiles workflow, in the Device Profiles section, from the Card Format drop-down list select the following:
  - CivCertificatesOnly.xml
  You can then select containers for the certificates on the Select Certificates screen.
  See the Managing credential profiles section in the Administration Guide for details.
See the appropriate chapter of this guide for any specific requirements for your type of smart card; for example, some smart card types may require customer PIV 9B keys in addition to the factory PIV 9B key.
Note: If you require customized data in the PIV applet (for example, creating CHUID values, custom data, or signed data objects) contact your Intercede account manager to discuss your requirements.
Warning: PIV applets hold certificates in named containers. The Card Authentication (9E) container is designed for physical access control, so certificates within this container can be read without the user PIN, even over a contactless interface; you must ensure that the certificate contains only the information needed for that purpose and does not expose cardholder details. If you do not have a suitable certificate policy, it is recommended that you leave this container empty; do not assign a certificate policy to it when configuring the credential profile.
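One way to check a certificate before it is assigned to the 9E container, as an added example that is not MyID or Intercede code: it walks the DER encoding with the standard library alone and lists subject attributes that would name the cardholder. The attribute list (CARDHOLDER_ATTRS) and the constructed sample certificates are assumptions made for the example.

```python
# Added example, not MyID code: report subject attributes in a certificate bound for
# the Card Authentication (9E) container that would expose cardholder details.
def der_tlv(buf, off=0):
    """(tag, value, next_offset) of the DER TLV at off; handles long-form lengths."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def der_children(value):
    """Members of a constructed DER value as [(tag, value), ...]."""
    items, off = [], 0
    while off < len(value):
        tag, inner, off = der_tlv(value, off)
        items.append((tag, inner))
    return items

# Attribute types (OID content bytes) treated as cardholder details: an assumed local policy.
CARDHOLDER_ATTRS = {b"\x55\x04\x03": "commonName", b"\x55\x04\x04": "surname",
                    b"\x55\x04\x2a": "givenName", b"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01": "emailAddress"}

def subject_of(cert_der):
    """Certificate -> tbsCertificate -> subject (5th field once the optional [0] version is skipped)."""
    fields = der_children(der_tlv(der_tlv(cert_der)[1])[1])
    if fields[0][0] == 0xA0:
        fields = fields[1:]
    return fields[4][1]   # serialNumber, signature, issuer, validity, subject

def cardholder_details(cert_der):
    """(attribute, value) pairs in the subject that identify the cardholder; 9E wants an empty list."""
    found = []
    for _, rdn in der_children(subject_of(cert_der)):   # Name is a SEQUENCE OF SET (RDN)
        for _, atv in der_children(rdn):                # RDN is a SET OF SEQUENCE {type, value}
            (_, oid), (_, val) = der_children(atv)
            if oid in CARDHOLDER_ATTRS:
                found.append((CARDHOLDER_ATTRS[oid], val.decode("utf-8", "replace")))
    return found

# Constructed, unsigned stand-in certificates so the check can be tried offline (sample data only).
def der_enc(tag, value):
    assert len(value) < 0x80            # short-form lengths are enough for these samples
    return bytes([tag, len(value)]) + value

def sample_cert(subject_attrs):
    """subject_attrs: [(OID content bytes, text value), ...] -> minimal Certificate DER."""
    atvs = (der_enc(0x06, oid) + der_enc(0x0C, v.encode()) for oid, v in subject_attrs)
    name = der_enc(0x30, b"".join(der_enc(0x31, der_enc(0x30, atv)) for atv in atvs))
    body = der_enc(0xA0, der_enc(0x02, b"\x02")) + der_enc(0x02, b"\x01") + der_enc(0x30, b"") * 3 + name
    return der_enc(0x30, der_enc(0x30, body))
```

On a real card the input is the DER certificate read from the 9E container; an empty result means the subject carries no attribute from the policy list.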