2.7 Attribute mapping for PIV systems
For PIV systems, you must set up the attributes of the PIV certificate policies to have specific dynamic mappings.
Note: The FASC-N mapping is required for standard PIV cards, but is not permitted for PIV-I cards. The PIV Card Authentication certificate policy must not contain a mapping for Email.
2.7.1 Example attribute mapping for PIV systems
|
Certificate Policy |
FASC-N |
UUID |
NACI |
User Principal Name |
|
|---|---|---|---|---|---|
|
PIV Authentication |
FASC-N (Hex) |
UUID (ASCII) |
NACI Status |
User Principal Name |
Not Required |
|
PIV Card Authentication |
FASC-N (Hex) |
UUID (ASCII) |
NACI Status |
Not Required |
Not Required |
|
PIV Encryption |
Not Required |
Not Required |
Not Required |
Not Required |
Email (optional) |
|
PIV Signing |
Not Required |
Not Required |
Not Required |
Not Required |
Email (optional) |
2.7.2 Example attribute mapping for PIV-I systems
|
Certificate Policy |
FASC-N |
UUID |
NACI |
User Principal Name |
|
|---|---|---|---|---|---|
|
PIV Authentication |
Not Required |
UUID (ASCII) |
Not Required |
User Principal Name |
Not Required |
|
PIV Card Authentication |
Not Required |
UUID (ASCII) |
Not Required |
Not Required |
Not Required |
|
PIV Encryption |
Not Required |
Not Required |
Not Required |
Not Required |
Email (optional) |
|
PIV Signing |
Not Required |
Not Required |
Not Required |
Not Required |
Email (optional) |
2.7.3 Editing the attribute mappings
To edit the attribute mapping:
-
Within the Certificate Authorities workflow, select an enabled certificate policy.
-
Click Edit Attributes.
-
For each attribute, select one of the following options from the Type list:
- Not Required – the attribute is not needed.
- Dynamic – select a mapping from the Value list to match to this attribute.
- Static – type a value in the Value box.
- Click Save.