5.3 Issuing replacement cards

When you request a replacement card, the type of replacement depends on the reason the card needs to be replaced.

Certificates are treated differently, depending on whether they are archived, and whether the original certificates may have been compromised.

See section 6.5, Certificate reasons for details of what happens to the certificates in the various card replacement scenarios.

For temporary replacement cards, you are strongly recommended to set up a temporary replacement credential profile. See section 5.3.6, Temporary replacement credential profiles for details.

5.3.1 Issuing temporary replacement cards

You can use the Issue Temporary Replacement Card workflow to issue a temporary replacement card to a user; for example, if the user has forgotten their card.

If there is a _temp credential profile for the card being replaced, it is used automatically. If there is no _temp credential profile available, the same profile as the original card is used. See section 5.3.6, Temporary replacement credential profiles for instructions on creating a _temp credential profile.

To issue a temporary replacement card:

  1. From the Cards category, select Issue Temporary Replacement Card.
  2. Use the Find Person screen to search for the user to whom you want to issue a temporary replacement card.
  3. Select the user from the list.

  4. Select the reason you are issuing a temporary card, then type the Details.

    See section 6.5, Certificate reasons for details.

  5. Click Next.
  6. Insert the replacement card.
  7. Type the New PIN and confirm it.
  8. Click Next.
  9. Print the card, if necessary.

5.3.2 Requesting a replacement card

The Request Replacement Card workflow allows you to request a replacement card for yourself or for another user.

  1. From the Cards category, click Request Replacement Card.

  2. Choose whether the recipient of the new card will be Yourself or Another User, then click Next.

    Note: In the PIV version of MyID, you cannot request a replacement card for yourself, so this stage does not appear. On non-PIV systems, the Allow self requests configuration option (on the Self-Service page of the Security Settings workflow) must be set before a user can request a replacement card for themselves; this stage appears only when the user can request a replacement card both for themselves and for another person.

  3. If you are requesting a replacement card for another user, use the Find Person screen to select the person.

    On non-PIV systems, to request a replacement card for another user, the operator must have a role that has the Choose Recipient option selected under the Request Replacement Card entry in the Edit Roles workflow.

    Note: On non-PIV systems, if neither the Allow self requests configuration option nor the Choose Recipient role option has been selected, the operator cannot carry out any requests for replacement cards using this workflow.

    The cards assigned to the person are listed.

  4. Select the card you want to replace.

  5. Select a reason and provide Details for the card replacement, then click Next.

    See section 6.5, Certificate reasons for details.

    Note: If the Delayed Cancellation Period configuration option (on the Devices page of the Operation Settings workflow) is set to a value greater than 0, there is an additional reason available: Device Replacement (Delayed Cancellation). If you select this option, the device and its certificates are not canceled immediately, but are canceled after the number of hours specified in the configuration option.

The old card is canceled, and a job for a replacement card is created. The replacement card can be picked up using either the Collect My Card or the Collect Card workflow.

5.3.3 Permanent card replacement example

For a permanent replacement card, MyID issues a new card using the same profile as the old card.

The default behavior is as follows. Assuming that the card had two certificates, one of which was archived, the new card contains the following certificates:

The historic certificates allow you to decrypt any data encrypted with the original key.

MyID can determine, based on the reason for the replacement, whether archived or new encryption certificates are issued to a card. Where the card is still present but is damaged or permanently blocked, MyID can issue the archived encryption certificates instead of new certificates – in that case the archived certificates are not revoked or suspended.

The behavior can be customized. Contact customer support for details.

5.3.4 Temporary card replacement example

For a temporary replacement card, MyID issues a new card.

If there is a _temp credential profile for the card being replaced, it is used automatically. If there is no _temp credential profile available, the same profile as the original card is used. See section 5.3.6, Temporary replacement credential profiles for details.

Assuming that the card had two certificates, one of which was archived, the new card contains the following certificates:

By default, no historic recovered certificates are written to temporary cards. You can change the number of recovered certificates using the options on the credential profile.

5.3.5 Replacing temporary cards

A temporary replacement card should be used only for a short time. Temporary cards can be replaced in the following situations:

5.3.6 Temporary replacement credential profiles

For temporary replacement cards, you are strongly recommended to set up a temporary replacement credential profile, to consider carefully who can receive the temporary card, to restrict its lifetime, and to consider which certificates you want to include on it. If you do not specify a temporary replacement credential profile, the original credential profile is used instead – this may not be appropriate for your security policies.

You can specify an alternative credential profile to be used automatically for temporary replacement cards. Create a credential profile (see the Managing credential profiles section in the Administration Guide) and give it the name <profile>_temp. For example, if your permanent card is issued with the profile Employee, create the alternative profile with the name Employee_temp.

Note: Credential profile names are case-sensitive.

Set up this profile to issue a signing certificate – this does not have to be the same as the signing certificate on the original card. When the card is issued, you can recover any historic encryption certificates to the card. The original signing certificate is suspended.

When the forgotten card is found, the temporary card is canceled. This revokes the temporary signing certificate, unsuspends the original signing certificate, and leaves the encryption certificate active.

_temp credential profiles do not apply to permanent replacement cards.
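The _temp profile lookup and the certificate state changes described in this section and in section 5.3.4, as an added Python model written for this page (this is not MyID's own code or API; the class and function names are assumptions). It also includes a small audit helper for finding permanent profiles that would fall back to the original profile.

```python
from dataclasses import dataclass, field

# Hypothetical model of a certificate and a card, written for this illustration.
@dataclass
class Certificate:
    purpose: str            # "signing" or "encryption"
    state: str = "active"   # active, suspended or revoked

@dataclass
class Card:
    profile: str
    certs: list = field(default_factory=list)
    cancelled: bool = False

def temp_profile_for(original_profile, available_profiles):
    """Return '<profile>_temp' if such a profile exists (names are case-sensitive);
    otherwise fall back to the original profile, as MyID does."""
    candidate = f"{original_profile}_temp"
    return candidate if candidate in available_profiles else original_profile

def profiles_missing_temp(permanent_profiles, available_profiles):
    """Audit check: permanent profiles with no '<name>_temp' counterpart, which
    would be issued unchanged on a temporary replacement card."""
    return sorted(p for p in permanent_profiles
                  if f"{p}_temp" not in available_profiles)

def issue_temporary_replacement(original, available_profiles):
    """Issue a temporary card: it gets its own signing certificate, the original
    signing certificate is suspended, and the encryption certificate stays active
    (by default no historic recovered certificates are written to the temp card)."""
    temp = Card(profile=temp_profile_for(original.profile, available_profiles),
                certs=[Certificate("signing")])
    for c in original.certs:
        if c.purpose == "signing":
            c.state = "suspended"
    return temp

def cancel_temporary_card(temp, original):
    """The forgotten card is found: the temporary signing certificate is revoked
    and the original signing certificate is unsuspended."""
    temp.cancelled = True
    for c in temp.certs:
        if c.purpose == "signing":
            c.state = "revoked"
    for c in original.certs:
        if c.purpose == "signing" and c.state == "suspended":
            c.state = "active"

def states(card):
    """Map each certificate purpose on a card to its current state."""
    return {c.purpose: c.state for c in card.certs}
```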

See section 5.3.1, Issuing temporary replacement cards for details of the Issue Temporary Replacement Card workflow.