24.1 Additional identities overview
The process for issuing additional identities is as follows:
- Set up one or more certificate policies for additional identities.
- Set up one or more credential profiles that allow additional identities.
- Add up to ten additional identities from the LDAP to a user, specifying which additional identity certificate to use for each identity.
- Request a card for the user using an additional identity credential profile.
- Issue a card to the user – this card will contain, in addition to the standard certificates tied to the user's account, a certificate for each of the additional identities.
24.1.1 Renewing additional identities
You can renew certificates issued as additional identities; see section 6.6, Certificate renewal for details.
Note, however, that in previous versions of MyID, you could not renew additional identity certificates. If you have additional identity certificates issued in versions of MyID earlier than 12.3, the workaround options are as follows:
- You can revoke the additional identity certificates using the Issued Certificates workflow, then update the device – new additional identity certificates will be issued.
  You can request updates using the Request Card Update workflow in MyID Desktop, or the cardholder can use the Self-Service App if the self-service device update feature is enabled; see the Self-service device update section in the Self-Service App guide.
- Reprovision the device, causing all certificates on the device to be re-issued.
For further assistance with this, contact Intercede customer support quoting reference SUP-358.
24.1.2 Additional identities on devices with PIV applets
If you want to issue additional identities to devices with PIV applets, you must have a Windows minidriver installed to make the certificates available for uses such as Windows logon. MyID has been tested issuing additional identities with the following:
- YubiKey devices in conjunction with the YubiKey minidriver.
  See the Additional identities for YubiKey tokens section of the Smart Card Integration Guide.
- IDEMIA PIV cards using the IDEMIA minidriver.
  See the Additional identities for IDEMIA PIV cards section of the Smart Card Integration Guide.
Note: You must use the CivCertificatesOnly.xml card format (from the Card Format drop-down list on the Device Profiles section of the Credential Profiles workflow) to issue your devices if you want to issue additional identities.