25.1 Additional identities overview
The process for issuing additional identities is as follows:
- Set up one or more certificate policies for additional identities.
- Set up one or more credential profiles that allow additional identities.
- Add up to ten additional identities from the LDAP directory to a user, specifying which additional identity certificate policy to use for each identity.
- Request a card for the user using an additional identity credential profile.
- Issue a card to the user – this card will contain, in addition to the standard certificates tied to the user's account, a certificate for each of the additional identities.
25.1.1 Renewing additional identities
You can renew certificates issued as additional identities; see section 6.6, Certificate renewal for details.
Note, however, that earlier versions of MyID could not renew additional identity certificates. If you have additional identity certificates that were issued by a version of MyID earlier than 12.3, the workaround options are as follows:
- Revoke the additional identity certificates using the Issued Certificates workflow, then update the device; new additional identity certificates are issued as part of the update.
  You can request the update using the Request Card Update workflow in MyID Desktop, or the cardholder can use the Self-Service App if the Self-service device update feature is enabled; see the Self-service device update section in the Self-Service App guide.
- Reprovision the device, causing all certificates on the device to be re-issued.
For further assistance with this, contact Intercede customer support quoting reference SUP-358.
25.1.2 Additional identities on devices with PIV applets
If you want to issue additional identities to devices with PIV applets, you must have a Windows minidriver installed to make the certificates available for uses such as Windows logon. MyID has been tested issuing additional identities with the following:
- YubiKey devices in conjunction with the YubiKey minidriver. See the Additional identities for YubiKey tokens section of the Smart Card Integration Guide.
- IDEMIA PIV cards using the IDEMIA minidriver. See the Additional identities for IDEMIA PIV cards section of the Smart Card Integration Guide.
Note: You must use the CivCertificatesOnly.xml card format (from the Card Format drop-down list on the Device Profiles section of the Credential Profiles workflow) to issue your devices if you want to issue additional identities.
25.1.3 User SIDs in additional identities
When MyID adds an additional identity, it captures the user SID of the additional identity, which is required for Windows authentication. For information on user SIDs, see section 6.9, Including user security identifiers in certificates.
Versions of MyID before 12.6 did not capture the user SID for additional identities. There is no way to synchronize existing additional identities with your directory to obtain this information, so if you want the user SID to be included in the certificates of an additional identity that was added before 12.6, you must remove each additional identity that has no user SID and add it again from the directory; the SID is captured when the identity is re-added.
To determine which additional identities are affected, you can view a list of additional identities, including the user SID for each additional identity where present, using the Additional Identities (AID) report in the MyID Operator Client; see the Additional Identities (AID) report section in the MyID Operator Client guide.
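To check the user SID that the AID report shows for an additional identity against what the directory actually holds, the following added example (not MyID's own code and not from this guide) decodes the binary objectSid attribute that Active Directory returns over LDAP into the S-1-... textual form, encodes it back, and checks that it is a domain account SID rather than a well-known one. The function names and the sample SID are this example's own, and the sample bytes are constructed rather than captured from a real directory.

```python
"""Decode and encode Active Directory objectSid values.

Added example, not part of MyID or this guide. The binary objectSid
attribute that Active Directory returns over LDAP is converted to the
textual S-1-... form so it can be compared with the SID recorded for an
additional identity. Function names and the sample SID are this
example's own; the sample bytes are constructed.
"""
import re
import struct

# Constructed sample: the objectSid bytes for S-1-5-21-305419896-43981-256-1103.
# Layout: revision (1 byte), sub-authority count (1 byte),
# identifier authority (6 bytes, big-endian), then each sub-authority as
# a 32-bit little-endian integer.
SAMPLE_OBJECT_SID = bytes.fromhex(
    "01 05"                    # revision 1, five sub-authorities
    "00 00 00 00 00 05"        # identifier authority 5 (NT Authority)
    "15 00 00 00"              # 21: marks a domain-issued SID
    "78 56 34 12"              # 305419896 (domain identifier, part 1)
    "cd ab 00 00"              # 43981     (domain identifier, part 2)
    "00 01 00 00"              # 256       (domain identifier, part 3)
    "4f 04 00 00"              # 1103: the RID of the user
)

SID_TEXT_RE = re.compile(r"^S-1-(?:\d+|0x[0-9A-Fa-f]{12})(?:-\d+)+$")


def objectsid_to_text(raw: bytes) -> str:
    """Convert the binary objectSid attribute to its S-1-... string form."""
    if len(raw) < 8:
        raise ValueError("objectSid too short")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != 8 + 4 * count:
        raise ValueError("objectSid length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    # The identifier authority is written in decimal unless it needs more than 32 bits.
    authority_text = f"0x{authority:012X}" if authority >= 2**32 else str(authority)
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "-".join(["S", str(revision), authority_text] + [str(s) for s in subs])


def text_to_objectsid(sid: str) -> bytes:
    """Inverse of objectsid_to_text, for comparing a reported SID with directory bytes."""
    if not SID_TEXT_RE.match(sid):
        raise ValueError(f"not a SID string: {sid!r}")
    parts = sid.split("-")[1:]          # drop the leading "S"
    revision = int(parts[0])
    auth = parts[1]
    authority = int(auth, 16) if auth.lower().startswith("0x") else int(auth)
    subs = [int(p) for p in parts[2:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (
        bytes([revision, len(subs)])
        + authority.to_bytes(6, "big")
        + struct.pack(f"<{len(subs)}I", *subs)
    )


def is_domain_account_sid(sid: str) -> bool:
    """True for S-1-5-21-<domain>-<RID> SIDs, the form a directory user has.

    Well-known SIDs such as S-1-5-18 (LOCAL SYSTEM) are not domain accounts
    and would not identify a user for Windows logon.
    """
    parts = sid.split("-")
    return (
        len(parts) == 8
        and parts[:4] == ["S", "1", "5", "21"]
        and all(p.isdigit() for p in parts[4:])
    )


if __name__ == "__main__":
    text = objectsid_to_text(SAMPLE_OBJECT_SID)
    print(text)
    assert text_to_objectsid(text) == SAMPLE_OBJECT_SID
    print("domain account:", is_domain_account_sid(text))
```

The sub-authorities after the 21 are the three 32-bit domain identifier words followed by the account's RID; the SID recorded for an additional identity should match the directory's objectSid exactly, so a round trip through both functions is a quick way to spot a mistyped or truncated value.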