6.4 How do you manage derived certificates?

You can use MyID to manage the issued derived certificates using the standard MyID lifecycle management features; for example, you can revoke the certificates using the Cancel Credential workflow.

You can use the Derived Credentials Notification Listener to update MyID when the status of the original PIV card changes; for example, when the PIV card is canceled, you can use the API to inform the MyID system that the original card is no longer trusted, and MyID can revoke the derived credential. See the Derived Credentials Notifications Listener API guide for details.

For Intune, Microsoft recommend that replacement, renewed, or updated derived credentials are issued by canceling the existing derived credentials and repeating the process used to issue the credentials. For the certificates that are issued to your derived credentials, do not select a certificate policy that has the Automatic Renewal option set in the Certificate Authorities workflow.
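The three rules above (derived certificates follow the standard lifecycle, a cancelled PIV card revokes every derived credential issued from it, and replacements are issued fresh rather than renewed) can be modelled in a few lines. The following is an added illustration, not MyID code and not the Derived Credentials Notifications Listener API; the class names, the `handle_card_notification` and `replace` methods, the status strings and the sample card serials are all constructed for the example.

```python
"""Hypothetical model of derived-credential lifecycle handling (added example).

Not MyID's own code or API. It models the dependency the FAQ describes: a
derived credential is trusted only while its source PIV card is trusted, so a
cancellation notification for the card revokes every derived credential issued
from it, and a replacement is issued fresh rather than renewed.
"""
from dataclasses import dataclass


@dataclass
class CertificatePolicy:
    name: str
    automatic_renewal: bool  # the option the FAQ says must NOT be set


@dataclass
class DerivedCredential:
    credential_id: str
    source_card_serial: str
    policy_name: str
    status: str = "active"  # "active" or "revoked" (constructed states)


class DerivedCredentialRegistry:
    """Tracks which derived credentials were issued from which PIV card."""

    def __init__(self, policies):
        self.policies = {p.name: p for p in policies}
        self.credentials = {}

    def issue(self, credential_id, source_card_serial, policy_name):
        policy = self.policies[policy_name]
        # Guard against the misconfiguration the FAQ warns about: a policy
        # with Automatic Renewal would silently extend a credential whose
        # source card may since have been cancelled.
        if policy.automatic_renewal:
            raise ValueError(f"policy {policy_name!r} has Automatic Renewal set")
        cred = DerivedCredential(credential_id, source_card_serial, policy_name)
        self.credentials[credential_id] = cred
        return cred

    def handle_card_notification(self, card_serial, new_status):
        """Process a (constructed) card status notification.

        Only a cancellation affects trust; every active derived credential
        issued from that card is revoked. Returns the revoked ids, sorted, so
        the operation is idempotent and auditable.
        """
        if new_status != "canceled":
            return []
        revoked = []
        for cred in self.credentials.values():
            if cred.source_card_serial == card_serial and cred.status == "active":
                cred.status = "revoked"
                revoked.append(cred.credential_id)
        return sorted(revoked)

    def replace(self, old_credential_id, new_credential_id):
        """Replace by cancelling the old credential and issuing a new one."""
        old = self.credentials[old_credential_id]
        if old.status == "active":
            old.status = "revoked"
        return self.issue(new_credential_id, old.source_card_serial, old.policy_name)

    def active_ids(self):
        return sorted(c.credential_id for c in self.credentials.values()
                      if c.status == "active")


def run_scenario():
    """Constructed walk-through; returns the observable results for checking."""
    registry = DerivedCredentialRegistry([
        CertificatePolicy("derived-auth", automatic_renewal=False),
        CertificatePolicy("auto-renew-bad", automatic_renewal=True),
    ])
    registry.issue("dc-1", "PIV-0001", "derived-auth")
    registry.issue("dc-2", "PIV-0001", "derived-auth")
    registry.issue("dc-3", "PIV-0002", "derived-auth")

    results = {}
    # Card PIV-0001 is cancelled: both credentials derived from it go.
    results["revoked_on_cancel"] = registry.handle_card_notification("PIV-0001", "canceled")
    # A repeated or irrelevant notification changes nothing.
    results["revoked_on_repeat"] = registry.handle_card_notification("PIV-0001", "canceled")
    results["revoked_on_unblock"] = registry.handle_card_notification("PIV-0002", "unblocked")
    # Replacement for dc-3: cancel, then issue fresh.
    registry.replace("dc-3", "dc-4")
    results["active_after_replace"] = registry.active_ids()
    # Issuing against an auto-renewing policy is refused.
    try:
        registry.issue("dc-5", "PIV-0002", "auto-renew-bad")
        results["auto_renew_rejected"] = False
    except ValueError:
        results["auto_renew_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the model is the direction of trust: the listener never has to inspect the derived certificate itself, it only needs the link back to the source card, which is why the registry indexes credentials by `source_card_serial`.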