3.4 PIV card post-issuance update

MyID can update a PIV card after the initial issuance in the following ways:

• Update the certificates on the card.

• Reprovision the electronic content of the card.

• Reinstate the card after incorrect cancellation.

• Recover additional certificates onto the card.

• Certificate rekey (renewal).

3.4.1 Update the certificates on the card

You can an update the certificates on the card using the Request Update option on the View Device screen followed by the Collect Updates option; see the Requesting an update for a device and Updating a device sections in the MyID Operator Client guide

This allows a cardholder to receive an update to the latest version of the assigned credential profile, or to a new credential profile that they are permitted to receive.

This operation does not amend any electronic data held in the PIV applet other than certificates – that is, the FASC-N, CHUID, printed information and biometrics are unchanged. Updates to the card take place over a secure channel in accordance with FIPS 201-3.

The cardholder must enter their PIN to collect the update. You can also configure MyID to require biometric authentication – the Verify fingerprints during card update option, on the Biometrics tab of the Operation Settings workflow, controls this.

3.4.2 Reprovision and reinstatement

Reprovision allows the electronic data on the card to be rewritten. This is useful where the certificate policies have been amended or change is required to the electronic data on the card.

You can reprovision cards using the Reprovision Card and Reprovision My Card features.

• Reprovision My Card is intended for cardholders to reprovision their own cards; you may not want to allow this for all users. You can control access by creating an additional role, giving it access to the Reprovision My Card workflow, and assigning the role to the cardholders you want to be able to reprovision their own cards.

  See the Reprovisioning cards section in the Operator's Guide.

• Reprovision Card is intended for operators to reprovision a card belonging to someone else. Operators can reprovision cards belonging only to users who are within their scope.

  See the Reprovisioning a device section in the MyID Operator Client guide

If you cancel a card by mistake, issuing a new card may be difficult or time consuming. Instead, you can use the Reinstate Card option to return the canceled card to an active state; see the Reinstating a device section in the MyID Operator Client guide

If the card is reinstated using an activation job, the credential profile settings for Require fingerprints at Issuance will be honored.

If the card is reinstated using an update job, the user must authenticate to MyID first. The Verify fingerprints during card update option on the Biometrics tab of the Operation Settings workflow determines whether fingerprint verification is used.

You cannot reprovision or reinstate a card where:

• The signing certificate or biometric data of the user account will expire within the lifetime of the card.

• The user account does not have User Data Approved and this is required by the latest version of the credential profile.

Notes:

• Card printing cannot be performed using this operation (as the card has already been printed).

• New certificates are issued, as they have been revoked at cancellation.

• Depending on how your system is set up, archived certificates are recovered to the card and stored in the key history containers.

• By default, it does not allow the FASC-N or UUID to be rewritten to the card: the original values will be re-added. For more information, see section 5.11, Preserving FASC-N and UUID.

If the User Data Approved flag has been unset on the user account, the workflow cannot personalize the card. If you change the user data in an external system that provides data to MyID using the Lifecycle API, you must unset the User Data Approved flag while the user undergoes the re-enrollment process.

If the user's data has been amended after the initial issuance, and data that appears on the printed surface of the PIV card has been modified, the electronic data within the card would become out of step with the printed surface.

3.4.3 Recover additional certificates onto the card

You can recover certificates and their associated private keys onto a smart card in the following scenarios:

• Self-service key recovery:

  • Automated key recovery.

  • End user selects certificates to recover.

• Recovery on to another person’s card.

• Recovery for investigation.

Note: When you recover certificates to a PIV card, all retired certificate containers are overwritten. This affects any smart card with a PIV applet.

3.4.3.1 Self-service key recovery

A cardholder can use the Recover My Certificates workflow to select certificates to recover to their card. When recovery takes place, all key history containers on the card are rewritten – this will wipe previous content on the card. If MyID is configured to do so, the key history containers are overwritten when automated key recovery takes place.

Note: Fingerprint verification is required for all self-service operations.

Based on configuration in MyID, certificates (from any assigned card) are automatically recovered on to their card in the following cases:

• Reprovisioning a card.

• Reinstating a card.

• Updating a card.

• Replacing a card.

The options that affect this functionality are determined by the certificate options in the credential profile.

See the Recovering your own certificates section in the Operator's Guide for details.

3.4.3.2 Recovery on to another person’s card

MyID allows you to recover certificates onto another person's smart card. Typically this is used when the certificate owner requires another trusted person to deputize for them (and therefore requires encryption certificates to be shared).

It can also be used by a MyID operator to recover certificates to the PIV cardholder's issued card where they cannot fulfill the biometric verification requirements of the self-service operations. Use the Authenticate Person option to create an audited authentication of the PIV cardholder.

Use the Recover Certificates workflow to recover the certificates. The smart card used must be in an issued state, and existing key history containers on the card will be erased.

3.4.3.3 Recovery for investigation

When certificates are to be recovered for investigative purposes, a strictly controlled business process must be enforced, ensuring that multiple people are involved who hold the required permissions and the process is fully audited.

MyID allows you to generate a request, including identifying the user account which must collect the request. The request itself uses a specific credential profile for this purpose, which ensures that only recovered certificates are written to the card. The PIN may also be set to a random generated value, which is hidden from the collector, and sent to an email address identified in the request.

See the Key recovery section of the Administration Guide for details.

3.4.4 Certificate rekey (certificate renewal)

The MyID certificate renewal process generates a new key pair (rekey) as defined by FIPS 201-3.

MyID can automatically generate jobs as certificates approach their expiry date. When you collect the job, MyID replaces the original certificate with a newly issued certificate. At the point of issuing the certificate, the latest data from the user account is used in the certificate request.

The original certificate policy may have been superseded by a new policy, which are used instead. See the Superseding certificate policies section of the Administration Guide.

This process does not alter any content of the PIV applet (for example, the FASC-N, CHUID, or printed information).