2.3 Setting up the credential profile
If you do not want to map OIDs from the imported authentication certificate, you can create an Externally Issued (Only) credential profile to be used for the imported PIV card. This credential profile is also used if MyID cannot find a match for the OID in the mappings file.
See section 2.2, Mapping OIDs to credential profiles, for details of setting up OID mappings.
To create the imported credential profile:
- From the Configuration category, select Credential profiles.
- Click New.
- Type a Name for the credential profile.
- In Card Encoding, select Externally Issued (Only).
- In Services, select MyID Logon.
- Click Next.
- On the Select Certificates screen, select an Unmanaged certificate profile.
  This certificate profile is used to contain the authorization certificate imported from the smart card.
  Note: You are strongly recommended to rename the Unmanaged policy to a name that indicates its use; for example, Imported PIV Card Authentication Certificate.
  If the unmanaged policy is already in use, MyID provides a second unmanaged policy called Unmanaged Imported; this policy is disabled by default, which means that you must enable it using the Certificate Authorities workflow. If both unmanaged policies are already in use, and you need further unmanaged policies, contact customer support quoting reference SUP-229 for assistance.
  Note: Do not use the unmanaged policy called Imported Authentication for this purpose.
- Select the Signing option for the Unmanaged certificate profile.
  Note: If you cannot select the Signing box, open the Certificate Authorities workflow, edit the Unmanaged CA, and set the Archive Keys option for the policy to Internal.
- Select the Authentication Certificate option from the Container drop-down list.
- Optionally, select certificates for the other three PIV containers:
  - PIV Card Authentication Certificate
  - PIV Digital Signature Certificate
  - PIV Key Management Certificate
  When MyID imports the card, it associates the certificates from those containers on the card with the selected certificate policies. If MyID is connected to the same CA that originally issued the certificates, it can then manage the imported certificates, including revoking them when using the Cancel Credential workflow.
  If you do not specify the certificate policies for the certificates in these containers, the certificates are imported as Unmanaged; MyID cannot manage these certificates.
- Click Next.
- Select the roles you want to be able to issue and receive this credential profile.
- Click Next and complete the workflow.