2.15 Deactivation of card authentication users

PIV Card Authentication certificates are usually issued to a different subject DN than other certificates; this DN is formed from the card FASC-N or GUID. As a result, the Entrust PKI creates an additional user account for this subject. The MyID Entrust PKI connector deactivates this additional account when card authentication certificates are revoked.

The account is deactivated if:

To disable this functionality, create a DWORD registry value named DeactivateCardAuthUser in:

HKEY_LOCAL_MACHINE\SOFTWARE\Intercede\Edefice\Connector\EntrustJTK

and set it to 0.

If this is non-zero or the registry value is not present, then users are not deactivated.

To handle card reprovision events, if MyID attempts to issue a new certificate to an Entrust user who is deactivated, the user is reactivated.