2.15 Deactivation of card authentication users
PIV Card Authentication certificates are usually issued to a different subject DN from other certificates; this DN is formed from the card's FASC-N or GUID. As a result, the Entrust PKI creates an additional user account for that subject. The MyID Entrust PKI connector can deactivate this additional account when Card Authentication certificates are revoked.
If you want to deactivate the additional account, set the Deactivate Card Auth user in Entrust option (on the Certificates page of the Operation Settings workflow) to Yes. The account is deactivated if:

- The certificate being revoked was issued to the PIV Card Authentication container (5FC101).
- The certificate was issued to a subject that is not the user's main Distinguished Name; the value is normalized to take whitespace into account.
To handle card reprovisioning, if MyID attempts to issue a new certificate to an Entrust user who has been deactivated, the user is reactivated.
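The decision logic described above (container check, whitespace-normalized DN comparison, and reactivation on reissue), written out as an added illustration; this is not the MyID connector's own code. The DN normalization (trimming each RDN, collapsing internal runs of spaces, and stripping spaces around `=`) and the sample DNs, including the FASC-N placeholder, are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Container tag for the PIV Card Authentication certificate (from the page).
PIV_CARD_AUTH_CONTAINER = "5FC101"


def normalize_dn(dn: str) -> str:
    """Normalize a DN so that only whitespace differences are ignored.

    Assumed rules: trim each RDN, strip spaces around '=', and collapse runs
    of spaces inside attribute values. Backslash-escaped commas are kept as
    part of the value rather than treated as RDN separators.
    """
    rdns = re.split(r"(?<!\\),", dn)
    out = []
    for rdn in rdns:
        if "=" in rdn:
            attr, value = rdn.split("=", 1)
            out.append(f"{attr.strip()}={' '.join(value.split())}")
        else:
            out.append(" ".join(rdn.split()))
    return ",".join(out)


@dataclass
class EntrustUser:
    dn: str            # subject DN of the (additional) Entrust account
    active: bool = True


def should_deactivate(option_enabled, container_id, cert_subject_dn, main_dn):
    """Both page conditions must hold, and the option must be set to Yes."""
    if not option_enabled:
        return False
    if container_id.upper() != PIV_CARD_AUTH_CONTAINER:
        return False
    return normalize_dn(cert_subject_dn) != normalize_dn(main_dn)


def on_revocation(user, option_enabled, container_id, main_dn):
    """Revocation path: deactivate the extra account when the rules match."""
    if should_deactivate(option_enabled, container_id, user.dn, main_dn):
        user.active = False
    return user.active


def on_issue_request(user):
    """Reprovision path: issuing to a deactivated user reactivates it."""
    if not user.active:
        user.active = True
    return user.active
```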