2.13 Certificates with mandatory NACI values

On PIV systems, you can configure your certificate policies to make the NACI value mandatory (the piv_interim attribute, known as interim_indicator in Entrust). This is typically required for the PIV Authentication and PIV Card Authentication certificates. When MyID adds the user to Entrust, it includes the user's NACI value.

Note: This is relevant for PIV systems only. Users in MyID Enterprise systems do not have NACI values.

MyID now supplies the user's captured NACI (interim_indicator) value at the point it adds the user to Entrust, not only when it submits the certificate request.

Previously, the recommendation was to configure interim_indicator as an optional attribute in the Entrust certificate policy. With an optional attribute, MyID still encoded the value in the certificate request, but it did not have to supply it when adding the user to Entrust. This matters mainly for the Card Authentication certificate, where MyID creates a new Entrust user (with its own DN) for each issuance, so the value is needed at user-creation time.

MyID now provides the captured value both when it adds the user and when it submits the certificate request, whether the value is TRUE (NACI incomplete) or FALSE (NACI complete), so the same value is present at both steps.

For most deployments, which use the existing recommended optional interim_indicator, this change makes no difference. Sites that want to include the now-deprecated NACI value in Card Authentication certificates can now configure interim_indicator as mandatory.

If the MyID administrator has not configured a user attribute for use in NACI submissions, certificate issuance still fails and reports error -8120. The change only supplies the value earlier, during the Entrust user creation sequence; it does not create a value where none is present.

Note: If the CA has NACI configured as optional and a user has no NACI value set, then depending on the order in which the certificates are issued you may see the Card Authentication or PIV Authentication certificate issued successfully before the issuance process fails; any certificates already issued are then revoked.