Details of a PIV Credential
This section will help you view the information stored on the PIV credential. We identify simple methods for viewing, exporting, and understanding your PIV credential certificates.
Viewing your PIV credential certificates
Almost all the methods for using your PIV credential for networks, applications, digital signatures, and encryption rely on the certificates and key pairs stored on your PIV credential. There are scenarios where additional information, such as biometrics, is accessed and used. We will cover how to view the information for these additional scenarios, and for developers, in a set of Developer Guides.
To view your certificate information:
- Insert your PIV credential in your card reader.
- Choose an option from the table below and follow the steps.
| Operating System | Tool | Steps |
|---|---|---|
| Microsoft | Internet Explorer Browser or Edge Browser | Open Internet Explorer Browser -> Settings -> Internet Options -> Choose Content tab -> Certificates -> Choose Personal tab |
| Microsoft | Microsoft Management Console (MMC) and Certificate Snap-in | Open Microsoft Management Console -> File -> Add/Remove Snap-In -> Select Certificates snap-in -> Add -> My user account -> Finish -> Expand Certificates - Current User -> Select Personal -> Select Certificates |
| Any | Chrome Browser | Open Settings -> Show Advanced Settings -> HTTPS / SSL: Manage Certificates -> Choose the Your Certificates tab |
| Any | Firefox Browser | Open Menu -> Preferences -> Advanced -> Choose Certificates tab -> View Certificates -> Choose the Your Certificates tab |
| MacOS X | Key Chain | Open Applications -> Utilities -> Keychain Access -> Select Login -> From Categories, select My Certificates |
You may see many certificates. To open and view the certificate details, double-click on any certificate.
Exporting PIV Certificates
We won't always be using graphical user interfaces to view the PIV credential certificates. Throughout the guides, we'll be adding examples of code, tools, and common command line options for viewing and troubleshooting configurations. The examples may use files representing the public certificate(s).
Look for an Export button and save the file as DER or PEM encoded, with a .cer file extension.
Keys are safe!
Don't worry - the public certificates are public. The private keys are always stored safely on your PIV credential and can never be exported.
Understanding PIV Certificates
Viewing the certificate information on your PIV credential may be interesting if you are a general user. Understanding the certificate information is a must if you are a program manager or engineer developing applications and designing solutions for using PIV credentials.
Within the US Federal Government, the certificate information and the PIV credential information are governed by Standards, Policies, and implementation-specific choices (options) across all agency credential providers.
There are four pairs of certificates and key pairs on a PIV credential. One pair is ALWAYS on every PIV credential and three pairs are SOMETIMES on a PIV credential. You can review the basics of a PIV Credential to view the four pairs and purposes.
The table below outlines the general information for the PIV credential certificates, certificate extensions, and design considerations. All information is presented in human-readable formats.
PIV credentials and certificates have changed over time due to updates in standards. Since users may have credentials for up to six years and there are both optional and mandatory elements, the information presented is what is valid for ALL PIV credentials and certificates currently in use.
| Certificate | Required | Key Usage | Extended Key Usage | Subject Alternative Name | Considerations |
|---|---|---|---|---|---|
| PIV Authentication | Always | Digital Signature | Client Authentication | otherName = FASC-N; uniformResourceIdentifier = UUID; Principal Name = prefix@suffix | Principal Name values are not required by Policy to be present in all Subject Alternative Name extensions. The Card UUID value is only required to be present for new or replacement PIV credentials issued after August 2014. The Card UUID may also commonly be referred to as the Global Unique Identifier (GUID). |
| Card Authentication | Sometimes | Digital Signature | id-PIV-cardAuth | otherName = FASC-N; uniformResourceIdentifier = UUID | Card Authentication is required to be included in new and replacement PIV credentials issued after August 2014; it is not expected that all PIV credentials will have Card Authentication certificates until September 2019. The Card UUID value is only required to be present for new or replacement PIV credentials issued after August 2014. The Card UUID may also commonly be referred to as the Global Unique Identifier (GUID). |
| Digital Signature | Sometimes | Digital Signature, Non-Repudiation | none required | rfc822name = email address | Email address is not required by Policy. Email address may be a multi-valued attribute and include email aliases. |
| Encryption | Sometimes | Key Encipherment | none required | rfc822name = email address | Email address is not required by Policy. Multiple encryption certificates may be available, representing the historical encryption key pairs. |
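The table above is enough to tell the four PIV certificates apart programmatically. The following is an added example, not code from this guide: it classifies a certificate by its Key Usage, Extended Key Usage and Subject Alternative Name and pulls out the FASC-N, Card UUID, Principal Name and email values. It assumes the third-party `cryptography` package; the FASC-N otherName OID (2.16.840.1.101.3.6.6), the Microsoft Principal Name otherName OID (1.3.6.1.4.1.311.20.2.3) and id-PIV-cardAuth (2.16.840.1.101.3.6.8) are the standard values and are not taken from this page; the sample certificate and every identifier in it are constructed for the demonstration.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import ExtendedKeyUsageOID, ExtensionOID, NameOID, ObjectIdentifier
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa

FASC_N_OID = ObjectIdentifier("2.16.840.1.101.3.6.6")       # SAN otherName carrying the FASC-N
UPN_OID = ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")        # SAN otherName carrying the Principal Name
ID_PIV_CARDAUTH = ObjectIdentifier("2.16.840.1.101.3.6.8")  # id-PIV-cardAuth Extended Key Usage


def classify_piv_cert(cert):
    """Return (PIV certificate type, SAN identifiers) using the Key Usage / EKU / SAN rules in the table."""
    ext = {e.oid: e.value for e in cert.extensions}
    ku = ext[ExtensionOID.KEY_USAGE]                       # Key Usage is present on every PIV certificate
    eku = set(ext.get(ExtensionOID.EXTENDED_KEY_USAGE, []))
    san = list(ext.get(ExtensionOID.SUBJECT_ALTERNATIVE_NAME, []))
    other = {n.type_id: n.value[2:] for n in san if isinstance(n, x509.OtherName)}  # strip DER tag+length
    uris = [n.value for n in san if isinstance(n, x509.UniformResourceIdentifier)]
    ids = {
        "fasc_n": other[FASC_N_OID].hex() if FASC_N_OID in other else None,       # OCTET STRING payload
        "upn": other[UPN_OID].decode() if UPN_OID in other else None,             # UTF8String payload
        "uuid": next((u[len("urn:uuid:"):] for u in uris if u.startswith("urn:uuid:")), None),
        "emails": [n.value for n in san if isinstance(n, x509.RFC822Name)],
    }
    rules = [("Encryption", ku.key_encipherment),          # checked first: all other types set digitalSignature
             ("Card Authentication", ID_PIV_CARDAUTH in eku),
             ("Digital Signature", ku.content_commitment),  # content_commitment is the Non-Repudiation bit
             ("PIV Authentication", ExtendedKeyUsageOID.CLIENT_AUTH in eku)]
    return next((kind for kind, hit in rules if hit), "Unknown"), ids


def build_sample_cert(extensions):
    """Self-signed RSA-2048 test certificate carrying the given extensions (constructed, not a real PIV cert)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Sample PIV Holder")])
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name).public_key(key.public_key())
         .serial_number(x509.random_serial_number()).not_valid_before(now)
         .not_valid_after(now + datetime.timedelta(days=1)))
    for e in extensions:
        b = b.add_extension(e, critical=isinstance(e, x509.KeyUsage))
    return b.sign(key, hashes.SHA256())


def sample_piv_auth_cert():
    """Constructed PIV Authentication-shaped certificate: digitalSignature + clientAuth + FASC-N/UUID/UPN SAN."""
    return build_sample_cert([
        x509.KeyUsage(True, False, False, False, False, False, False, False, False),
        x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]),
        x509.SubjectAlternativeName([
            x509.OtherName(FASC_N_OID, b"\x04\x03\xd0\xcd\x6a"),                     # constructed FASC-N bytes
            x509.UniformResourceIdentifier("urn:uuid:12345678-1234-4321-8765-123456789abc"),
            x509.OtherName(UPN_OID, b"\x0c\x10" + b"12345678@fed.gov")])])          # 16-byte UTF8String
```

To run it against a certificate exported from your own credential, load the .cer file with `x509.load_der_x509_certificate` (or `load_pem_x509_certificate`) and pass the result to `classify_piv_cert`.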
Additional useful information:
- All key pairs for users are 2048 bit (RSA) keys
- All certificates issued and certified as PIV are SHA-2 signed
- If you are working with Common Access Cards, you may still encounter SHA-1 signed certificates
- There has been testing in some infrastructures to migrate to Elliptic Curve Cryptography (ECC), but there are no ECC certificates for users in production as of the date of this guide
- There has been testing in some infrastructures to migrate to 3072 bit (RSA) certificates, but there are no 3072 bit certificates for users in production as of the date of this guide
In-depth details on the certificate profiles are contained in the current and historical Federal Public Key Infrastructure (FPKI) Policy documents. This table contains links to the most recent documents:
| Certificates | Policy Update Date | Link to Profile Information |
|---|---|---|
| PIV Certificates | May 5, 2015 | Worksheets 5, 6, 8 and 9 in this document |
| PIV Interoperable Certificates | May 5, 2015 | Worksheets 4, 5, 6, and 7 in this document |