This section is normative. It defines the processes and components required for managing a PIV Card’s lifecycle and provides the requirements and specifications related to key management.
PIV Cards consistent with this specification SHALL have two or more asymmetric private keys. To manage the public keys associated with the asymmetric private keys, departments and agencies SHALL issue and manage X.509 public key certificates as specified in this section.
CAs that issue certificates to support PIV private keys SHALL participate in the hierarchical PKI for the Common Policy managed by the Federal PKI Management Authority.
CA certificates SHALL conform to [COMMON].
All certificates issued to support PIV private keys (i.e., PIV authentication, card authentication, digital signature, and key management certificates) SHALL be issued in accordance with [COMMON]. CAs and registration authorities can either be operated by departments and agencies or be outsourced to PKI service providers. For a list of PKI service providers that have been approved to operate under [COMMON], see https://www.idmanagement.gov.
Details of the cryptographic properties of PIV keys are found in Section 4.2.2 and its subsections.
The required contents of X.509 certificates associated with PIV private keys are based on [PROF]. The relationship is described below:
id-fpki-common-authentication policy of [COMMON] in the certificate policies extension
(Section 4.2.2.1).id-fpki-common-cardAuth policy of [COMMON] in the certificate policies extension
(Section 4.2.2.2).id-fpki-common-hardware policy of [COMMON] in the certificate policies
extension (Section 4.2.2.4), except as provided below.id-fpki-common-policy or id-fpki-common-hardware policy of [COMMON] in the certificate policies extension
(Section 4.2.2.5), except as provided below.The expiration date of the PIV authentication and card authentication certificates SHALL NOT be after the expiration date of the PIV Card. The expiration date of the PIV Card is printed on the card in Zone 14F (see Section 4.1.4) and is contained in the CHUID data object (see Section 4.2.1). If the card is revoked, the PIV authentication and card authentication certificates SHALL be revoked in cases where the card cannot be collected and destroyed. However, a PIV authentication or card authentication certificate MAY be revoked and subsequently replaced without revoking the PIV Card. The presence of a valid, unexpired, and unrevoked authentication certificate on a card is sufficient proof that the card was issued and is not revoked.
CAs that issue certificates corresponding to PIV private keys SHALL issue CRLs as specified in [COMMON]. The contents of X.509 CRLs SHALL conform to CRL Profile in [PROF].
The content of this section has been removed. Details for certificates issued to support PIV private keys are specified in Section 5.2.
CAs that issue certificates corresponding to PIV private keys (i.e., PIV authentication, card authentication, digital signature, or key management certificates) SHALL
PIV authentication, card authentication, digital signature, and key management certificates SHALL
crlDistributionPoints extension needed to locate CRLs, andauthorityInfoAccess extension needed to locate the authoritative OCSP responder.Departments and agencies SHALL notify CAs when certificates need to be revoked.
This Standard requires the distribution of CA certificates and CRLs using HTTP. Specific requirements are found in [PROF].
Certificates that contain the FASC-N or card UUID in the SAN extension, such as PIV authentication certificates and card authentication certificates, SHALL NOT be distributed publicly (e.g., via HTTP accessible from the public internet). Individual departments and agencies can decide whether digital signature and key management certificates can be distributed publicly by the CA.
OCSP status responders SHALL be implemented as a certificate status mechanism. The OCSP status responders SHALL be updated at least as frequently as CRLs are issued.