3 Replies Latest reply on May 13, 2009 9:32 PM by SafeBoot

    PIV Card Question

    mwilke
      I got the new HSPD-12 PIV cards working today, but I just have one question. Is there an automatic or easy way for the PIV card private key to be tied to the user's AD account?

      Today, in our test, we just exported the private key and imported it into the AD account of the user, so that when the connector pulled the user's UPN over it also pulled the "certificate".

      We don't want to manually export and import 170,000+ users' private keys :)

      This is probably more of a Windows/AD question, but I didn't know if anyone on here who works with PIV cards can shed some light on how you do it?
        • 1. RE: PIV Card Question
          If your public certs are not in a PKI then you have to do it the way you discovered. When we designed it, we kind of assumed anyone with a PKI would have their public keys in an LDAP or AD store (so other people could get to them, etc.).

          Where did you export it from? If it was an LDAP server, just use the LDAP connector to import and provision the users?

          I know there's some talk of a new token which will allow your users to register the public key off their smart card on their machine themselves; you may want to discuss this with your account manager, but as I say, it does not exist yet.
          • 2. RE: PIV Card Question
            mwilke
            OK, what we did is this. We used some software, I think ActiveSync, to export the public key, then manually imported it into AD.

            We have software that will auto-import this info into AD, but it's still in the works. This will be a non-issue in the next year or two, but for now we have a lot of folks that need to have their public keys imported and tied to their AD user names.

            Didn't know if there was an easier way to do this rather than ... insert PIV card, open software, export public key, manually import public key into the AD profile of a user.
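One way to take the manual "export public key, import into the AD profile" step out of the loop described above, as an added example that is not from the thread or from the product vendor: bulk-publish already-exported PIV certificates to the matching AD user's userCertificate attribute, keyed on the UPN carried in each certificate's Subject Alternative Name. It assumes (hypothetically) that the exported .cer files sit in C:\piv-export, that the Principal Name in the PIV certificate equals the AD userPrincipalName, and that the ActiveDirectory PowerShell module is installed.

```powershell
# Added example (not from the thread): bulk-map exported PIV certificates to
# AD user objects by the UPN found in each certificate's SAN extension.
# Assumptions (hypothetical): .cer files in C:\piv-export, certificate
# Principal Name == AD userPrincipalName, ActiveDirectory module available,
# and the running account may write userCertificate on the target users.
Import-Module ActiveDirectory

$ExportDir = 'C:\piv-export'

# Pull the UPN out of the Subject Alternative Name extension (OID 2.5.29.17).
# On Windows the formatted extension text contains "Principal Name=<upn>".
function Get-CertUpn {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return $null }
    $text = $san.Format($true)
    if ($text -match 'Principal Name=([^\s,]+)') { return $Matches[1] }
    return $null
}

foreach ($file in Get-ChildItem -Path $ExportDir -Filter *.cer) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file.FullName
    $upn = Get-CertUpn -Cert $cert
    if (-not $upn) {
        Write-Warning "$($file.Name): no Principal Name in SAN, skipped"
        continue
    }
    # Bind the certificate only to the one account whose UPN matches exactly.
    $user = Get-ADUser -Filter "userPrincipalName -eq '$upn'" -Properties Certificates
    if (-not $user) {
        Write-Warning "$($file.Name): no AD user with UPN $upn, skipped"
        continue
    }
    # Idempotent: skip if this exact certificate (by SHA-1 hash) is already published.
    $already = $user.Certificates |
        Where-Object { $_.GetCertHashString() -eq $cert.GetCertHashString() }
    if ($already) { continue }
    # Publish the public certificate (never a private key) to userCertificate.
    Set-ADUser -Identity $user -Certificates @{ Add = $cert }
    Write-Host "$($user.SamAccountName): added cert $($cert.GetCertHashString())"
}
```

Only the public certificate is written; the private key never leaves the PIV card, and the warnings give you the list of cards whose UPN does not line up with an account so those can be reconciled by hand instead of silently mis-mapped.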
            • 3. RE: PIV Card Question
              I find it really strange that you've gone to all the effort to issue certs with smart cards but don't have a public key server. Do you not use PKI to exchange data between users? I guess not, if there's no way to look up someone's public key?