Version 2 Card certificates for use in Windows account mapping


Stephen Maiorca

Jan 27, 2025, 2:36:44 PM
to piv-tes...@list.nist.gov

Good Morning All,

I’m trying to find out where we can get the Version 2 certificates that match what is on the test cards for use in mapping to the test accounts in Windows Active Directory. I set this up 4 years ago with a cache of the certificates that were available to be loaded into AD to map to the cards, but I cannot seem to find a link to these certificates for the version 2 cards.

I’ve gone in loops through the https://csrc.nist.gov/projects/piv/nist-piv-test-cards site but cannot seem to find them. Could someone please direct me to where I can find them?

Thanks in advance!

Stephen Maiorca | Sr. Security Architect
17222 Von Karman Avenue - Irvine, CA 92614
MSIA CISSP ISSAP
T 443-853-8480
smai...@databank.com
www.databank.com

This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. DataBank makes no warranty that this email is error or virus free. DataBank, Ltd.

This e-mail (including any attachments) is intended only for use by the addressee(s) named above, and may contain confidential, proprietary, or legally privileged information. If you are not the intended recipient of this e-mail, any review, use, disclosure, dissemination, distribution, printing or copying of this e-mail or any attachment is strictly prohibited. If you have received this e-mail in error, please notify DataBank immediately by return e-mail and permanently delete the original from your system and any hard copy printout thereof. E-mails are not encrypted and cannot be guaranteed to be secure or error-free and, as with all Internet communications, information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. Accordingly, DataBank accepts no liability for any errors or omissions in the content contained herein. In compliance with applicable laws, rules, and regulations and/or at its discretion, DataBank may review and archive incoming and outgoing e-mail communications, copies of which may be produced at the request of regulators.

David A. Cooper

Jan 27, 2025, 2:46:49 PM
to Stephen Maiorca, piv-tes...@list.nist.gov
The certificates can be read from the cards, but are not posted elsewhere. However, information about the contents of the certificates is available in NISTIR 8347 (https://csrc.nist.gov/pubs/ir/8347/final). So, if you just need information such as the subject names that appear in the certificates, you can get that from NISTIR 8347.

Stephen Maiorca

Jan 27, 2025, 3:22:49 PM
to David A. Cooper, piv-tes...@list.nist.gov

I was hoping to get the actual .cer certificates for each of the test cards that get manually mapped to the various accounts in AD. For the V1 cards, there were the certs with the private certs to be able to map to individual accounts for testing. Is there no set of those for the V2 cards?

Stephen Maiorca | Sr. Security Architect

David A. Cooper

Jan 27, 2025, 3:33:59 PM
to Stephen Maiorca, piv-tes...@list.nist.gov
I don't understand what you mean by "there were the certs with the private certs." I do not believe there was any information available for the V1 cards that isn't also available for the V2 cards.

Are you certain the information for the V1 cards came from NIST? Perhaps someone else read the certificates from the test cards and created the cache of the certificates that you used for the V1 cards.

Stephen Maiorca

Feb 7, 2025, 9:14:11 AM
to David A. Cooper, piv-tes...@list.nist.gov

I’m almost positive someone read the certs off the cards. Checking with my CISO, we had a consultant about 7 years ago when we started our FedRAMP ATO as a CSP who provided us the certs.

I’ve tried to hook up my old USB CAC reader to my Windows 10 box. It can see the reader, and when I put one of the test cards in, but I can’t seem to figure out how to copy them off. Do I need to have a copy of ActivClient to do that, or is there another program that can help me read the certs to then use in the AD mapping?

Stephen Maiorca | Sr. Security Architect

David A. Cooper

Feb 7, 2025, 9:54:03 AM
to Stephen Maiorca, piv-tes...@list.nist.gov
There are many middleware programs that are capable of reading the PIV Cards (https://www.idmanagement.gov/university/piv/#piv-readers-and-middleware). I would guess that they all provide a way to read the certificates from the cards, but how to do so would depend on the particular library. I would be surprised if there isn't a way to read the certificates using the software that comes with Windows 10, but I don't have much experience with that operating system.

I sometimes use OpenSC, and can read the certificates using its command-line tools. I use pkcs15-tool, but piv-tool should also work.


Douglas E Engert

Feb 7, 2025, 2:48:34 PM
to piv-tes...@list.nist.gov
With the smart cards inserted, you should be able to see the certificates via mmc or
Control Panel->Content->Certificates->Personal. Then find the certificate via "Issued To" and "Issued By".
You can then "view" to see a certificate or "export" to write it out in several formats.

Windows caches certificates in the certstore when a card is first used, or temporarily when it is inserted. So, it may ask for the card to be inserted when you try the export.

Depending on the PIV card vendor, a card vendor may install a PIV smart card minidriver. If not, the Microsoft built-in PIV driver will be used.

OpenSC (I am one of the developers) does install a minidriver for most cards, but it is not enabled for PIV because in most cases the Microsoft or vendor minidriver will work. The OpenSC minidriver can
be enabled for PIV. Contact me if needed.

OpenSC for Windows does install the tools and PKCS#11 libraries, including pkcs11-tool, pkcs15-tool and other tools, on Windows.
https://github.com/OpenSC/OpenSC/wiki/Windows-Quick-Start
https://github.com/opensc/opensc/releases
You would need both the *.win32.msi and *.win64.msi.

Most Linux distros

P.S. pkcs15-tool and pkcs11-tool can read the certificates. The piv-tool is more of a development tool to generate a key on the card and save the public key, so a CSR can be generated to send to a CA, and
then to write the certificate to the card. Since most approved PIV card vendors use other means to generate or load keys on the card, piv-tool will not work on these cards.



--

Douglas E. Engert <DEEn...@gmail.com>


Alex Howard

Feb 7, 2025, 2:48:48 PM
to David A. Cooper, Stephen Maiorca, piv-tes...@list.nist.gov

Stephen,

On Windows you can do a certutil -scinfo from the CLI to interrogate the card.

Best Regards,

Alex Howard
Technical Director
CSCIP
www.txsystems.com | al...@txsystems.com
6242 Ferris Square San Diego, CA 92121
Direct: (858) 622-2012 | Main: (858) 622-2004 | Fax: (858) 622-2011

This email and any attachment may contain confidential information and are intended solely for the use of the named recipient(s). If you have received this information in error, you are prohibited from reading, copying, distributing and using the information. If you are not a named addressee or otherwise an intended recipient you are requested to immediately notify the sender and to delete this email and all attachments from your system.
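The two Windows-side answers above (export from the certificate store that mmc shows, or interrogate the card with certutil -scinfo) stop at getting a .cer file; the step the original question is really about is turning that file into the AD account mapping. The following is an added example, not code from the thread or from any of its participants. It assumes the card is inserted and its certificates have been propagated into the user's Personal store (Cert:\CurrentUser\My), that the PKI module (Export-Certificate) and the RSAT ActiveDirectory module (Set-ADUser) are present, and that the output folder and the account name pivtest01 are placeholders. The mapping string format (X509:<I>issuer<SR>reversed-serial) is the one Microsoft's KB5014754 classifies as a strong mapping; the subject-based <S> forms are classified as weak and are rejected once domain controllers are in Full Enforcement.

```powershell
# Added example (not from the thread). Exports the inserted card's certificates and builds
# the altSecurityIdentities value for an explicit AD mapping. Placeholders: $OutDir, pivtest01.

function Export-CardCertificates {
    # Writes every certificate in the Personal store that is backed by a key to a DER .cer.
    # Only the public certificate is written; the private key never leaves the card.
    param([string]$OutDir = "$env:USERPROFILE\piv-test-certs")   # placeholder folder

    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    Get-ChildItem Cert:\CurrentUser\My |
        # Card certificates reference a key held by the smart card KSP; if this filter drops
        # them on your minidriver, filter on $_.Issuer instead.
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object {
            $file = Join-Path $OutDir ("{0}.cer" -f $_.Thumbprint)
            Export-Certificate -Cert $_ -FilePath $file -Type CERT | Out-Null
            [pscustomobject]@{
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Serial     = $_.SerialNumber
                File       = $file
            }
        }
}

function Get-AltSecurityIdentity {
    # Builds the value AD stores in altSecurityIdentities. Under KB5014754 the issuer+serial
    # (<I>...<SR>...), <SKI> and <SHA1-PUKEY> forms are "strong"; <S>-based forms are "weak".
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    # AD expects the issuer DN in reverse RDN order with no space after the commas:
    # .NET prints "CN=Test CA, DC=example, DC=gov"; AD wants "DC=gov,DC=example,CN=Test CA".
    # Splitting on ", " is fine for DC/OU/CN-style names, but would mis-split an RDN value that
    # itself contains an escaped comma; check the result against certutil -dump on the .cer.
    $rdns = $Cert.Issuer -split ',\s*'
    [array]::Reverse($rdns)
    $issuer = $rdns -join ','

    # AD expects the serial number byte-reversed relative to what the certificate viewer and
    # .SerialNumber show: 01 02 03 becomes "030201".
    $hex   = $Cert.SerialNumber
    $pairs = for ($i = $hex.Length - 2; $i -ge 0; $i -= 2) { $hex.Substring($i, 2) }
    $serial = -join $pairs

    return "X509:<I>$issuer<SR>$serial"
}

# --- usage ---
$exported = Export-CardCertificates
$exported | Format-Table Thumbprint, Subject, Serial, File

# Pick the PIV Authentication certificate from the table above by thumbprint; -First 1 is only
# so the script runs end to end on whatever the card holds.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
$map  = Get-AltSecurityIdentity -Cert $cert
$map

# The same function works on an exported .cer, so the mapping can be built on a box with no reader:
# $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$env:USERPROFILE\piv-test-certs\<thumbprint>.cer"

# Write the mapping onto the matching test account (placeholder name) and read it back.
# Set-ADUser -Identity 'pivtest01' -Add @{ altSecurityIdentities = $map }
# Get-ADUser -Identity 'pivtest01' -Properties altSecurityIdentities |
#     Select-Object -ExpandProperty altSecurityIdentities
```

The ADUC "Name Mappings" dialog writes the same attribute but in the issuer+subject form, so an account mapped that way will stop logging on when the domain moves to Full Enforcement; using the issuer+serial value above avoids re-doing the mappings later. Because the serial number is per certificate, the mapping has to be refreshed whenever a test card is re-issued, which is exactly why a cache of old V1 .cer files no longer matches the V2 cards.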


Kim O'Sullivan

Feb 10, 2025, 8:57:24 AM
to Stephen Maiorca, David A. Cooper, piv-tes...@list.nist.gov
When you say "private certs" do you mean the private keys? If so I believe there is no way to extract them unless they were generated off-card and injected. 
