You can use these simple methods to view, export, and understand the information stored on a PIV credential.
View Your PIV Credential Certificates
Almost all of the methods for using your PIV credential for networks, applications, digital signatures, and encryption involve the certificates and key pairs stored on your PIV credential. There are also scenarios where additional information (such as biometrics) is also accessed and used.
To view your certificate information:
- Insert your PIV credential into your card reader.
- Choose an option from the table below and follow the steps.
|Microsoft||Internet Explorer||Open Internet Explorer Browser -> Tools wheel or Alt+X) -> Internet Options -> Content tab -> Certificates button -> Personal tab|
|Microsoft||Microsoft Management Console (MMC) and Certificate Snap-in||Open Microsoft Management Console -> File -> Add/Remove Snap-In -> Certificates snap-in -> Add -> My user account -> Finish -> Expand Certificates - Current User -> Personal -> Certificates|
|Any||Chrome Browser||Open Chrome Browser -> Settings -> Show Advanced Settings -> Manage Certificates (Manage HTTPS/SSL Certificates and Settings) -> Personal tab|
|Any||Firefox Browser||Open Firefox Browser -> Settings wheel -> Privacy & Security -> Security -> Certificates > View Certificates button -> Certificates Manager -> Your Certificates tab|
|macOS X||Keychain||Open Applications -> Utilities -> Keychain Access -> Select Login -> Categories -> My Certificates|
You may see many certificates. To open and view the certificate details, double-click on any certificate.
Export PIV Certificates
We won’t always use graphical user interfaces to view the PIV credential certificates. Throughout the PIV and the Federal PKI (FPKI) Guides, we’re continuing to add useful procedures for network engineers and examples of code, tools, and common command line options for viewing and troubleshooting configurations. (Note: These examples may use files representing public certificates.)
Look for an Export button and save the file as DER or PEM-encoded, with a file extension of cer (.cer).
Keys are safe!
Don't worry; the public certificates are public. The private keys are always stored safely on your PIV credential and can never be exported.
Understand PIV Certificates
Viewing the certificate information on your PIV credential may be interesting if you are a general user. You must understand certificate information as a program manager or engineer developing applications and designing solutions for using PIV credentials.
Within the U.S. federal government, the certificate and PIV credential information is governed by standards, policies, and implementation-specific choices (options) across all agency credential providers.
Typically, there are four certificates and four key pairs on a PIV credential. However, one pair (i.e., one certificate and one key pair) is ALWAYS on every PIV credential and three pairs (i.e., three certificates and three key pairs) are SOMETIMES on a PIV credential. You can review the Basics of a PIV Credential to view the four pairs and purposes.
The table below outlines the general information for the PIV credential certificates, certificate extensions, and design considerations.
PIV credentials and certificates have changed over time due to updates in standards. Since users may have credentials for up to 6 years and there are both optional and mandatory elements, the information presented is what is valid for ALL PIV credentials and certificates currently in use. (Although credentials are valid for 6 years, the certificates contained on a credential are valid for only 3 years, with the exception of the content signer.)
|Certificate||Required||Key Usage||Extended Key Usage||Subject Alternative Name||Design Considerations|
|PIV Authentication||Always||Digital Signature||Client Authentication||otherName = FASC-N;
uniformResourceIdentifier = UUID;
Principal Name = prefix@suffix
|Principal Name values are not required by policy to be present in all Subject Alternative Name extensions. The Card UUID may also commonly be referred to as the Global Unique Identifier (GUID).|
|Card Authentication||Always||Digital Signature||id-PIV-cardAuth||Name = FASC-N;
uniformResourceIdentifier = UUID
|Card Authentication must be included in new and replacement PIV credentials issued after August 2014; it is not expected that all PIV credentials will have Card Authentication certificates until September 2019. The Card UUID may also commonly be referred to as the GUID.|
|Digital Signature||Sometimes||Digital Signature, Non-Repudiation||Specific EKUs are required for certificates issued after June 2019||rfc822name = email address||Email address is not required by policy. Email address may be multivalued attributes and include email aliases.|
|Encryption||Sometimes||Key Encipherment||Specific EKUs are required for certificates issued after June 2019||rfc822name = email address||Email address is not required by policy. Encryption certificates that represent available, retired encryption key pairs may exist, depending on the PIV issuer.|
|PIV Content Signer||Always||Digital Signature||id-PIV-content-signing||N/A||The PIV content signer ensures the integrity of the digital information stored on the card. Physical Access Control Systems (PACS) are the primary relying party for these certificates. This certificate is unavailable in most logical trust stores, but users can leverage the Card Conformance Tool (CCT if they would like to extract and view the PIV content signing certificate.|
Additional useful information:
- All key pairs for users are 2048-bit (RSA) keys.
- All certificates issued and certified as PIV are SHA-256 signed.
- If you are working with Common Access Cards, you may still encounter SHA-1-signed certificates and might not see a Card Authentication certificate.
- There has been testing in some infrastructures to migrate to Elliptic Curve Cryptography (ECC), but there are no ECC certificates for users in production as of the date of this guide.
- There has been testing in some infrastructures to migrate to 3072-bit (RSA) certificates, but there are no 3072-bit certificates for users in production as of the date of this guide.
In-depth details on the certificate profiles are contained in the current and historical Federal Public Key Infrastructure (FPKI) policy documents. The most recent policy and certificate profile documents may be found on IDManagement.gov’s Federal Public Key Infrastructure page.