PIV standardization has made it much easier to secure a domain with smart cards, requiring only a few configuration steps without any additional software. The goal of this article is to show the configuration steps so corporations can understand what it takes and even test PIV cards in their environment first hand.

What is required

  • PIV card encoded with an IdenTrust Certificate (the PIV card can also be encoded with a local CA)
  • The issuing certificate authority certificates that issued the certificate
  • Microsoft certutil
  • Windows 7/10 client joined to the domain

Why IdenTrust Certificates

While active directory works great with a Microsoft Certificate Authority, this tutorial highlights use of the IdenTrust CA. The reason is to prove that even third party issued credentials can be easily used for smart card logon. Also, for customers considering upgrading their assurance level to enable greater trust with external business partners, IdenTrust makes it simple to obtain medium assurance and Federal Bridge certified test certificates for internal testing.

PIV Card Logon Configuration Steps

The video below shows how to configure the domain step by step. If you would like to obtain a test card or the scripts you see in the video, send an email to support@cyberarmed.com.

  1. Issue a domain controller certificate to the domain
  2. Verify the domain controller can access the certificates’ CRL and AIA locations
  3. Install issuer certificates into the NTAuth store
  4. Verify the AD account matches the Smart Card certificate

Further Knowledge

We hope the video provides valuable information. If you still need more information, below are also some amazing links to help with PIV card logon.

Certutil commands

Enabling 3rd party CA smart card logon

Microsoft CAPI Diagnostics (for when things do not work properly)

Smart card logon debugging (for very, very low level diagnostics)