Don’t get locked out – update your CAC’s Personal Identity Verification-Authentication certificate
Department of Defense Common Access Cards must align with the Federal Personal Identity-Authentication (PIV-Auth) certificate, which ensures strong authentication.
Homeland Security Presidential Directive 12 (HSPD-12) requires federal departments and agencies to use strong authentication credentials for network and information technology system access, and the CAC is DoD's primary mechanism for doing so on the NIPRNet.
DoD has directed that PIV-Auth certificate become the standard for DoD IT access in order to: standardize implementations and reduce inefficiencies with mission partners, improve cybersecurity posture and change management, reduce costs associated with maintaining DoD specific legacy authentication mechanisms, and allow the department to use commercial products designed to read HSPD-12 compliant Public Key Infrastructure credentials.
To accomplish this, DoD has directed its components to reconfigure network and web-application user accounts to support PIV-Auth authentication. DISA personnel were required to activate PIV-Auth by Aug. 1.
The DoD Chief Information Officer Cybersecurity Scorecard Team is tracking progress toward achieving the changes.
The most visible change to most unclassified IT users will be the change from selecting either an ID or email certificate for system logon to only selecting the PIV-Auth certificate. Though the PIV-Auth certificate is on all DoD CACs, it is not activated on CACs issued before Feb. 24, 2018.
DoD CAC holders for which the PIV-Auth certificate is not visible do not need a new CAC, but must visit the milConnect RAPIDS Self-Service portal to activate the certificate.
Existing “dual-persona” personnel - those who currently or previously served in the military and as a civilian or contractor - may already have the PIV certificate activated.
- Users can often tell if they already have a PIV certificate if they notice an “authentication” certificate when attempting to access many CAC authenticated systems. However, a guaranteed way to confirm the PIV authentication certificate is to verify with ActivClient using the below steps:
- Near the clock in the bottom right of your screen, expand the small upward arrow to see the system tray.
- Locate and double-click on the ActivClient icon that resembles a blue CAC reader.
- On the new ActivClient window, double click the ‘My Certificates’ icon in the right pane.
- All the certificates on your CAC should now be listed. The PIV certificate is titled “Authentication” and if selected, it will show a 16-digit number after the user’s name instead of the usual 10-digit DoD ID number on the other certificates.
After activating the PIV certificate, here are some important tips to consider:
- Always know how to identify the PIV certificate to avoid accidentally selecting it. The PIV certificate is best identified by the 16-digit DoD ID number after the user’s name, or the ‘Authentication’ title.
- Be sure not to accidentally select the PIV certificate when logging into a workstation or the user will be logged on as a visitor. If this occurs, simply log out and select the 10-digit identity certificate to log back in.
- The PIV certificate should only be used for applications and systems that have been registered to use PIV authentication. If the system or application was working correctly before PIV activation, users should continue to use the original certificates to access those systems and applications.
- All system and application owners will eventually switch to PIV authentication. They will advise their user communities when it is time to switch to the PIV certificate.