NIST Personal Identity Verification Test Cards
In order to facilitate the development of applications and middleware that support the Personal Identity Verification (PIV) Card, the National Institute of Standards and Technology (NIST) has developed a set of test PIV Cards, which are available for purchase as a NIST Special Database. An overview of the test PIV Cards is provided in NISTIR 7870, NIST Test Personal Identity Verification (PIV) Cards. Technical Specifications for Personal Identity Verification (PIV) Test Cards contains technical details about the contents of each of the test cards in the set.
All of the certificates on the test PIV Cards were issued from a test public key infrastructure (PKI), which was established to support the test cards. The PKI consists of a two-level hierarchy. In order to be able to validate the certificates on the test cards, it will be necessary to install the root certification authority (CA) from the PKI as a trust anchor in the software that will be validating the certificates. A self-signed CA certificate for the root CA, which may be used to establish the root CA as a trust anchor, is available at:
As is required by FIPS 201-1, all of the certificates in the test PKI contain authorityInfoAccess and subjectInfoAccess extensions, where appropriate, with both LDAP and HTTP URIs that point to the intermediate CA certificates that are needed to create certification paths to validate the end-entity certificates on the PIV Cards. Not all software, however, is capable of using the information in these extensions to automatically retrieve the necessary certificates. In order to validate the test certificates with such software, it will be necessary to manually install the intermediate CA certificates in addition to the trust anchor certificate. A ZIP file containing all of the intermediate CA certificates in the test PKI is available.
Each of the CAs in the test PKI issues CRLs, which are made available via both LDAP and HTTP, and each certificate issued by the test PKI includes a cRLDistributionPoints extension that includes both LDAP and HTTP URIs that point to the appropriate CRL for that certificate. CRLs are issued by the CAs once an hour, and each CRL has a nextUpdate time that is 24 hours after the time the CRL was issued.
The test PKI also includes and OCSP responder, which provides revocation status information for all of the end-entity certificates issued by the test PKI. Each of the end-entity certificates includes an HTTP URI in its authorityInfoAccess extension that points to this OCSP responder. The OCSP responder only provides pre-produced responses, which are created once an hour. The nextUpdate time indicated for each certificate in the response is 2 hours after the time that the OCSP response was created.
In order to facilitate testing with the key management keys on the cards, a set of sample encrypted email messages has been created, and are available in a ZIP file. The ZIP file includes one sample encrypted email for each key management key in the set of test cards. The file name for each encrypted email includes the card number and an indication of which key management key from that card was used to encrypt the message. For example, "enc07.eml" was encrypted using the current key management key from PIV Test Card 7, whereas "enc08rH.eml" was encrypted using Retired Key Management Certificate H from PIV Test Card 8 (as the certificate is labeled in the Technical Specification for Personal Identity Verification (PIV) Test Cards).