NIST Personal Identity Verification Test Cards
Test PKI Info | Sample Messages | Version 1 Test Cards | Email List
In order to facilitate the development of applications and middleware that support the Personal Identity Verification (PIV) Card, the National Institute of Standards and Technology (NIST) has developed a set of test PIV Cards, which are available for purchase as a NIST Special Database. An overview of the test PIV Cards is provided in NIST 8347, NIST Test Personal Identity Verification (PIV) Cards Version 2. NISTIR 8347 also contains technical details about the contents of each of the test cards in the set.
Test PKI Information
All of the certificates on the test PIV Cards were issued from a test public key infrastructure (PKI), which was established to support the test cards. The PKI consists of a two-level hierarchy. In order to be able to validate the certificates on the test cards, it will be necessary to install the root certification authority (CA) from the PKI as a trust anchor in the software that will be validating the certificates. Download a self-signed CA certificate for the root CA, which may be used to establish the root CA as a trust anchor
All of the certificates in the test PKI contain authorityInfoAccess and subjectInfoAccess extensions, where appropriate, with URIs that point to the intermediate CA certificates that are needed to create certification paths to validate the end-entity certificates on the PIV Cards. Not all software, however, is capable of using the information in these extensions to automatically retrieve the necessary certificates. In order to validate the test certificates with such software, it will be necessary to manually install the intermediate CA certificates in addition to the trust anchor certificate. Download all the intermediate CA certificates in the test PKI (ZIP file).
Each of the CAs in the test PKI issues Certificate Revocation Lists (CRLs), which are made available via HTTP, and each certificate issued by the test PKI includes a cRLDistributionPoints extension that includes an HTTP URI that points to the appropriate CRL for that certificate. For some of the CAs, CRLs are also made available via LDAP.
The test PKI also includes an Online Certificate Status Protocol (OCSP) responder, which provides revocation status information for all of the end-entity certificates issued by the test PKI. Each of the end-entity certificates includes an HTTP URI in its authorityInfoAccess extension that points to this OCSP responder. The OCSP responder only provides pre-produced responses, which are created at the same time that the CRLs are created.
Sample Encrypted Email Messages
In order to facilitate testing with the key management keys on the cards, download a set of sample encrypted email messages (ZIP file). The ZIP file includes one sample encrypted email for each key management key in the set of test cards. The file name for each encrypted email includes the card number and an indication of which key management key from that card was used to encrypt the message. For example, "enc07.eml" was encrypted using the current key management key from PIV Test Card 7, whereas "enc08rH.eml" was encrypted using Retired Key Management Certificate H from PIV Test Card 8 (as the certificate is labeled in NISTIR 8347).
Version 1 Test Cards
Information about the first version of the test PIV Cards is provided in NISTIR 7870, NIST Test Personal Identity Verification (PIV) Cards. Technical Specifications for Personal Identity Verification (PIV) Test Cards contains technical details about the contents of each of the test cards in the first version of the set.
Downloads for Version 1 of the test PIV cards are still available:
Email List
) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)
