CAC PIV
Many users are what is considered a “dual persona.” A user who is dual persona (such as someone who is both National Guard AND a DA Civilian) will have to complete an additional series of steps before they will be able to access their Enterprise Email.
Your Common Access Card holds some data in the form of certificates, and various sites, such as Enterprise Email, use these certificates to verify and validate your identity. For users who are dual persona, there is an additional certificate on your CAC that is hidden by default, and this is the certificate you must use to access your Enterprise Email. Follow the steps in this FAQ to activate the PIV certificate on your CAC.
Note: These steps are unnecessary for users who do not have a PIV authentication certificate to activate. If you are attempting to access your Enterprise Email and the system will not accept the PIN you enter, then you likely have a PIV. For all other issues, please contact the service desk.
Activating Your PIV Authentication Certificate
- Browse to the RAPIDS Self-Service Portal: https://www.dmdc.osd.mil/self_service
- Click Sign On
- Click Ok
- Click Login under CAC
- Select your Email Certificate and click Ok
- Enter your PIN and click Ok
- Click “Activate PIV” in the upper right for the PIV certificate on your CAC
- Click Run
- Once this process completes, remove your CAC from the reader
Note: If the “Activate PIV Authentication Certificate” process fails to run, or the update itself fails, your CAC may be outdated and you may need to obtain a new CAC that fits the PIV standards.
Making the PIV Certificate Available to Windows
- Re-insert your CAC into the reader.
- Open ActivClient (double click the CAC/CAC Reader icon in the bottom right of Windows, next to the clock)
- Double click the ‘My Certificates’ icon.
- You should see four certificates instead of the standard three; the fourth will be labeled as your PIV AUTH certificate.
Note: If you see only three certificates and are certain you require a PIV AUTH certificate, you will need to obtain a replacement CAC, as the one you have is older than the PIV AUTH standard.
4. In ActivClient open the Tools menu, then open the Advanced sub-menu, and select Forget State For All Cards
5. Open the Tools menu again, then open the Advanced sub-menu, and select Make Certificates Available to Windows
6. Enter your personal information if it is not automatically filled in.
7. Enter an External Email Address (Gmail, Yahoo, Hotmail, etc.)
8. Enter the contact details for your unit or organization including your phone number.
9. Enter a password and confirm it by entering the password again.
10. Choose your three security questions and provide the answers.
11. Your registration is complete! You may print the confirmation screen for your records.
Additionally, if you have a 2nd physical CAC for your second persona, you will need to complete these steps for that CAC as well.
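To confirm from a PowerShell prompt that the “Make Certificates Available to Windows” step worked, the following added example (not part of the original FAQ) lists the certificates Windows can now see and flags which ones can be presented to a website. It assumes the CAC certificates are the only unexpired certificates with private keys in your Personal store; the expected count of four comes from the steps above.

```powershell
# Added example: check what "Make Certificates Available to Windows" published
# to the current user's Personal store. Run with the CAC inserted.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # standard Client Authentication EKU
$expectedCount = 4                      # per the FAQ: three standard certs + PIV AUTH

# Assumption: only CAC certificates are unexpired and have a private key here.
$certs = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) }

$report = foreach ($c in $certs) {
    $ekus = @($c.EnhancedKeyUsageList)
    [pscustomobject]@{
        Subject    = $c.GetNameInfo('SimpleName', $false)   # certificate holder
        Issuer     = $c.GetNameInfo('SimpleName', $true)    # issuing CA
        Expires    = $c.NotAfter.ToString('yyyy-MM-dd')
        ClientAuth = ($ekus.ObjectId -contains $clientAuthOid)
        EKUs       = ($ekus.FriendlyName -join '; ')
        Thumbprint = $c.Thumbprint
    }
}

$report | Sort-Object Issuer, Subject | Format-Table -AutoSize -Wrap

$found = @($report).Count
if ($found -lt $expectedCount) {
    Write-Warning ("Found {0} certificate(s), expected {1}. Re-run 'Forget State For All Cards' and 'Make Certificates Available to Windows' in ActivClient, then check again." -f $found, $expectedCount)
} else {
    Write-Output ("Found {0} certificate(s) with private keys in the Personal store." -f $found)
}

# Certificates a site can accept for sign-on are the ones marked ClientAuth.
$report | Where-Object ClientAuth | Select-Object Subject, Issuer, Expires
```

If the count stays at three after repeating the ActivClient steps, the note above about obtaining a replacement CAC applies.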
AMC LOGSA has received a call from a user who recently received a new CAC. When attempting to access LIW, the user is receiving errors that seem to indicate that ActivClient is not recognizing her new CAC. We had her go into ActivClient to make the certificates available to Windows, but that option is not available – at least not in the same manner as with version 6. She is using ActivClient 7. We use AGM which has version 6 so don’t have a basis for comparison. Have you run into this problem? The user did run into issues with registering her new CAC with AKO, but the AKO support folks resolved that for her – which implies that “making certificates available” may not be the actual issue.