Secretary of Defense for Personnel and Readiness and DoD Chief Information Officer (CIO) Memorandum mandates that all DoD Components transition Non-Secure Internet Protocol Router Network (NIPR) Public Key-Enabled IT resources to use the PIV Authentication Certificate for authentication
The DoD CAC Certificate Reduction and Realignment Plan details the following:
- All DoD Components transition NIPRNet IT resources to use the PIV-AUTH certificate as the identity certificate for authentication.
- Eliminate the Identity certificate from the CAC.
- Realign the Email Signing certificate to perform only signature operations.
- Users must have activated the PIV certificate no later than March 31, 2019 via the Defense Manpower Data Center (DMDC) Self-Service Portal.
- Users will not be required to use the PIV certificate until the transition is completed in 2020; the cutover date, beginning January 01, 2020, is set by each service (Army, Air Force, Navy, DoD).
Expected changes from the directive above:
- Reduction of card certificates from 4 to 3.
- Change of the user's EDIPI on the card from 10 digits to 16 digits, and change of the user's Active Directory account to reflect the 16-digit UPN. The DoD PIV Authentication certificate is required and contains a User Principal Name (UPN) in the Subject Alternative Name (SAN) field of the form <last 16 digits of the FASC-N>@mil.
Xerox Procedures
As the DoD prepares for the new modernized CAC (May 2020), both the PIV and CAC Identity certificates are being enabled on smart cards issued between now and May 2020, and the user's logon ID in AD is being changed to 16 digits. In this condition the printer attempts to authenticate with the first identity certificate it encounters (the CAC Identity certificate) and fails.
Ultimate solution for all devices: ask the customer to enable ONLY the PIV Identity certificate on the user's CAC; in other words, do not enable the CAC Identity certificate, so the user is not considered a dual-persona user and no other action is required. Expect push-back that they do not have control over that process.
Solution for ConnectKey/AltaLink/VersaLink:
Upgrade to the latest software version. It will automatically attempt to authenticate with the user's 16-digit user logon ID; if that fails, it falls back to the 10-digit user logon ID.
Latest firmware as of January 2020:
- AltaLink C8045-C8055: Download
- AltaLink C8030-C8035: Download
- WorkCentre 5325-30-35: Download, Plugin
- WorkCentre 5945-5955: Download
- WorkCentre 7845-7855: Download
- WorkCentre 7830-7835: Download
- VersaLink C600-C500: Download, Plugin
- VersaLink C605-C505: Download, Plugin
- VersaLink B600-B610: Download, Plugin
- VersaLink B605-B615: Download, Plugin
- VersaLink B70XX: Download1, Download2, Plugin
HP Procedures
With current and recent FutureSmart firmware (https://support.hp.com/us-en/document/c03933242), the device uses the Email Signing certificate with the 10-digit UPN when "Prefer GSC-IS over PIV card" is selected in the Smart Card setup. If that option is not selected, the device uses the PIV Authentication certificate with the 16-digit UPN.
If the environment is mixed (some users with a 16-digit UPN in AD and others with a 10-digit UPN in AD), the device will only support one of those groups of users, depending on the administrator's configuration of "Prefer GSC-IS over PIV card" on the local device.
HP is currently investigating options to automatically support both when Prefer GSC-IS over PIV card is selected.
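The certificate-selection and logon-name-fallback behaviour described above (the pre-fix printer picking the first identity certificate and failing, the updated Xerox firmware trying the 16-digit logon ID and then the 10-digit one, and the HP "Prefer GSC-IS over PIV card" choice) as an added Python simulation. This is constructed example code, not Xerox, HP or Lexmark firmware: the card certificates, UPNs and directory entries are made up, the directory is a plain dict standing in for Active Directory, and it assumes the 10-digit logon ID is the leading 10 digits (the EDIPI) of the 16-digit value in the PIV-Auth UPN, which the page does not spell out.

```python
"""Simulated smart-card logon-name selection during the CAC-to-PIV transition.

Constructed example, not vendor code.  Assumptions: each certificate on the
card is a dict with a 'label' and the UPN from its Subject Alternative Name
(None if absent); 'directory' is a dict standing in for Active Directory; the
10-digit logon ID is the leading 10 digits (EDIPI) of the 16-digit PIV UPN.
"""
import re

UPN_RE = re.compile(r"^(\d{10}|\d{16})@mil$")

# Constructed card for a user whose AD account is already on the 16-digit UPN.
CARD_REALIGNED = [
    {"label": "CAC Identity", "upn": "1234567890@mil"},
    {"label": "Email Signing", "upn": "1234567890@mil"},
    {"label": "Email Encryption", "upn": None},
    {"label": "PIV Authentication", "upn": "1234567890123456@mil"},
]

# Constructed card for a user whose AD account still has the 10-digit UPN.
CARD_LEGACY = [
    {"label": "CAC Identity", "upn": "0987654321@mil"},
    {"label": "Email Signing", "upn": "0987654321@mil"},
    {"label": "Email Encryption", "upn": None},
    {"label": "PIV Authentication", "upn": "0987654321001122@mil"},
]

# Constructed mixed-environment directory: one UPN style per account.
DIRECTORY_MIXED = {
    "1234567890123456@mil": "jdoe",
    "0987654321@mil": "asmith",
}


def upn_digits(upn):
    """Return the digit part of a DoD UPN, or None if the value is not one."""
    match = UPN_RE.match(upn or "")
    return match.group(1) if match else None


def candidate_logon_ids(upn, fallback=True):
    """Logon IDs to try, most specific first.

    A 16-digit PIV UPN is tried as-is and, when fallback is enabled, then as
    the 10-digit EDIPI (assumed to be its leading 10 digits).  A 10-digit UPN
    has nothing to fall back to.
    """
    digits = upn_digits(upn)
    if digits is None:
        return []
    ids = [f"{digits}@mil"]
    if fallback and len(digits) == 16:
        ids.append(f"{digits[:10]}@mil")
    return ids


def first_identity_cert(card):
    """Pre-fix printer behaviour: the first certificate carrying a UPN wins."""
    return next(c for c in card if upn_digits(c["upn"]) is not None)


def piv_auth_cert(card):
    """Pick the PIV-Auth certificate: the one whose SAN UPN has 16 digits."""
    return next(c for c in card if len(upn_digits(c["upn"]) or "") == 16)


def hp_selected_cert(card, prefer_gsc_is):
    """HP behaviour as described: 'Prefer GSC-IS over PIV card' selects the
    Email Signing certificate (10-digit UPN), otherwise PIV-Auth (16-digit)."""
    if prefer_gsc_is:
        return next(c for c in card if c["label"] == "Email Signing")
    return piv_auth_cert(card)


def resolve_logon(cert, directory, fallback):
    """Map the chosen certificate's UPN to a directory account.

    Returns (logon_id, account) on the first match, or None when nothing
    matches, which is the 'authentication fails' case from the text.
    """
    for logon_id in candidate_logon_ids(cert["upn"], fallback):
        if logon_id in directory:
            return logon_id, directory[logon_id]
    return None


def xerox_updated_logon(card, directory):
    """Updated Xerox behaviour: PIV-Auth UPN first, 10-digit fallback second."""
    return resolve_logon(piv_auth_cert(card), directory, fallback=True)


if __name__ == "__main__":
    for name, card in (("realigned", CARD_REALIGNED), ("legacy", CARD_LEGACY)):
        print(name, "first-cert:",
              resolve_logon(first_identity_cert(card), DIRECTORY_MIXED, False))
        print(name, "xerox-updated:", xerox_updated_logon(card, DIRECTORY_MIXED))
        for pref in (True, False):
            print(name, f"hp prefer_gsc_is={pref}:",
                  resolve_logon(hp_selected_cert(card, pref), DIRECTORY_MIXED, False))
```

Running it shows why a mixed environment is a problem for any device without the fallback: the HP-style single choice only ever resolves one of the two users, whereas the 16-then-10 fallback resolves both cards against the same directory.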
Lexmark Procedures
These instructions will allow Lexmark MFPs to use PIV certificates on a CAC in compliance with the DoD's CAC modernization directives.
To understand more about the DoD's CAC Modernization directives, go to Lexmark's CAC Modernization page at https://www.lexmark.com/en_us/solutions/government/cac_modernization.html .
Note: The MFPs will not support a mixed environment. The MFP will support either the PIV or the CAC certificate, not both on the same device. The user rollout will need to coincide with the printer configurations.
The following must be done to switch to the PIV certificates on the CAC:
- Install PIV card driver
- Update Secure/PKI Email apps
- Remove/Stop CAC driver
Click on the corresponding eTask model that applies to your device and follow the instructions.
| eTask Model | Lexmark Printer Model | App Levels Required |
|---|---|---|
| eTask 5 and 6 | MS82x, MS62x, MX82x, MX72x, MX62x, MX52x, MX42x, CS92x, CS82x, CS72x, CS62x, CX82x, CX86x, CX52x, CX92x | PIV Card Driver 1.3.8 or greater; Secure Email 2.1.11 or greater |
| eTask 4 (s2) | MS812, MX610, MX611, MX6500, MX6500e, MX710, MX711, MX810, MX811, MX812, CX510 | PIV Card Driver 1.3.8 or greater; Secure Email s2_1.4.9 or greater |
| eTask 4 (s3) | CS510, MS610, MS810, MX410, MX510, MX511 | PIV Card Driver 1.3.8 or greater; Secure Email s3_1.4.9 or greater |
| eTask 3 | X54x, 6500, X74x, X792, X95x, C74x, C792, C925, C950 | PIV Card Driver 1.3.8 or greater; PKI Email 4.1.3 or greater |
| eTask 2+ | X46x, X65x, X73x, X86x, T656 | PIV Card Driver 1.3.9 or greater |
| eTask 1 | X64x, X78x, X94x | |