PIV CAC card list of certificates

Question:

SP 800-73 Part 1 defines four X.509 certificate data objects and there are key references for asymmetric keys given. One assumes that: Key Reference 9A <==> X.509 Certificate for PIV Authenication Key Reference 9B <==> X.509 Certificate for Card Authentication Key Reference 9C <==> X.509 Certificate for Digital Signature Key Reference 9D <==> X.509 Certificate for Key Management is this correct? Furthermore, it is not stated for which of these key pairs the private key is resident on the card and for which key pairs the private key is held outside the card.

Answer:

The correct relationship is as follows: Key Reference 9A <==> X.509 Certificate for PIV Authentication. The 9A private key is held on the card. Key Reference 9B: The Card Management Key (aka Card Application Administration Key) is a symmetric key and has no certificate. The 9B symmetric key is held on the card. Key Reference 9C <==> X.509 Certificate for Digital Signature. The 9B private key is held on the card. Key Reference 9D <==> X.509 Certificate for Key Management. The 9D private key is held on the card. Key Reference 9E <==> X.509 Certificate for Card Authentication Key. Note that the Card Authentication Key may be asymmetric or symmetric. It has a certificate only if it is asymmetric. The private or secret 9E key is held on the card.