Cryptnox SA

Cryptnox PIV Smart Card (RSA-4096) — White PVC — PIV / PKI Card

EAN: 7649992538318

A dedicated PIV PKI smart card on the FIPS 140-3 certified NXP P71D600 secure element, with on-card RSA-4096 for Windows / Active Directory smart-card logon, S/MIME, document signing and EAP-TLS VPN. The OpenFIPS201 PIV applet holds a FIPS 140-3 validation on this P71D600 chip (CMVP #5280); FIPS 140-3 approved-mode operation requires SCP03 card management, and these cards ship with SCP02. PIV only — no FIDO2 or MIFARE. Blank white PVC face for in-house ID printing.


 29.00

Tax included. Shipping calculated at checkout.

Description

The Cryptnox PIV White PVC card is a dedicated PKI smart card — a Swiss-engineered NFC / contact smart card that runs a single applet, PIV, on the FIPS 140-3 certified NXP secure element (JCOP 4.5 on P71D600). It generates RSA-4096 keys on-card for government-grade identity: Windows / Active Directory smart-card logon, S/MIME, document signing and certificate-based VPN. The OpenFIPS201 PIV applet carries a FIPS 140-3 validation on the NXP P71D600 (NIST CMVP #5280). FIPS 140-3 approved-mode operation requires SCP03 secure-channel card management; these cards are delivered with SCP02, so they are not operated in the FIPS 140-3 approved mode as shipped. No FIDO2, no MIFARE — pure PIV / PKI.

What the PIV applet does

  • Implements the NIST SP 800-73-4 PIV standard with the four standard key slots (9A authentication, 9C digital signature, 9D key management, 9E card authentication)
  • Supports RSA-4096 as well as RSA-2048 and ECC P-256 / P-384, with on-card key generation — private keys never leave the secure element
  • Works with Windows / Active Directory smart-card logon (Kerberos PKINIT), S/MIME email, document and code signing, and certificate-based VPN / Wi-Fi (EAP-TLS)

The applet ships blank for customer personalization, with a decoupled PIV admin key so an integrator can load keys, certificates and PINs without the issuer’s card-management key.

When to choose this card

Choose this card when you need a FIPS-validated PIV / PKI credential and nothing else. If you also need passwordless / 2FA web sign-in, see the FIDO2 + PIV card; if you also need physical building access, see the FIDO2 + PIV + MIFARE card.

Built for branded enterprise rollouts

The face of this card ships blank — ready for any standard PVC ID card printer (Zebra, Evolis, Fargo, Magicard, Matica). Print your company logo, employee photo, name, department or QR code on each card. Typical buyers are PKI / IT teams standardizing on FIPS-validated smart-card hardware for AD logon and digital signatures.

Features

PIV / PKI use cases

  • Windows Active Directory smart-card logon (Kerberos PKINIT)
  • S/MIME email signing and encryption; document, PDF and code signing
  • Certificate-based VPN and Wi-Fi (EAP-TLS)
  • Enterprise PIV-I (interoperable) and derived-credential deployments
  • High-assurance signatures using RSA-4096 keys generated on-card

PIV standards & middleware

The PIV applet conforms to NIST FIPS 201-3 and SP 800-73-4, and works with the Windows native smart-card mini-driver (Base CSP), PKCS#11 middleware and OpenSC; it is suitable for PIV-I (interoperable) credentialing. On macOS the card is available via CryptoTokenKit or OpenSC; on Linux via OpenSC / PKCS#11.

Customize the card face for branded badges

The blank White PVC surface is dimensioned to standard CR80 ID card printer specs:

  • Print employee photo, name and department via dye-sublimation or thermal transfer
  • Add company logo and color branding, QR codes, visible serial numbers or asset tags
  • Apply an optional laminate overlay for added durability — avoid metallic overlays that could interfere with NFC performance

Easy to deploy

  • Contact mode: insert into any USB CCID-class smart card reader for PIV smart-card logon and signing. The card itself is an NFC / contact smart card (not a USB security key)
  • Driverless reader support: a standard USB CCID reader is recognized by Windows, macOS and Linux without vendor drivers
  • No charging — passive NFC, no battery

Bulk procurement

For volumes of 500+ or pre-printed batches (1,000+ cards), get in touch via our contact form.

Specifications

Technical specifications

  • Form factor: ISO/IEC 7810 ID-1 (CR80, credit-card size)
  • Card face: blank White PVC, ready for ID card printers (dye-sublimation or thermal transfer)
  • Interface: contact (ISO 7816) + NFC (ISO/IEC 14443 Type A)
  • Secure element: NXP JCOP 4.5 (P71D600), Java Card platform, single chip, FIPS 140-3 certified, EAL6+
  • Applet: PIV only — no FIDO2, no MIFARE
  • PIV: four key slots (9A / 9C / 9D / 9E); RSA-4096, RSA-2048, ECC P-256 / P-384; on-card key generation
  • Power: passive — no battery, energy harvested from the reader’s RF field
  • Operating systems: Windows 10/11 (native mini-driver / Base CSP); macOS (CryptoTokenKit / OpenSC); Linux (OpenSC / PKCS#11)

Compliance

  • ISO/IEC 7810 (card form factor), ISO/IEC 7816 (contact interface), ISO/IEC 14443 (NFC interface)
  • NIST FIPS 201-3 (PIV)
  • Supports deployments aligned with OMB M-22-09, NIST SP 800-63B, PCI DSS v4, NIS2, DORA and eIDAS

Certifications

Each part of the card is certified independently.

Chip / platform certifications (NXP JCOP 4.5 on P71D600, Java Card platform):

  • Common Criteria EAL 6+ augmented — NSCIB-CC-0313985-CR
  • FIPS 140-3 Overall Level 3 with Physical Security at Level 4 — NIST CMVP certificate #4679
  • AIS-31 compliant True Random Number Generator (chip-level)

Applet certification:

  • PIV applet (OpenFIPS201 v2.0): FIPS 140-3 validated (NIST CMVP certificate #5280, Overall Level 2, Physical Security Level 4), NIST SP 800-73-4 / SP 800-78-4 conformant. This validation was issued on the NXP P71D600 secure element — the chip used in this card. Note: FIPS 140-3 approved-mode operation requires SCP03 secure-channel card management; these cards are delivered configured with SCP02, so they do not operate in the FIPS 140-3 approved mode as shipped.

Cryptography: the PIV applet generates RSA-4096 / RSA-2048 / ECC P-256 / P-384 keys on-card, and private keys never leave the secure element.

Frequently Asked Questions

Is the PIV applet on this card FIPS certified?

Yes. The OpenFIPS201 v2.0 PIV applet holds a NIST FIPS 140-3 validation (CMVP certificate #5280, Overall Level 2 with Physical Security Level 4). That validation was performed on the NXP P71D600 secure element, the exact chip this card uses. Note: FIPS 140-3 approved-mode operation requires SCP03 card management, and these cards ship with SCP02, so they are not operated in the FIPS 140-3 approved mode as delivered. The underlying P71D600 secure element is itself certified to Common Criteria EAL6+ (NSCIB-CC-0313985) and FIPS 140-3 Level 3 with Physical Security Level 4 (CMVP #4679). The chip and the PIV applet are certified independently.

How is this different from the FIDO2 + PIV cards?

This is a dedicated PIV / PKI card — it runs only the PIV applet, with no FIDO2 and no MIFARE. It is the most economical way to deploy a FIPS-validated smart-card PKI credential for Windows / Active Directory logon and digital signing. If you also need passwordless / 2FA web authentication, choose the FIDO2 + PIV card; if you additionally need physical building access, choose the FIDO2 + PIV + MIFARE card. All three share the same PIV applet with on-card RSA-4096.

What can I do with the PIV applet?

It turns the card into a government-grade PKI smart card. It implements the NIST SP 800-73-4 PIV standard with the four standard key slots (9A authentication, 9C digital signature, 9D key management, 9E card authentication) and supports RSA-4096 as well as RSA-2048 and ECC P-256 / P-384. Keys are generated on-card, so the private key never leaves the secure element. That lets the card handle Windows / Active Directory smart-card logon (Kerberos PKINIT), S/MIME email signing and encryption, document and code signing, and certificate-based VPN or Wi-Fi (EAP-TLS).

Does the card ship ready to use, or does it need provisioning?

The PIV applet ships installed but blank: there are no PINs, keys or certificates on it until your PKI team personalizes it. To make integration easier, the PIV admin channel uses a dedicated, decoupled key (a separate GP Security Domain) rather than the issuer’s card-management key, so an integrator can load PIV keys, certificates and PINs without the master key. Re-key it to a secret if you want gated PIV administration. For volume provisioning or pre-printed cards, use the Cryptnox contact form.

Which operating systems and middleware does it work with?

The PIV applet conforms to NIST FIPS 201-3 / SP 800-73-4 and works with the Windows native smart-card mini-driver (Base CSP), PKCS#11 middleware and OpenSC, and is suitable for PIV-I (interoperable) credentialing. On Windows 10/11 it supports native smart-card logon; on macOS it is available via CryptoTokenKit or OpenSC; on Linux via OpenSC / PKCS#11. Use the card in its contact (ISO 7816) interface through any standard USB CCID smart-card reader. The card itself is an NFC / contact smart card, not a USB security key.
