Troubleshooting a Smart Card on Windows using Certutil

Certutil is a utility provided by Microsoft starting with Windows 7 and Server 2008. It is installed as part of Certificate Services and can be used to show certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains. It is also a good tool for troubleshooting smart cards.

Use this tool when errors occur, such as the certificates on the card not propagating, or when the message “A smart card was detected but is not the one required for the current operation” is displayed.

To check the smart card with Certutil, open a command window and run:

certutil -v -scinfo

Certutil will check the smart card status, then walk through all the certificates associated with the card and check them as well. (For each certificate it finds, it will request a PIN. If there are many certificates this may take some time, but the PIN is not required just to check the basic smart card status, so the PIN entry dialog box can be cancelled.)

Card Working Correctly

[Screenshot: certutil-scinfo1.png]

In the above example, the smart card is working fine. The Smart Card Resource Manager is running. The reader is working and available. The card is available. The card ATR is recognized (it is a Taglio C2). 

If there are still errors (especially if Windows is prompting to insert another card), a likely problem is that the driver DLL referenced in the registry is not available, either because the registry entry is wrong, or because the DLL is simply not there or has been renamed. To check this, go to the card's registry entry, which has the same name as shown on the output line "Card:" in the Certutil results. In the example above, it would be the registry entry called "Taglio C2 JCOP31 (90)". In that registry entry, check the name of the DLL (see: Troubleshooting the Windows Registry Smart Card entries). Also check that the specified DLL is available in the system files and can be used.

Card not Working Correctly

[Screenshot: certutil-scinfo-fail.png]

In the above results, the smart card reader works fine and the card is available, but the system cannot find the card. This may be because the minidriver is simply not installed, or because the particular card is not supported by the specific minidriver installation. Note that Certutil provides the ATR of the card. The registry can be used to verify that the ATR is correct.
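The two registry checks described above (the driver DLL named in the card's entry, and the ATR) can be scripted. The following PowerShell is an added example, not part of the original article: it goes slightly beyond the text by applying each entry's ATR mask, and it assumes the standard Windows registration layout (the Calais\SmartCards key with ATR, ATRMask, "Crypto Provider" and "80000001" values, the last holding the minidriver DLL name). The default ATR is a constructed placeholder.

```powershell
# Added example: list registered smart card entries whose ATR matches the one
# reported by "certutil -v -scinfo", and check that the minidriver DLL exists.
param(
    # Constructed placeholder; paste the ATR bytes printed by certutil here.
    [string]$AtrHex = '3B 00 00 00'
)

# Assumed standard location of smart card registrations on Windows.
$root = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards'

# Turn "3b f8 13 ..." (any separators) into a byte array.
function ConvertTo-ByteArray([string]$Hex) {
    $clean = $Hex -replace '[^0-9A-Fa-f]', ''
    [byte[]]$bytes = for ($i = 0; $i -lt $clean.Length - 1; $i += 2) {
        [Convert]::ToByte($clean.Substring($i, 2), 16)
    }
    return ,$bytes
}

# Compare the card ATR with a registered ATR byte by byte under the mask.
# A missing mask is treated as all bits significant (0xFF).
function Test-AtrMatch([byte[]]$Atr, [byte[]]$RegAtr, [byte[]]$Mask) {
    if ($null -eq $RegAtr -or $Atr.Length -ne $RegAtr.Length) { return $false }
    for ($i = 0; $i -lt $Atr.Length; $i++) {
        $m = if ($null -ne $Mask -and $i -lt $Mask.Length) { $Mask[$i] } else { 0xFF }
        if (($Atr[$i] -band $m) -ne ($RegAtr[$i] -band $m)) { return $false }
    }
    return $true
}

$atr = ConvertTo-ByteArray $AtrHex
Get-ChildItem -Path $root -ErrorAction Stop | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    if (-not (Test-AtrMatch $atr $p.ATR $p.ATRMask)) { return }   # skip non-matching entries

    # "80000001" names the minidriver DLL; a bare file name is looked up in System32.
    $dll = [Environment]::ExpandEnvironmentVariables([string]$p.'80000001')
    if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
        $dll = Join-Path $env:SystemRoot "System32\$dll"
    }
    [pscustomobject]@{
        Card       = $_.PSChildName        # should equal the "Card:" line from certutil
        Provider   = $p.'Crypto Provider'
        Minidriver = $dll
        DllPresent = [bool]($dll -and (Test-Path -LiteralPath $dll))
    }
} | Format-Table -AutoSize
```

No output rows means no registered entry matches the ATR, which corresponds to the failing case above. A row with DllPresent set to False corresponds to the missing or renamed DLL case. Run it from a 64-bit PowerShell session so that System32 is not redirected.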
