Troubleshooting a Smart Card on Windows using Certutil

Certutil is utility provided by Microsoft on Windows 7/8 and Server 2008 and up that allows you work with the cryptographic subsystem to manage certificates. It is also a good tool to trouble shoot smart cards.

If your card is not working, this is a good place to start. The certificates you know are on the cards are not propagating for example, or you are getting the dreaded “A smart card was detected but is not the one required for the current operation” error.

To use Certutil to check the smart card run:

 

certutil -v -scinfo

 

Certutil will check the smart card status, and then walk through all the certificates associated with the cards and check them as well. For each certificate it finds, it will request a PIN. If you have many certificates this may take some time, but it is not required to just check the basic smart card status, and so you can cancel out of the PIN entry dialog.

 

Card Working Correctly

 

certutil-scinfo1.png

In the above example the smart card everything is working fine. The Smart Card Resource Manager is running. The reader is working and available. The card is available. The card ATR is recognized (it is a Taglio C2).

If you are still getting errors (especially when Windows is prompting you to insert another card), a likely problem is that the actual driver DLL referenced in the registry is not available, either because the registry entry is wrong, or because the DLL is simply not there or has been renamed. To check, go to the card registry with the same name as shown under "Card:" in Certutil, and check the name of the dlls (see: Troubleshooting the Windows Registry Smart Card entries). Then check that this dll is available and can be used.

 

4certutil-scinfo-fail.png

The above results are also interesting. Again the smart card reader works fine, and the card is available. But in this case the system cannot find the card. This maybe because the minidriver is simply not installed, or because the particular card is not supported by the specific minidriver installation. Note that Certutil provides you with the ATR of the card. You can go into the registry and see if the card ATR is correct.

Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.
Powered by Zendesk