Error: "The revocation status of the smart card certificate used for authentication could not be determined."

Solution ID:    SO12343    Updated:    06/17/2015

Problem

When authenticating a smartcard certificate, you may receive the following error message:

The revocation status of the smart card certificate used for authentication could not be determined

Cause

This error occurs when one of the following conditions is true:

  • Network connectivity issues with the certificate revocation list (CRL) server
  • Certificate revocation list (CRL) is expired
  • Certificate chaining is invalid

Solution

To troubleshoot this issue, run the following command:

certutil -scinfo

Here is an example of the certutil output:

---   Card: eTokenOS4 (T1 32k)
Provider = eToken Base Cryptographic Provider
Key Container = 045d22b0-8f71-4c59-b6d0-82e02df9fa6c
 
No AT_SIGNATURE key for reader: AKS ifdh 0
 
Performing AT_KEYEXCHANGE public key matching test...
Public key matching test succeeded
  Key Container = 045d22b0-8f71-4c59-b6d0-82e02df9fa6c
  Provider = eToken Base Cryptographic Provider
  ProviderType = 1
  Flags = 1
  KeySpec = 1 -- AT_KEYEXCHANGE
Private key verifies
 
Performing cert chain verification...
Chain validates
Smart Card Logon: Chain on smart card is invalid
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 22 Days, 20 Hours, 8 Minutes, 33 Seconds
 
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 22 Days, 20 Hours, 8 Minutes, 33 Seconds
 
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: <INT_CA_DN>
  NotBefore: 9/30/2009 7:00 PM
  NotAfter: 10/1/2010 6:59 PM
  Subject: <END_ENTITY_DN>
  Serial: <serial_number>
  SubjectAltName:
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    CRL 0:
    Issuer: <INT_CA_DN>
  Issuance[0] = 2.16.840.1.113733.1.7.23.3.1.7
  Application[0] = 1.3.6.1.5.5.7.3.4 Secure Email
 
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN="<common_name>", C=US
  NotBefore: 3/18/2009 7:00 PM
  NotAfter: 3/18/2014 6:59 PM
  Subject: <INT_CA_DN>
  Serial: 53c72152edad5234625cc9fac0f5dac5
  SubjectAltName: Directory Address:CN=symantecMPKI-1-11
  40 63 12 3f 9d fb 9f b6 7b ef 09 ef 66 52 8c cf 3f a9 ab 42
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    CRL 0:
    Issuer: CN=<common_name>, OU=<org_unit>, O=<org_name>, C=US
    <serial_number>
  Issuance[0] = 2.16.840.1.113733.1.7.23.3.1.6
  Issuance[1] = 2.16.840.1.113733.1.7.23.3.1.7
  Issuance[2] = 2.16.840.1.113733.1.7.23.3.1.8
  Issuance[3] = 2.16.840.1.113733.1.7.23.3.1.13
  Issuance[4] = 2.16.840.1.113733.1.7.23.3.1.17
  Application[0] = 1.3.6.1.5.5.7.3.3 Code Signing
  Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[2] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[3] = 1.3.6.1.5.5.7.3.4 Secure Email
 
CertContext[0][2]: dwInfoStatus=101 dwErrorStatus=0
  Issuer: CN=symantec Class 3 Public Primary Certification Authority - G3, OU="(
c) 1999 symantec, Inc. - For authorized use only", OU=symantec Trust Network, O=
"symantec, Inc.", C=US
  NotBefore: 2/4/2009 7:00 PM
  NotAfter: 2/4/2019 6:59 PM
  Subject: CN=symantec Class 3 SSP Intermediate CA, OU=symantec Trust Network, O
="symantec, Inc.", C=US
  Serial: 3a0c57ca7b476015e73c01c3c58d0e5e
  SubjectAltName: Directory Address:CN=symantecMPKI-1-8
  cf 5e 3d 16 02 fc 8a a8 5e dc bd 3f 0a d0 78 fb 25 d1 39 05
  Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    CRL 3:
    Issuer: CN=symantec Class 3 Public Primary Certification Authority - G3, OU=
"(c) 1999 symantec, Inc. - For authorized use only", OU=symantec Trust Network,
O="symantec, Inc.", C=US
    10 bd 3d bf 20 7d be 67 dd 62 68 82 f7 fb 79 e8 86 54 c2 4f
  Issuance[0] = 2.16.840.1.113733.1.7.23.3.1.6
  Issuance[1] = 2.16.840.1.113733.1.7.23.3.1.7
  Issuance[2] = 2.16.840.1.113733.1.7.23.3.1.8
  Issuance[3] = 2.16.840.1.113733.1.7.23.3.1.13
  Issuance[4] = 2.16.840.1.113733.1.7.23.3.1.17
  Application[0] = 1.3.6.1.5.5.7.3.3 Code Signing
  Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[2] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[3] = 1.3.6.1.5.5.7.3.4 Secure Email
 
CertContext[0][3]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=symantec Class 3 Public Primary Certification Authority - G3, OU="(
c) 1999 symantec, Inc. - For authorized use only", OU=symantec Trust Network, O=
"symantec, Inc.", C=US
  NotBefore: 9/30/1999 7:00 PM
  NotAfter: 7/16/2036 6:59 PM
  Subject: CN=symantec Class 3 Public Primary Certification Authority - G3, OU="
(c) 1999 symantec, Inc. - For authorized use only", OU=symantec Trust Network, O
="symantec, Inc.", C=US
  Serial: 9b7e0649a33e62b9d5ee90487129ef57
  13 2d 0d 45 53 4b 69 97 cd b2 d5 c3 39 e2 55 76 60 9b 5c c6
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Application[0] = 1.3.6.1.5.5.7.3.3 Code Signing
  Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[2] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[3] = 1.3.6.1.5.5.7.3.4 Secure Email
 
Exclude leaf cert:
  c9 63 b6 66 56 b5 a0 5c b3 bd 9d 20 99 26 2c 67 c9 01 21 6c
Full chain:
  23 4f fa 3b 00 bf de 6b eb 72 c5 fb ab d4 ca 7c 5d 3d d3 b5
------------------------------------
Verified Issuance Policies:
    2.16.840.1.113733.1.7.23.3.1.7
Verified Application Policies:
    1.3.6.1.5.5.7.3.4 Secure Email
Displayed AT_KEYEXCHANGE cert for reader: AKS ifdh 0
 
Analyzing card in reader: AKS ifdh 1
 
--------------===========================--------------
 
=======================================================
Analyzing card in reader: AKS VR 0
 
--------------===========================--------------
 
Done.
CertUtil: -SCInfo command completed successfully.
 
 
The output should reveal any issues with the certificate stored on the token. Also, review the Microsoft document to ensure the certificate meets all requirements for smartcard logon: http://support.microsoft.com/kb/281245. If further assistance is needed, send the output to enterprise_pkisupport@symantec.com for review.
 

Known Issues

 
The system could not log you on. The requested key container does not exist on the smart card.
 
This error occurs when the private key was generated with the KeySpec value equal to 2.  Microsoft has stated the KeySpec value must equal 1.
 
"There are two predefined types of private keys. These keys are Signature Only (AT_SIGNATURE) and Key Exchange (AT_KEYEXCHANGE). Smartcard logon certificates must have a Key Exchange (AT_KEYEXCHANGE) private key type in order for smartcard logon to function correctly."

Here is a brief overview of KeySpec values (the X509KeySpec enumeration from the Windows certificate enrollment API):

    typedef enum X509KeySpec {
        XCN_AT_NONE        = 0,  // no key type specified
        XCN_AT_KEYEXCHANGE = 1,  // key exchange key; required for smartcard logon
        XCN_AT_SIGNATURE   = 2   // signature-only key; not usable for smartcard logon
    } X509KeySpec;
 
Note: This is a reported issue with the Microsoft Windows Vista operating system.
 
 
To resolve this issue, perform the following steps:
 
For locally hosted customers, access the server and, on the enrollment page (userEnrollMS.htm, userEnrollDualMS.htm, etc.), change the objPrivateKey.keySpec value from 2 to 1. Here is an example:
 
    ' -- Setting keySpec to AT_KEYEXCHANGE (1), as required for smartcard logon
    objPrivateKey.Length = 2048
    objPrivateKey.keySpec = 1
 
Once completed, save the changes and enroll for a new smartcard certificate.  For remote hosted customers, the changes will need to be completed by Symantec.  Contact Symantec Enterprise support at 800-579-2848 option 1,3 for further assistance.
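As an added example (not Symantec's or Microsoft's tooling), the following Python script triages a saved certutil -scinfo dump for the conditions this article discusses: a KeySpec other than 1 (the known issue above), a logon chain certutil reports as invalid, stale revocation data, a non-zero leaf dwErrorStatus, and a leaf certificate missing the Client Authentication or Smart Card Logon EKU that the cited KB 281245 requires. The 7-day freshness threshold is an assumed local policy value and the sample dump is constructed in the format of the output shown above.

```python
import re

# Leaf EKUs Microsoft requires for smart card logon (KB 281245, cited in the article).
REQUIRED_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
}

def triage_scinfo(text, max_crl_age_days=7):
    """Scan saved 'certutil -scinfo' output; return a list of findings (empty = nothing obvious).
    max_crl_age_days is an assumed local threshold, not a Microsoft requirement."""
    findings = []
    m = re.search(r"^\s*KeySpec = (\d+)", text, re.M)
    if m and m.group(1) != "1":
        findings.append(f"KeySpec = {m.group(1)}; smart card logon requires 1 (AT_KEYEXCHANGE)")
    if re.search(r"^Smart Card Logon: Chain on smart card is invalid", text, re.M):
        findings.append("certutil reports the logon chain on the card as invalid")
    m = re.search(r"ChainContext\.dwRevocationFreshnessTime: (\d+) Days", text)
    if m and int(m.group(1)) > max_crl_age_days:
        findings.append(f"revocation data is {m.group(1)} days old; check CRL reachability and expiry")
    # CertContext[0][0] is the leaf; its block ends at the next blank or whitespace-only line.
    leaf = re.search(r"CertContext\[0\]\[0\]: dwInfoStatus=\w+ dwErrorStatus=(\w+)\n(.*?)(?:\n[ \t]*\n|\Z)",
                     text, re.S)
    if leaf:
        if leaf.group(1) != "0":
            findings.append(f"leaf dwErrorStatus={leaf.group(1)} (non-zero: trust or revocation error)")
        ekus = set(re.findall(r"Application\[\d+\] = (\S+)", leaf.group(2)))
        for oid, name in REQUIRED_EKUS.items():
            if oid not in ekus:
                findings.append(f"leaf certificate lacks EKU {name} ({oid})")
    return findings

# Constructed excerpt in the format of the certutil output above (not a real card dump).
SAMPLE = """\
  KeySpec = 2 -- AT_SIGNATURE
Smart Card Logon: Chain on smart card is invalid
ChainContext.dwRevocationFreshnessTime: 22 Days, 20 Hours, 8 Minutes, 33 Seconds
 
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=Example Issuing CA, O=Example, C=US
  Subject: CN=Example User, O=Example, C=US
  Application[0] = 1.3.6.1.5.5.7.3.4 Secure Email
 
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
"""

if __name__ == "__main__":
    for finding in triage_scinfo(SAMPLE):
        print("FINDING:", finding)
```

Run it against the real dump by reading the saved certutil output into a string and passing it to triage_scinfo; an empty result means none of the listed conditions was detected, not that logon will succeed.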
