Troubleshooting NTE_BAD_KEYSET


Background

The NTE_BAD_KEYSET error is displayed in the certutil -scinfo output when no certificates can be read from the smart card, or when a certificate that is read cannot be matched to a private key. Seeing it is normal if no certificates have been enrolled.

Potential Causes

Cause 1 - Imported Certificate Does Not Have a Private Key

If you have imported only the public portion of a key pair, this error will be shown. One scenario in which this happens is when a YubiKey is enrolled, the certificate is exported from that YubiKey and then imported onto another YubiKey: the private key is stored within the secure element of the first YubiKey and is non-exportable, so the second YubiKey receives the certificate without a matching private key.

Resolution

If you have the private key, you can use yubico-piv-tool -s<SLOT> -i<FILENAME> -aimport-key to import the private portion into the slot that holds the certificate. If you do not have the private key, you will need to generate a new private/public key pair by enrolling the YubiKey again.
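The check below is an added example and is not part of this article or of yubico-piv-tool. Before running the import command above, it inspects the PEM file to confirm it actually carries a private-key block, which distinguishes a usable export from the cert-only export described in Cause 1. The PIV slot 9a, the file names and the PEM contents are constructed placeholders; nothing is sent to a YubiKey, the script only prints the import command it would run.

```shell
#!/bin/sh
# Added example, not part of the Yubico article: inspect a PEM file before
# importing it into a YubiKey PIV slot, so the Cause 1 situation (only the
# public portion was imported) is caught before anything is written.

# Print "yes" when FILE contains a PEM private-key block, else "no".
pem_has_private_key() {
    if grep -E -q -- '^-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' "$1"; then
        echo yes
    else
        echo no
    fi
}

# Print "yes" when FILE contains a certificate block, else "no".
pem_has_certificate() {
    if grep -q -- '^-----BEGIN CERTIFICATE-----' "$1"; then
        echo yes
    else
        echo no
    fi
}

# Build the import command from the article for SLOT (e.g. 9a) and FILE.
import_command() {
    echo "yubico-piv-tool -s$1 -i$2 -aimport-key"
}

# Check FILE and print the import command when a private key is present
# (return 0); otherwise explain why the import would reproduce the error
# (return 1). Nothing is executed against a YubiKey here.
check_and_plan() {
    slot=$1
    file=$2
    if [ "$(pem_has_private_key "$file")" = yes ]; then
        import_command "$slot" "$file"
        return 0
    fi
    if [ "$(pem_has_certificate "$file")" = yes ]; then
        echo "$file holds only a certificate (public portion); importing it alone" >&2
        echo "leaves the certificate without a matching private key (NTE_BAD_KEYSET)." >&2
    else
        echo "$file contains neither a private key nor a certificate." >&2
    fi
    return 1
}

# Constructed sample files: placeholder text, not real key material.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_KEY_AND_CERT=$SAMPLE_DIR/slot9a-full.pem
SAMPLE_CERT_ONLY=$SAMPLE_DIR/slot9a-cert-only.pem
cat > "$SAMPLE_KEY_AND_CERT" <<'EOF'
-----BEGIN PRIVATE KEY-----
placeholder-not-real-key-material
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
placeholder-not-a-real-certificate
-----END CERTIFICATE-----
EOF
cat > "$SAMPLE_CERT_ONLY" <<'EOF'
-----BEGIN CERTIFICATE-----
placeholder-not-a-real-certificate
-----END CERTIFICATE-----
EOF

# Usage: check_and_plan <slot> <pem-file>
check_and_plan 9a "$SAMPLE_KEY_AND_CERT"
check_and_plan 9a "$SAMPLE_CERT_ONLY" || true
```

For the first file the script prints the yubico-piv-tool import command; for the cert-only file it reports that the import would leave the certificate unmatched. After a real import, rerun certutil -scinfo: the NTE_BAD_KEYSET line should no longer appear for that slot.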

Cause 2 - Outdated YubiKey Smart Card Minidriver

If certificates were enrolled or imported to the YubiKey using one of the PIV tools (PIV Manager, yubico-piv-tool, etc.) while version 3.3 of the YubiKey Smart Card Minidriver (YKMD) is installed, this error will occur. To resolve it, use one of the resolution options below.

Resolution 1 - Upgrade the YubiKey Smart Card Minidriver

This issue with the YKMD was resolved in the v3.7 release, and updating to that version will resolve the issue. You can find the latest version on our smart card downloads page.

Resolution 2 - Remove and Block the YKMD From Being Installed

Alternatively, if you do not want to use the minidriver at all, you can uninstall it and block it from being installed using GPOs. This is covered in the last section of the Smart Card Basic Troubleshooting article.