Troubleshooting "No Valid Certificates Were Found on This Smart Card"

Applicable Products


Potential Causes

  1. The YubiKey was enrolled using one of the PIV tools and the computer has the YubiKey Smart Card Minidriver v3.3 installed.

  2. The certificate chain is not trusted.

  3. The usage attributes on the certificate do not allow for smart card logon.

1. The YubiKey Was Enrolled Using One of the PIV Tools and the Computer Has the YubiKey Smart Card Minidriver v3.3 Installed

An incompatibility between YubiKeys enrolled using the PIV tools (PIV Manager, yubico-piv-tool, or other 3rd party software) and version 3.3 of the YubiKey Smart Card Minidriver can cause this error.

Testing

Note: This testing assumes you have a working and a non-working computer to test with on your domain.

  1. In a Command Prompt window, run “certutil -scinfo” on both a working and non-working computer. If prompted, enter your smart card PIN.

  2. Near the top of the output, look for “Card:”. If the card is listed as “NIST Identity …” on the working computer but as “Yubikey … Smart Card” on the non-working computer, continue with these steps; otherwise this is not your issue and you should check the other potential causes.

  3. On the non-working computer, check if the version of the YubiKey Smart Card Minidriver is 3.3. If it is version 3.3, this is the source of the issue.
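The three testing steps above can be scripted so that the output from the working and non-working computers is easy to compare. The following PowerShell is an added example, not part of the Yubico article: it runs certutil -scinfo, keeps the “Card:” lines, reads the installed minidriver version from the Programs and Features uninstall registry keys, and applies the article's decision rule. It assumes the minidriver's uninstall entry has a DisplayName containing "YubiKey Smart Card Minidriver" and a parseable DisplayVersion; verify both on your build.

```powershell
# Added example (not from the Yubico article): automates the three testing
# steps for potential cause 1. Run on the working and the non-working
# computer and compare the output.
# Assumption: the minidriver is listed under the uninstall registry keys with
# a DisplayName containing "YubiKey Smart Card Minidriver".
function Get-SmartCardDiagnostics {
    [CmdletBinding()]
    param()

    # Step 1: run certutil -scinfo (you will be prompted for the PIN) and keep
    # the "Card:" lines, which show which minidriver answered for the card.
    $scinfo = & certutil.exe -scinfo 2>&1
    $cardLines = @($scinfo |
        Where-Object { "$_" -match '^\s*Card:' } |
        ForEach-Object { "$_".Trim() })

    # Step 3: look up the installed YubiKey Smart Card Minidriver version in
    # both the 64-bit and the 32-bit uninstall registry views.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $minidriver = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*YubiKey Smart Card Minidriver*' } |
        Select-Object -First 1 DisplayName, DisplayVersion

    $version = $null
    if ($minidriver -and $minidriver.DisplayVersion) {
        $version = [version]$minidriver.DisplayVersion
    }

    # Step 2 decision rule from the article: a card reported as
    # "Yubikey ... Smart Card" together with minidriver 3.3 is the known
    # incompatibility (3.7 or later reads PIV-tool enrolled certificates).
    $yubicoNamedCard = [bool]@($cardLines | Where-Object { $_ -match 'Yubikey' })
    $affectedVersion = [bool]($version -and $version.Major -eq 3 -and $version.Minor -eq 3)

    [pscustomobject]@{
        CardLines         = $cardLines
        MinidriverName    = $minidriver.DisplayName
        MinidriverVersion = $version
        LikelyCause1      = ($yubicoNamedCard -and $affectedVersion)
    }
}

Get-SmartCardDiagnostics | Format-List
```

If LikelyCause1 is True on the non-working computer while the working computer reports a “NIST Identity …” card, apply one of the resolution options below; if the minidriver is not installed at all (MinidriverVersion empty) or is 3.7 or later, move on to the other potential causes.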

Resolution Option 1

Upgrade the YubiKey Smart Card Minidriver to version 3.7 or later; those versions correctly read certificates from YubiKeys enrolled using the PIV tools. You can download the latest version here.

Resolution Option 2

Uninstall the YubiKey Smart Card Minidriver and block its installation via Group Policy Objects. Steps on achieving this are covered in the last section of the YubiKey Smart Card Minidriver User Guide.

2. The Certificate Chain Is Not Trusted

If the root certificate or any intermediate certificate in the chain is not trusted by the computer you are logging in to, the end-entity certificate will not be trusted either, and this error is shown.

Testing

  1. Open a Command Prompt window and run “certutil -scinfo”. When prompted, enter your smart card PIN. Near the end of the process, a prompt shows the certificate that was read from the YubiKey. When you see it, click the “More details” option, which opens a new window.

  2. Switch to the “Certificate Path” tab.

  3. Check the “Certificate status” box at the bottom of the window for any reported issues with the certificate chain.

Resolution

Ensure that the root CA certificate and all intermediate CA certificates are installed on every workstation on your network.

3. The Usage Attributes on the Certificate Do Not Allow for Smart Card Logon

If the certificate does not include Smart Card Logon as a usage, Windows will not allow it to be used for logon and the error will be shown.

Testing

  1. Open a Command Prompt window and run “certutil -scinfo”. When prompted, enter your smart card PIN. Near the end of the process, a prompt shows the certificate that was read from the YubiKey. When you see it, click the “More details” option, which opens a new window.

  2. On the General tab, look for “Smart Card Logon” under “This certificate is intended for the following purposes”. If it is not there, this is the cause of the issue.
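The certificate checks for potential causes 2 and 3 (chain trust and the Smart Card Logon purpose) can be done in one place with the .NET X509Chain class rather than by reading the certificate dialog. The following PowerShell is an added example, not part of the Yubico article. It assumes the certificate is either exported to a .cer file or already present in the user's personal store (Cert:\CurrentUser\My), where the Windows Certificate Propagation service copies smart card certificates when the YubiKey is inserted; the Smart Card Logon OID 1.3.6.1.4.1.311.20.2.2 is the well-known Microsoft value.

```powershell
# Added example (not from the Yubico article): evaluates one certificate for
# the two conditions in potential causes 2 and 3.
# Assumption: the certificate is available as a .cer file or has been
# propagated into Cert:\CurrentUser\My by the Certificate Propagation service.
function Test-SmartCardLogonCert {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # Well-known Microsoft OID for the Smart Card Logon enhanced key usage.
    $smartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'

    # Potential cause 2: build the chain against this machine's trust stores.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation checking is skipped so the result reflects trust only;
    # delete this line to also exercise CRL/OCSP reachability.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainTrusted = $chain.Build($Certificate)
    $chainErrors = @($chain.ChainStatus |
        ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    $chainPath = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })

    # Potential cause 3: read the Enhanced Key Usage extension, which is what
    # the "This certificate is intended for the following purposes" list shows.
    $ekuExt = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    $ekuOids = @()
    if ($ekuExt) {
        $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    }
    $hasSmartCardLogon = $ekuOids -contains $smartCardLogonOid

    [pscustomobject]@{
        Subject           = $Certificate.Subject
        Thumbprint        = $Certificate.Thumbprint
        ChainTrusted      = $chainTrusted      # False -> potential cause 2
        ChainErrors       = $chainErrors
        ChainPath         = $chainPath
        HasSmartCardLogon = $hasSmartCardLogon # False -> potential cause 3
        EKUs              = $ekuOids
    }
}

# Usage A: a certificate exported to a file (path is a placeholder).
# $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\yubikey.cer'
# Test-SmartCardLogonCert -Certificate $cert | Format-List

# Usage B: every private-key-backed certificate in the user's personal store,
# which is where a propagated smart card certificate lands.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-SmartCardLogonCert -Certificate $_ | Format-List }
```

ChainTrusted False with an UntrustedRoot or PartialChain entry in ChainErrors points to the resolution for potential cause 2; HasSmartCardLogon False points to the template change in the resolution for potential cause 3. Run it on the computer that shows the error, since chain trust is a property of that machine's certificate stores, not of the YubiKey.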

Resolution

On your issuing certificate authority, update the certificate template to also include “Smart Card Logon” as an Application Policy under the Extensions tab. Then enroll the YubiKey again using the updated template.

