Smart Card Certificate Revoked Error

When renewing smart card certificates through the RapidIdentity Administrators Portal, some enrollments can inadvertently cause issues with the old certificate. If the user experiences logon issues after renewal, the following steps are recommended:

1. On a computer with the problem user's smart card inserted into the reader, run the command: certutil -scinfo
   1a. Enter the card's PIN when the Windows prompt appears (3 different times).
   
   

2. If there's more than 1 certificate on the card, they'll appear under a "Certificate [X]" heading.
   

   

   2a. Review each certificate's contents to determine the one that will need to be removed. In this example, it is Certificate 0.
   
   

3. In order to delete a certificate from the card, the exact Provider and Key Container names must be used. Enter the command:
   certutil -delkey -csp "Provider Name" [container name]

   Example

   

   *Do not include the [brackets] in your final command.

   3a. You will be prompted to enter the card's PIN. Enter it and click OK.
   

   3b. If the command runs successfully, you should receive the following "completed successfully" message:
   

   
   

4. The previous certificate should now be deleted from the card. You can confirm and run certutil -scinfo again and see that the most recent cert has been moved to the zero [0] slot. Not all card models may do this, but it's more common to see it happen than not when using a middleware like Microsoft’s Base Smart Card Crypto Provider, like in this example.