Smart Card Tools and debugging

CertUtil is a tool available on Windows Vista and in the Windows 2003 Server Admin Pack.

Listing Certificates available on the card:

Command to list the certificates available on the smart card: certutil -scinfo

Entering a PIN is not required for this operation. Pressing Escape at each PIN dialog works, because the objective is only to read the public certificates on the card.

Deleting Certificates on the card:

Deleting a certificate on the card actually means deleting the container that corresponds to that certificate, because each certificate is enclosed in a container. The following command deletes a container, identified by its container name:

certutil -delkey -csp "Microsoft Base Smart Card Crypto Provider" "38f813f2-ec3b-4e96-ba19-38b830923be9"

 

Kerberos debugging and trace

The Kerberos Authentication in Windows portal (https://www.microsoft.com/kerberos) is a good place to start. There are two troubleshooting docs:

Smart Card Service (SCardSvr.exe on XP, SVCHost on Vista)

To restart the "SCardSvr" service, run the following commands from a Windows command prompt:

C:\> net stop SCardSvr

C:\> net start SCardSvr

To find out whether the Smart Card service is running (note: the STATE field shows whether the service is running or stopped):

C:\> sc queryex scardsvr

SERVICE_NAME: scardsvr
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1320
        FLAGS              :

C:\>

CAPI2 Diagnostics

CAPI2 Diagnostics is a feature in Microsoft® Windows® Vista and Microsoft® Windows® Server code name "Longhorn" that helps administrators troubleshoot PKI problems. CAPI2 Diagnostics logs events in the Windows Event Log containing detailed information about certificate chain validation, certificate store operations and signature verification. This makes it easier to identify the root cause of problems and reduces the time required for diagnosis.

For more information on CAPI2 Diagnostics, refer to the whitepaper "Trouble Shooting PKI problems on Windows Vista".
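
The following triage script is an added example, not part of the original page or the whitepaper: it checks the Smart Card service, turns on the CAPI2 operational log (which is disabled by default), and lists recent error-level CAPI2 events. It assumes PowerShell 2.0 or later and an elevated prompt; the 30-minute window and the output path are arbitrary choices.

```powershell
# Added example: triage for smart card logon / PKI failures.
# Assumes an elevated PowerShell 2.0+ prompt.
$logName = 'Microsoft-Windows-CAPI2/Operational'

# 1. Confirm the Smart Card service is running before looking at PKI errors.
$svc = Get-Service -Name SCardSvr
if ($svc.Status -ne 'Running') {
    Write-Warning "SCardSvr is $($svc.Status); start it with 'net start SCardSvr'."
}

# 2. The CAPI2 operational log is disabled by default; enable it if needed.
$log = Get-WinEvent -ListLog $logName
if (-not $log.IsEnabled) {
    wevtutil.exe sl $logName /e:true
    Write-Host "Enabled $logName. Reproduce the failure, then run this script again."
    return
}

# 3. Collect error-level events (Level 2) from the last 30 minutes.
#    The time window is an assumption; widen it to match when the failure occurred.
$filter = @{ LogName = $logName; Level = 2; StartTime = (Get-Date).AddMinutes(-30) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Host 'No CAPI2 errors logged in the last 30 minutes.'
    return
}

# 4. CAPI2 events carry their detail as XML under UserData. Print the time,
#    event ID and the operation (the UserData root element name).
foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $operation = $xml.Event.UserData.FirstChild.Name
    '{0:u}  ID {1,-3}  {2}' -f $e.TimeCreated, $e.Id, $operation
}

# 5. Save the full event XML for closer reading (output path is an assumption).
$outFile = Join-Path $env:TEMP 'capi2-errors.xml'
$events | ForEach-Object { $_.ToXml() } | Set-Content -Path $outFile
Write-Host "Full event XML written to $outFile"
```

The CAPI2 log fills quickly on a busy machine, so disable it again with `wevtutil sl Microsoft-Windows-CAPI2/Operational /e:false` once the diagnosis is done.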