Checking Smart Card Health with certutil

Using certutil -scinfo

certutil is a troubleshooting tool developed by Microsoft. It is installed by default on Windows Vista and Windows Server 2008 and later.

Press Windows + R, type cmd, press Enter, then run:

certutil -scinfo

Expected output — healthy card

A healthy, properly configured smart card produces output where:

  • The Card field is not empty — a driver name is shown.
  • The state includes SCARD_STATE_PRESENT.
  • The chain validates: look for "Smart card logon: chain validates".
Expected healthy output — card detected, driver present, chain validates

An empty smart card (no certificate yet) is also a healthy state:

Empty card — healthy, no KeySet yet (expected for a blank card)
Smart card absent
SCARD_STATE_EMPTY — reader detected, no card
Causes
  • An incompatible smart card has been inserted.
  • The reader does not recognise the card.
Resolution
  • Check the physical connection (ensure the card is fully inserted).
  • Try the smart card in a different reader to rule out a faulty reader.
  • Verify the Smart Card service is running (see below).
Minidriver or CSP not installed

When the minidriver or CSP is missing, the ATR is shown but the Card line is empty and the output contains errors such as "Cannot retrieve Provider Name for <null>".

ATR present but Card line empty — driver missing
The CALAIS database shows no entry for the smart card
Resolution
  • Request the correct 64-bit driver from your smart card manufacturer.
  • Use a compatible smart card.
  • Wait for the driver to install automatically via Windows Update, or download it manually from the manufacturer's website.
Smart Card service not running
certutil error when Smart Card service is stopped
Resolution

Open Services (Administrative Tools → Services), locate the Smart Card service, set its Startup type to Automatic and start it.

Check that the smart card can be used for logon
Key Usage

The Key Usage extension must contain at least one of: Key Encipherment, Data Encipherment, or Digital Signature.

Valid Key Usage
Invalid — no suitable Key Usage value
Extended Key Usage

The Extended Key Usage extension must be absent, or contain at least one of: Smart Card Logon (OID 1.3.6.1.4.1.311.20.2.2) or Client Authentication (OID 1.3.6.1.5.5.7.3.2).

Valid EKU — Smart Card Logon present
Invalid — EKU present but Smart Card Logon absent
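
The Key Usage and Extended Key Usage rules above can be checked in bulk with PowerShell. This is an added example, not part of the original page or of any Microsoft tooling. The function name Test-LogonCertUsage is hypothetical, the script assumes the card's certificates are visible in the current user's Personal store (Cert:\CurrentUser\My), and it treats a missing Key Usage extension as failing, which is this example's strict reading of the rule.

```powershell
# Added example (not from the original page): apply the Key Usage and EKU
# rules described above to every certificate in Cert:\CurrentUser\My.
using namespace System.Security.Cryptography.X509Certificates

$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon
$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'        # Client Authentication
$AcceptedKu = [X509KeyUsageFlags]::KeyEncipherment -bor
              [X509KeyUsageFlags]::DataEncipherment -bor
              [X509KeyUsageFlags]::DigitalSignature

# Hypothetical helper: returns one result object per certificate.
function Test-LogonCertUsage {
    param([Parameter(Mandatory)][X509Certificate2]$Cert)

    $ku  = $Cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    $eku = $Cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }

    # Key Usage: at least one accepted bit must be set.
    # Assumption: an absent Key Usage extension is reported as failing.
    $kuOk = $false
    if ($ku) { $kuOk = ([int]$ku.KeyUsages -band [int]$AcceptedKu) -ne 0 }

    # EKU: an absent extension passes; a present one must list one of the two OIDs.
    $oids = @()
    if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $ekuOk = (-not $eku) -or
             ($oids -contains $SmartCardLogonOid) -or
             ($oids -contains $ClientAuthOid)

    [pscustomobject]@{
        Subject     = $Cert.Subject
        Thumbprint  = $Cert.Thumbprint
        KeyUsage    = if ($ku)  { $ku.KeyUsages }   else { '(absent)' }
        KeyUsageOk  = $kuOk
        Eku         = if ($eku) { $oids -join ', ' } else { '(absent)' }
        EkuOk       = $ekuOk
        UsagePasses = $kuOk -and $ekuOk
    }
}

Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-LogonCertUsage -Cert $_ } |
    Format-List
```

A certificate with UsagePasses set to True has only passed these two extension checks; chain validation still needs to be confirmed with certutil -scinfo.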