This article explains troubleshooting steps that can be taken when Smart Card Validation is failing with the following error message:
Certificate Validation failed. Try again by quitting the browser then selecting another certificate.
Steps to reproduce the issue:
- Access the Okta login page and select Sign in with PIV/CAC Card.
- Select the certificate from the list and enter the PIN to unlock it. Clicking the certificate shows the certificate status in the second part of the screen prompt.
- Then, check the validity of the certificate.
- Everything seems to be okay, but when trying to log in, the following error is received: "Certificate Validation failed. Try again by quitting the browser then selecting another certificate."
Applies to:
- Okta Classic Engine
- PIV / CAC Card
- Smart Card Validation
To resolve this issue:
- Rekey or reissue the certificate:
  - Rekeying a certificate generates a new key and certificate with the same name and expiration date as a previously purchased certificate. Rekeys are free and can be used if a key has been lost or compromised. HOSTNAME is the name of an active certificate on the account that is required to be reissued.
- Install the correct and complete chain:
  - If using a 3rd party CA, please contact them and provide the correct chain. Make sure it is updated. Sometimes they revoke the chain and provide a new chain that invalidates the end user login.
  - Validate that the Serial Number and Expiration date are still valid.
  - Ensure that the correct chain is uploaded to Okta under Security > Identity Providers > Select the name of the IdP > Actions and click Edit > Configure.... > Under Certificate chain, click Edit > Browse and select the new chain.
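
One way to run the serial, expiration and chain checks from the steps above with the `openssl` CLI before uploading a chain. This is an added example, not part of the original article or Okta's tooling; the function names, file names and the test PKI are hypothetical and constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example. Every certificate below is constructed throwaway test data.

# check_chain CERT BUNDLE: print the certificate's serial and expiry, then
# return 0 only if it is unexpired and BUNDLE builds a complete path from it
# to a self-signed root.
check_chain() {
  openssl x509 -in "$1" -noout -serial -enddate || return 2
  # -checkend 0 exits non-zero when the certificate has already expired
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null || return 1
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
}

# make_test_pki DIR: build root -> intermediate -> user certificates in DIR.
make_test_pki() {
  d=$1
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' \
    'prompt=no' '[dn]' 'CN=Constructed Root' \
    '[ca]' 'basicConstraints=critical,CA:TRUE' > "$d/ca.cnf"
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -new -config "$d/ca.cnf" -subj '/CN=Constructed Intermediate' \
    -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 1001 -days 2 -extfile "$d/ca.cnf" -extensions ca \
    -out "$d/int.pem" 2>/dev/null
  openssl req -new -config "$d/ca.cnf" -subj '/CN=Constructed PIV User' \
    -newkey rsa:2048 -nodes -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null
  openssl x509 -req -in "$d/user.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -set_serial 1002 -days 2 -out "$d/user.pem" 2>/dev/null
  cat "$d/int.pem" "$d/root.pem" > "$d/full_chain.pem"  # complete bundle
  cp "$d/root.pem" "$d/root_only.pem"                   # intermediate missing
}

# Demo: the same unexpired user certificate passes against the complete
# bundle and fails against the bundle that lacks the intermediate.
demo_dir=$(mktemp -d) && make_test_pki "$demo_dir"
check_chain "$demo_dir/user.pem" "$demo_dir/full_chain.pem" \
  && echo "full chain: validation OK"
check_chain "$demo_dir/user.pem" "$demo_dir/root_only.pem" \
  || echo "root only: validation fails"
rm -rf "$demo_dir"
```

With real files, pass the user's exported certificate and the chain bundle intended for upload as the two arguments to `check_chain`.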
