Certificate Login Errors

Certificate Login Errors

For sites that support or require PKI authentication, users sometimes encounter errors with related to presenting certificates. The DoD Cyber Exchange site has good information on getting started with PKI/PKE.

Configuring Browsers

Instructions for configuring your browser to use PKI.

Trusted Sites

Some Windows users are able to resolve certificates and/or TLS connection isues by adding the site to the Trusted Sites list in the browser.

Make sure your CAC is inserted

It can and does happen! If you are attempting to connect with a CAC, please make sure that it is inserted and readable by your operating system.

Bad Password/Locked CAC

If you mistype the PIN or password on a soft certificate, the certificate does not get sent over and you will not be able to login.

DoD issued Common Access Cards (CACs) are designed to lock after three incorrect PIN entries. In some operating system/browser combinations it is not clear that the CAC is locked when being presented in the browser. To check if a CAC is locked, try unlocking the CAC via the local certificate middleware (e.g. ActiveClient on Windows or Keychain.app on Mac OS).

Missing Certificate

  • Usually appears as: "No Client Certificate was found in your browser"

If you are presented with an error message in your browser that states "no client certificate found", or if the certificate selection dialog does not display the desired certificate, the most likey issue is a misconfiguration of the Operating System or Browser. Please see the sections below for possible solutions:

  • Configuring Browsers
  • Supported Certificate
  • Locked CAC
  • Cross Certificate Issue *Try this one if the browser appears to be configured correctly

Wrong Certificate

If you experiencing issues with a mismatched certificate when attempting to login to CONS3RT, you may have to empty your browser cache. On Mac OSX, hold down command-shift-r and then restart your browser. If the issue persists, please email the support team at support@cons3rt.com.

Supported Certificates

Only supported certificate issuers are authorized by for use in DoD sites. These include DoD CAC, DoD External Certificate Authority (ECA) and DoD Interoperability Providers. In HmC, MITRE credentials are also supported. If the credential is not in the approved list, it will not appear as an option.

Cross Certificate Issue

Occasionally, certificate configurations on Windows systems can become unusable, typically (but not always) when a user is issued new credentials from a different Certificate Authority (CA). This is a known issue that looks like the browser is presenting a certificate to the website, but really is not. This issue can be fixed by running the Cross Certificate Removal Tool.