Smart card PIN prompt does not display

If no PIN prompt is shown when a smart card is inserted, and you have verified that smart card support is enabled through the Centrify Smart Card Assistant, and the smart card certificates appear in Keychain Access and are all fully trusted, perform the procedure described in this section.

Starting with release 10.7, Mac OS X no longer ships with the configuration file (/Library/Preferences/com.apple.security.revocation.plist) that holds the system-wide certificate revocation settings. The behavior of the login window when a smart card is inserted depends on this file: when the file is missing, no PIN prompt is shown.

Note:   The Smart Card Assistant shows all settings as “Off” when this file is missing, which might not reflect the actual state of the configuration.

  1. Execute the following command in a terminal window to check whether the configuration file is present:

    sudo defaults read /Library/Preferences/com.apple.security.revocation

    If the configuration file is not present, a message similar to the following is shown:

    Domain com.apple.security.revocation.plist does not exist
  2. Generate the configuration file by manually applying a change in the Smart Card Assistant, or by executing the following command in a terminal window (this sets OCSP checking to Off, CRL checking to Best Attempt, and CRL as the revocation method, which is the configuration shown in Step 3):

    sudo sctool -r -t ocsp:none -t crl:best -p crl
  3. Rerun the command from Step 1 to verify that the file was generated. You should now see results similar to the following:

    {
     CRLStyle = BestAttempt;
     CRLSufficientPerCert = 1;
     OCSPStyle = None;
     OCSPSufficientPerCert = 1;
     Revocation = CRL;
    }

  4. If the PIN prompt still does not appear when you insert a smart card, in the Smart Card Assistant set Certificate Revocation List (CRL) checking to Off and test again.

    If the PIN prompt appears when CRL checking is Off, but not when it is set to Best Attempt, the CRL in the environment has expired and the login window rejects the certificate.

    Update to a valid CRL, then set CRL checking back to Best Attempt and test again.

    Note:   CRL behavior on the Mac differs from Windows, where the smart card is still accepted even if the CRL has expired.

  5. In the Smart Card Assistant, it is recommended that you keep the Online Certificate Status Protocol (OCSP) setting at Off. Settings other than Off can again cause the PIN prompt not to be shown.

  6. If you performed this procedure as part of the overall smart card diagnostic procedure, return to Diagnosing smart card log in problems and continue from there.
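The checks in Steps 1 through 5 can be scripted. The following is an added example, not Centrify's code or part of this guide: it reads the revocation domain with defaults, treats a "does not exist" message as the missing-file case from Step 2, and flags the OCSP and CRL states that Steps 4 and 5 describe. The sample outputs, the helper names (plist_value, classify_revocation, read_revocation) and the assumption that CRL checking set to Off appears as CRLStyle = None are constructed for illustration; on a non-Mac host the script falls back to the embedded sample so it can still be run.

```shell
#!/bin/sh
# Added example (not Centrify's code): check the system-wide certificate
# revocation settings that the Mac login window depends on and classify
# them against the troubleshooting procedure. The sample outputs and the
# helper names below are constructed for illustration.

DOMAIN=/Library/Preferences/com.apple.security.revocation

# Constructed sample of `defaults read` output after Step 2
# (the recommended state: CRL Best Attempt, OCSP Off).
SAMPLE_OK='{
    CRLStyle = BestAttempt;
    CRLSufficientPerCert = 1;
    OCSPStyle = None;
    OCSPSufficientPerCert = 1;
    Revocation = CRL;
}'

# Constructed sample with OCSP turned on, a state that can suppress the PIN prompt.
SAMPLE_OCSP_ON='{
    CRLStyle = BestAttempt;
    CRLSufficientPerCert = 1;
    OCSPStyle = BestAttempt;
    OCSPSufficientPerCert = 1;
    Revocation = OCSP;
}'

# Constructed sample of the message printed when the file is absent.
SAMPLE_MISSING='Domain com.apple.security.revocation.plist does not exist'

# Print the value of one key from `defaults read` style output
# (empty if the key is absent).  Usage: plist_value "<output>" KeyName
plist_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2 = \([^;]*\);.*/\1/p" | head -n 1
}

# Classify a revocation configuration; prints one word:
#   missing  - file absent, so no PIN prompt is shown (Step 2 applies)
#   ocsp-on  - OCSP checking is not Off (Step 5: set it to Off)
#   ok       - CRL Best Attempt with OCSP Off (the recommended state)
#   crl-off  - CRL checking Off (the diagnostic state from Step 4;
#              assumes Off is stored as CRLStyle = None)
#   other    - anything else
classify_revocation() {
    case "$1" in
        *"does not exist"*) echo missing; return ;;
    esac
    rev_crl=$(plist_value "$1" CRLStyle)
    rev_ocsp=$(plist_value "$1" OCSPStyle)
    if [ -n "$rev_ocsp" ] && [ "$rev_ocsp" != "None" ]; then
        echo ocsp-on
    elif [ "$rev_crl" = "BestAttempt" ]; then
        echo ok
    elif [ "$rev_crl" = "None" ]; then
        echo crl-off
    else
        echo other
    fi
}

# Read the live settings on a Mac (same command as Step 1); elsewhere fall
# back to the constructed sample so the script can still be run.
read_revocation() {
    if command -v defaults >/dev/null 2>&1; then
        sudo defaults read "$DOMAIN" 2>&1
    else
        printf '%s\n' "$SAMPLE_OK"
    fi
}

main() {
    out=$(read_revocation)
    case "$(classify_revocation "$out")" in
        missing) echo "Revocation file missing; run: sudo sctool -r -t ocsp:none -t crl:best -p crl"; return 1 ;;
        ocsp-on) echo "OCSP checking is $(plist_value "$out" OCSPStyle); set it to Off in Smart Card Assistant"; return 1 ;;
        crl-off) echo "CRL checking is Off; update the CRL and set it back to Best Attempt"; return 1 ;;
        ok)      echo "Revocation settings OK: CRL BestAttempt, OCSP None" ;;
        *)       echo "Unexpected revocation settings:"; printf '%s\n' "$out"; return 1 ;;
    esac
}

main
```

Run it with sh after inserting the smart card; a non-zero exit means one of the states from Steps 2, 4 or 5 was found and the printed line names the corrective action from the procedure.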