This article provides a solution to an error that occurs when you insert a smart card in a reader.
Original product version: Windows 7 Service Pack 1, Windows Server 2012 R2
Original KB number: 976832
Symptoms
When you insert a smart card into a smart card reader, Windows tries to download and install the smart card minidriver for the card through Plug and Play services. If the driver for the smart card is not available at any of the preconfigured locations, such as Windows Update, WSUS, or intranet paths, and a custom cryptographic service provider (CSP) is not already registered on the system for that card, you receive the following error message in the notification area:
Device driver software was not successfully installed
Click here for details.
This error message disappears after several seconds.
Additionally, in Device Manager, under Other devices, the Smart Card device has a status of DNF (Driver not found).
This frequently requires the user to obtain one of the following items from the smart card issuer to resolve this error:
- A Windows logoed smart card minidriver.
- A custom cryptographic service provider (CSP) for the smart card.
- A Windows non-logoed smart card minidriver.
- Other middleware such as an ActiveX control, PKCS#11 software, or other custom software.
If the user is provided with only item 3 or 4 from this list (a non-logoed minidriver or other middleware), the smart card continues to work on the system, but the user receives the error message that is mentioned in this section every time that they insert the smart card.
This issue affects all releases of Windows 7 and Windows Server 2008 R2, and later versions of both operating systems.
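The symptom can be confirmed from the command line rather than by watching the notification balloon. The following PowerShell is an added example and is not part of the original article: it lists smart card devices (which Windows enumerates under the SCFILTER bus with hardware IDs of the form SCFILTER\CID_...) whose Plug and Play status is "drivers for this device are not installed", ConfigManagerErrorCode 28, the state Device Manager shows as DNF. The SCFILTER prefix and the error code value are stated here from Windows behaviour, not from the article text. Win32_PnPEntity is available on Windows 7, so Get-WmiObject is used instead of the newer Get-PnpDevice cmdlet.

```powershell
# Added example (not from KB 976832): find smart card devices whose driver was not found.
# ConfigManagerErrorCode 28 = "The drivers for this device are not installed" (DNF in Device Manager).
function Get-SmartCardDriverNotFound {
    foreach ($dev in Get-WmiObject -Class Win32_PnPEntity) {
        # Smart cards are enumerated by the SCFILTER bus; HardwareID is an array, so use -like on the array.
        $isSmartCard = @($dev.HardwareID) -like 'SCFILTER\CID_*'
        if ($isSmartCard -and $dev.ConfigManagerErrorCode -eq 28) {
            [pscustomobject]@{
                Name       = $dev.Name
                DeviceID   = $dev.DeviceID
                # This is the ID a NULL driver INF (see Resolution) must match to bind the device.
                HardwareID = (@($dev.HardwareID) -join ';')
                Status     = 'Driver not found (ConfigManagerErrorCode 28)'
            }
        }
    }
}

$dnf = @(Get-SmartCardDriverNotFound)
if ($dnf.Count -eq 0) {
    'No smart card device is currently in the driver-not-found state.'
} else {
    $dnf | Format-Table -AutoSize
}
```

Run it with the card inserted; an empty result after inserting the card means either an inbox or downloaded minidriver bound the device, or a Calais entry with a Crypto Provider value already suppressed Smart Card Plug and Play for that ATR.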
Cause
All smart cards require additional software to work in Windows unless there is an inbox driver that lets the user use the card without installing additional software. The Windows Smart Card Framework was improved in Windows 7 to enable the automatic downloading of smart card minidrivers from Windows Update or from other similar locations such as a WSUS server when the smart card is inserted into the reader. All smart cards that successfully pass the logo requirements, as published by the Windows Logo Program, benefit from this feature.
However, if the software that is required to use a smart card in Windows is not logoed or is of a type that differs from a minidriver, such as a PKCS#11 driver, a custom CSP, middleware, or an ActiveX control, the automatic download option fails because Microsoft certifies only smart card minidrivers. Therefore, if the user inserts a card for which a custom CSP is not already registered, the user receives an error message that states that the driver software is missing for the smart card device even though the user can use the smart card through additional software that was installed on the user's computer from a custom installation.
Resolution
Although the smart cards continue to work despite the error message that the user sees, a smart card issuer, vendor, or manufacturer can use one of the following methods to resolve this error.
Implement a smart card minidriver
We recommend that card issuers, vendors, and manufacturers implement smart card minidrivers and participate in the Windows Logo Program to benefit from the improvements that are introduced in the platform such as Smart Card Plug and Play, Device Stage for Smart Cards, and so on.
Implement a NULL driver for your smart card
If custom software such as a PKCS#11 driver, an ActiveX control, or some other middleware is required to enable the use of a smart card on Windows, and implementing a smart card minidriver or a custom CSP is not a practical option, we recommend that card issuers, vendors, or manufacturers consider submitting NULL drivers to Windows Update. The typical process for making sure that a NULL driver is available on Windows Update requires a successful unclassified device submission through Winqual. If a minidriver becomes available for these cards in the future, the new driver can be uploaded to Windows Update by participating in the Windows Logo Program. The NULL drivers can then be manually downloaded by end users or can be made available by using optional updates.
A NULL driver is an INF-only driver package: its install section copies no files and its service section adds no service, so Plug and Play binds the device node and stops searching for a driver, which removes the error message without changing how the card is used.
To generate the hardware device ID that is referenced by the DEVICE_ID string in such a template, follow the instructions in the smart card minidriver specification.
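The original article's sample template is not reproduced on this page. As an added example (the editor's, not the article's), the following PowerShell writes a NULL-driver INF for a smart card. Assumptions that are not from the article: the Fabrikam provider and device names, the catalog file name, the DriverVer date, and the SCFILTER\CID_ prefix that Windows uses for smart card hardware IDs. The <DEVICE_ID> token is left as a placeholder that must be generated per the minidriver specification; the Smart Card setup class GUID and the `AddService = ,2` idiom for a NULL driver are standard INF facts.

```powershell
# Added example (not the KB article's own template): generate a NULL-driver INF for a smart card.
# AddService = ,2 (empty service name, SPSVCINST_ASSOCSERVICE) is the INF idiom for a NULL driver.
function New-NullSmartCardInf {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Placeholder: derive the real ID from the ATR per the smart card minidriver specification.
        [string]$HardwareId     = 'SCFILTER\CID_<DEVICE_ID>',
        [string]$ProviderName   = 'Fabrikam',
        [string]$CardDeviceName = 'Fabrikam Smart Card',
        [string]$CatalogFile    = 'fabrikamnull.cat'   # must match the .cat produced at signing time
    )
    # Expandable here-string: $Windows NT$ is escaped so PowerShell does not expand it.
    $inf = @"
; NULL driver for $CardDeviceName (added example, not from KB 976832)
[Version]
Signature   = "`$Windows NT`$"
Class       = SmartCard
ClassGuid   = {990A2BD7-E738-46c7-B26F-1CF8FB9F1391}
Provider    = %ProviderName%
CatalogFile = $CatalogFile
DriverVer   = 01/01/2010,1.0.0.0

[Manufacturer]
%ProviderName% = Models,NTx86,NTamd64

[Models.NTx86]
%CardDeviceName% = NullDriver_Install,$HardwareId

[Models.NTamd64]
%CardDeviceName% = NullDriver_Install,$HardwareId

[NullDriver_Install.NT]
; intentionally empty: no files are copied, the device node is simply bound

[NullDriver_Install.NT.Services]
AddService = ,2    ; empty service name + SPSVCINST_ASSOCSERVICE = NULL driver

[Strings]
ProviderName   = "$ProviderName"
CardDeviceName = "$CardDeviceName"
"@
    Set-Content -Path $Path -Value $inf -Encoding Unicode
    Get-Item -Path $Path
}

New-NullSmartCardInf -Path (Join-Path $env:TEMP 'fabrikamnull.inf') | Format-List FullName, Length
```

The generated INF still has to be packaged with a catalog and signed before it can be submitted or installed; the hardware ID in the Models sections must match the ID that Device Manager reports for the card.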
For detailed information about how to submit a NULL driver to Microsoft, please contact Microsoft Customer Support Services.
Disable Smart Card Plug and Play through Group Policy for managed computers
This option is recommended only for enterprise deployments where the computers are managed by administrators and all the necessary software to work with the smart cards that are being used in the enterprise is installed by using software management tools such as SMS.
This procedure is discouraged in the following environments because it affects all the smart cards in your environment:
- Commercial deployments that target end users, such as online banking.
- Environments that include both Plug and Play smart cards and non-Plug and Play smart cards, because disabling Plug and Play for smart cards through Group Policy turns it off for both kinds.
Smart Card Plug and Play can be disabled in enterprises where the end user's computer is managed by mechanisms such as Group Policy.
If your deployment uses only non-Plug and Play smart card solutions, Smart Card Plug and Play can be disabled by a local administrator on a client computer. Disabling Smart Card Plug and Play prevents smart card drivers, also known as smart card minidrivers, from downloading. It also prevents Smart Card Plug and Play prompts.
To disable Smart Card Plug and Play in local Group Policy, follow these steps:
Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.
In the console tree under Computer Configuration, click Administrative Templates.
In the details pane, double-click Windows Components, and then double-click Smart Card.
Right-click Turn on Smart Card Plug and Play service, and then click Edit.
Click Disabled, and then click OK.
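The same setting can be audited and applied from PowerShell on a managed client. The following is an added example, not part of the original article. It assumes, from the Smart Card ADMX template rather than from this article, that the "Turn on Smart Card Plug and Play service" policy is stored at HKLM\SOFTWARE\Policies\Microsoft\Windows\ScPnP in the DWORD value EnableScPnP (0 = disabled, 1 = enabled, absent = not configured). Writing that value is equivalent to the local Group Policy edit above; on a domain-joined machine a domain GPO that configures the setting will overwrite it at the next policy refresh.

```powershell
# Added example (not from KB 976832): audit and disable Smart Card Plug and Play via its policy value.
# Registry backing for "Turn on Smart Card Plug and Play service" (from the Smart Card ADMX, assumed here):
$ScPnPKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScPnP'

function Get-SmartCardPnPPolicy {
    if (-not (Test-Path -Path $ScPnPKey)) { return 'Not Configured' }
    $v = (Get-ItemProperty -Path $ScPnPKey).EnableScPnP
    if ($null -eq $v) { return 'Not Configured' }
    switch ([int]$v) {
        0       { 'Disabled' }
        1       { 'Enabled' }
        default { "Unexpected value $v" }
    }
}

function Disable-SmartCardPnP {
    # HKLM\SOFTWARE\Policies is writable only from an elevated prompt.
    if (-not (Test-Path -Path $ScPnPKey)) { New-Item -Path $ScPnPKey -Force | Out-Null }
    Set-ItemProperty -Path $ScPnPKey -Name EnableScPnP -Value 0 -Type DWord
    Get-SmartCardPnPPolicy
}

"Before: $(Get-SmartCardPnPPolicy)"
# This disables minidriver download and the Plug and Play prompts for EVERY card on the machine,
# which is why the article restricts it to managed enterprise deployments.
Disable-SmartCardPnP | ForEach-Object { "After:  $_" }
```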
Change the end user's system and disable Smart Card Plug and Play for specific cards
This is the least-recommended option. You should use this option only if the cards are legacy cards and there are no plans to implement smart card minidrivers in future. This option requires that the existing software that is already installed on the system notify Windows that there is a custom CSP installed on the system even though no such CSP exists on the end-user system. As soon as Windows determines that there is a custom CSP already installed on the system, Windows does not try to download and install a driver through Smart Card Plug and Play. No device node for the smart card device is created that is visible in Device Manager. This option results in the following changes to the system registry:
Subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\<Smart card name>
Subkey registry entries:
ATR=Binary value (REG_BINARY): the ATR of the smart card, shown here as comma-delimited hexadecimal bytes.
ATRMask=Binary value (REG_BINARY): mask to apply to the ATR to mask out insignificant bytes in the ATR; it must have the same length as ATR.
Crypto Provider=String value (REG_SZ): some string relevant to your smart card. It does not have to name an installed CSP; its presence is what stops Smart Card Plug and Play for cards that match the ATR.
For example:
Subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Fabrikam ATM card
Subkey registry entries:
- ATR=Binary value: 3b,dc,13,00,40,3a,49,54,47,5f,4d,53,43,53,50,5f,56,32
- ATRMask=Binary value: ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
- Crypto Provider=String value: Fabrikam ATM Dummy Provider
On x64 systems, identical changes must be made under the following subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards
We recommend that, instead of directly changing the system registry, you use the WinSCard APIs (SCardIntroduceCardType to register the card name with its ATR and ATRMask, and SCardSetCardTypeProviderName to set the Crypto Provider value) to introduce these changes to the system. The original article's sample code detects smart card insertion and then disables Smart Card Plug and Play for that particular card by creating a registry entry that associates the card with a non-existent provider.
Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure. However, they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.
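The article's own sample is not reproduced on this page. As an added example written by the editor, the following PowerShell performs the registration through the WinSCard API as the article recommends. It does not wait for card insertion; it registers the card type directly using the Fabrikam ATR and mask from the example above and a provider string that matches no installed CSP, then reads back both registry views that the article says must be populated on x64. Assumptions not stated in the article: the P/Invoke declarations, SCARD_SCOPE_SYSTEM = 2, SCARD_PROVIDER_CSP = 2, and the return code 0 (SCARD_S_SUCCESS). Run it from an elevated prompt, because the Calais key is under HKLM.

```powershell
# Added example (not KB 976832's sample): suppress Smart Card PnP for one card via WinSCard.
Add-Type -Namespace WinSCard -Name Native -MemberDefinition @'
[DllImport("winscard.dll")]
public static extern int SCardEstablishContext(uint dwScope, IntPtr pvReserved1, IntPtr pvReserved2, out IntPtr phContext);
[DllImport("winscard.dll")]
public static extern int SCardReleaseContext(IntPtr hContext);
[DllImport("winscard.dll", CharSet = CharSet.Unicode)]
public static extern int SCardIntroduceCardType(IntPtr hContext, string szCardName,
    IntPtr pguidPrimaryProvider, IntPtr rgguidInterfaces, uint dwInterfaceCount,
    byte[] pbAtr, byte[] pbAtrMask, uint cbAtrLen);
[DllImport("winscard.dll", CharSet = CharSet.Unicode)]
public static extern int SCardSetCardTypeProviderName(IntPtr hContext, string szCardName,
    uint dwProviderId, string szProvider);
'@

$SCARD_SCOPE_SYSTEM = 2   # assumed constant values, see lead-in
$SCARD_PROVIDER_CSP = 2

function Register-DummyCardProvider {
    param(
        [Parameter(Mandatory)][string]$CardName,
        [Parameter(Mandatory)][byte[]]$Atr,
        [Parameter(Mandatory)][byte[]]$AtrMask,
        [Parameter(Mandatory)][string]$ProviderName
    )
    if ($Atr.Length -ne $AtrMask.Length) { throw 'ATR and ATRMask must have the same length' }
    $ctx = [IntPtr]::Zero
    $rc = [WinSCard.Native]::SCardEstablishContext($SCARD_SCOPE_SYSTEM, [IntPtr]::Zero, [IntPtr]::Zero, [ref]$ctx)
    if ($rc -ne 0) { throw ('SCardEstablishContext failed: 0x{0:X8}' -f $rc) }
    try {
        # Creates Calais\SmartCards\<CardName> with the ATR and ATRMask values.
        $rc = [WinSCard.Native]::SCardIntroduceCardType($ctx, $CardName, [IntPtr]::Zero, [IntPtr]::Zero, 0, $Atr, $AtrMask, [uint32]$Atr.Length)
        if ($rc -ne 0) { throw ('SCardIntroduceCardType failed: 0x{0:X8}' -f $rc) }
        # Sets the "Crypto Provider" string; the name deliberately matches no installed CSP.
        $rc = [WinSCard.Native]::SCardSetCardTypeProviderName($ctx, $CardName, $SCARD_PROVIDER_CSP, $ProviderName)
        if ($rc -ne 0) { throw ('SCardSetCardTypeProviderName failed: 0x{0:X8}' -f $rc) }
    } finally {
        [void][WinSCard.Native]::SCardReleaseContext($ctx)
    }
}

function Test-CalaisCardEntry {
    # Post-check: the article requires the entry in both views on x64, so report each one.
    param([Parameter(Mandatory)][string]$CardName)
    foreach ($base in 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards',
                      'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards') {
        $key   = Join-Path -Path $base -ChildPath $CardName
        $props = if (Test-Path -Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            View     = if ($base -like '*Wow6432Node*') { 'Wow6432Node' } else { 'native' }
            Present  = [bool]$props
            ATR      = if ($props) { ($props.ATR | ForEach-Object { $_.ToString('x2') }) -join ',' } else { '' }
            Provider = if ($props) { $props.'Crypto Provider' } else { '' }
        }
    }
}

# Values from the article's Fabrikam example: 18-byte ATR, mask keeps every byte significant.
$atr  = [byte[]](0x3b,0xdc,0x13,0x00,0x40,0x3a,0x49,0x54,0x47,0x5f,0x4d,0x53,0x43,0x53,0x50,0x5f,0x56,0x32)
$mask = [byte[]](@(0xff) * $atr.Length)
Register-DummyCardProvider -CardName 'Fabrikam ATM card' -Atr $atr -AtrMask $mask -ProviderName 'Fabrikam ATM Dummy Provider'
Test-CalaisCardEntry -CardName 'Fabrikam ATM card' | Format-Table -AutoSize
```

If the post-check shows the entry in only one view on an x64 machine, the other view still has to be populated as the article states; the check is there precisely so that omission is visible rather than discovered later when a 32-bit process handles the card.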
References
For more information about troubleshooting smart card Plug and Play issues, see Smart Card Troubleshooting Guide.
Signing Windows Programs with SignTool
Microsoft is changing the process for signing your kernel-mode driver packages
Starting in 2021, Microsoft will be the sole provider of production kernel-mode code signatures. You will need to follow Microsoft's updated instructions to sign any new kernel-mode driver packages going forward. To learn more, see the knowledge base article Microsoft sunsetting support for cross-signed root certificates with kernel-mode signing capabilities.
Prepare Your Standard Code Signing Certificate
If you purchased a Microsoft Authenticode code signing certificate and also want to use it to sign Windows drivers, there is good news and bad news. The bad news: your current code signing certificate will not work for that. The good news: you can reissue your Authenticode code signing certificate as a Driver Signing code signing certificate.
Reissue Your Code Signing Certificate
In your CertCentral account, in the left main menu, click Certificate > Orders.
On the Orders page, click the order number link for the Code Signing certificate you want to reissue.
On the Order details page, in the Certificate Actions dropdown, select Reissue Certificate. (In the older Manage Your Code Signing – Order # page layout, under Reissue Actions, click the Re-Key Your Certificate link instead.)
Add Your CSR
Upload or paste your CSR in the Add Your CSR box.
The Sun Java Platform is the only platform that requires you to submit a CSR with your request; for all other platforms, submitting a CSR is optional.
Signature Hash
In the dropdown, select a signature hash for the certificate: SHA-256 or SHA-1. SHA-1 is offered only for legacy compatibility; choose SHA-256 for any new certificate.
Server Platform
Select Microsoft Kernel-Mode Code.
Reason for Reissue
Specify the reason for the certificate reissue.
Click Request Reissue.
If an approval for CS certificate reissue is required, the CS verified contact for the organization is sent an email informing them that they need to approve the certificate reissue request. Once we receive their approval, we'll reissue your Code Signing certificate.
We will send a copy of the reissued CS certificate via email.
The subject line of the email is Reissue Your DigiCert Code Signing Certificate (Order #). The email contains a link that lets you reissue and install your Code Signing Certificate.
You can also download a copy of the reissued certificate from your CertCentral account on the CS certificate's Order details page.
Install Your Kernel-Mode Code Signing Certificate
After you purchase a standard code signing certificate, DigiCert validates your information and sends you an email that contains a link to install your kernel-mode certificate.
On the computer you want to install the certificate to, open the installation link from your DigiCert email (subject line: Reissue Your DigiCert Code Signing Certificate (Order #)) in Internet Explorer or Safari*.
When you open the link, the certificate is installed to the current user's personal certificate store for Windows and can be used by the WDK tools for signing drivers.
Browser Note*: Currently, only Microsoft Internet Explorer and Apple Safari support CSR generation needed for code signing certificate installation. If company policy requires the use of Firefox, you can use Firefox ESR or a portable copy of Firefox. For more information, see our knowledge base article Keygen support to be dropped with Firefox 69.
Next, download the DigiCert Code Signing Cross-Certificate.
Download the Code Signing Cross-Certificate
Before you can use Signtool to sign applications, you need to download the DigiCert Code Signing Cross-Certificate on the computer where you installed your Code Signing Certificate. You will need to specify this certificate in Signtool.
Prepare to Sign Code by Installing the Windows SDK
In order to use SignTool.exe to sign your application, you need to install either Microsoft Visual Studio 2005 (or later) or, on the machine where you will be signing code, a version of the Microsoft Windows SDK that includes SignTool.
If you have the Windows SDK 6.0 or lower on Windows Vista, you can use the SignTool Digital Signature Wizard GUI interface. All new versions of the Windows SDK (7 and newer) require you to use the command line instructions below.
Internet Explorer for Windows
When you use Internet Explorer on a Windows machine to install your code signing certificate, the certificate will be accessible in the Windows Certificate Store.
If you have multiple Code Signing Certificates in your Windows Certificate Store, the commands in these instructions sign your application with "the best" one (the /a switch lets SignTool choose automatically), which may not be the correct one. You can use the signtool command in the Additional Information section to sign your program with a specific certificate, or use some of the other options in the SignTool documentation.
If you only have one Code Signing Certificate on your machine, do one of the following options:
Option 1: How to Sign Code with a SHA256 Certificate/Digest Algorithm/Timestamp
When using SHA2 for signing, make sure to use the latest version of signtool (6.3 or later) to avoid errors.
In the Windows command prompt, enter the command below.
signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a "c:\path\to\file.exe"
If the process was successful, you will see the following response, indicating that the program has been signed and timestamped:
C:\Code>signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a Setup.exe
Done Adding Additional Store
Successfully signed and timestamped: Setup.exe
Option 2: How to Sign Code with a SHA1 Certificate/Digest Algorithm/Timestamp
In the Windows command prompt, enter the command below. A SHA-1 file digest is retained here only for legacy targets that cannot validate SHA-256 signatures; prefer Option 1 otherwise.
signtool sign /t http://timestamp.digicert.com /a "c:\path\to\file.exe"
If the process was successful, you will see the following response, indicating that the program has been signed and timestamped:
C:\Code>signtool sign /t http://timestamp.digicert.com /a Setup.exe
Done Adding Additional Store
Successfully signed and timestamped: Setup.exe
Firefox (or Another Browser) or Operating System
If you installed your Code Signing Certificate in Firefox (or another browser) or another operating system such as Mac OS X, do the following:
Export the certificate as a PKCS#12 (.pfx or .p12) file.
Once you have the code signing certificate saved as a PKCS#12 on your machine, do one of the following options from a Windows operating system:
Option 1: How to Sign Code with a SHA256 Certificate/Digest Algorithm/Timestamp
When using SHA2 for signing, make sure to use the latest version of signtool (6.3 or later) to avoid errors.
Enter the following command:
signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /f "c:\path\to\mycert.pfx" /p pfxpassword "c:\path\to\file.exe"
If the process was successful, you will see the following response, indicating that the program has been signed and timestamped:
C:\Code>signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /f mycert.pfx /p test Setup.exe
Done Adding Additional Store
Successfully signed and timestamped: Setup.exe
Option 2: How to Sign Code with a SHA1 Certificate/Digest Algorithm/Timestamp
Enter the following command:
signtool sign /t http://timestamp.digicert.com /f "c:\path\to\mycert.pfx" /p pfxpassword "c:\path\to\file.exe"
If the process was successful, you will see the following response, indicating that the program has been signed and timestamped:
C:\Code>signtool sign /t http://timestamp.digicert.com /f mycert.pfx /p test Setup.exe
Done Adding Additional Store
Successfully signed and timestamped: Setup.exe
Verify the digital signature
You can verify that your application is now signed by right clicking on it and clicking Properties. On the Digital Signatures tab (if it exists), you can view the signing certificate and timestamp.
Additional Information
Using the hash value of a Code Signing Certificate is another way to let signtool know which Code Signing Certificate to use.
If you have multiple certificates installed in your Personal Certificate store, it may be better to use the /sha1 option to specify the hash value of the Code Signing Certificate instead of using /a or /f "c:\path\to\mycert.pfx" /p pfxpassword in the signing command.
In this case, you would be using the thumbprint value of your Code Signing Certificate. You must remove all spaces from the thumbprint value; if you do not, it won’t work. You can also use our DigiCert Utility to easily get the thumbprint.
Option 1: How to Sign Code with a SHA256 Certificate/Digest Algorithm/Timestamp:
Enter the following command:
signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /sha1 [thumbprint] file.exe
Option 2: How to Sign Code with a SHA1 Certificate/Digest Algorithm/Timestamp:
Enter the following command:
signtool sign /t http://timestamp.digicert.com /sha1 [thumbprint] file.exe
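The thumbprint selection described here and the verification step in the section above can be combined into one script. The following PowerShell is an added example, not from the DigiCert article: it selects the certificate by thumbprint from the current user's Personal store (failing if zero or more than one certificate matches, which is the ambiguity the /a warning above is about), strips the spaces that a thumbprint copied from certmgr carries, signs with a SHA-256 file digest and an RFC 3161 SHA-256 timestamp, then verifies with both signtool verify and Get-AuthenticodeSignature. Assumptions: signtool.exe is on PATH (Windows SDK), the certificate lives in Cert:\CurrentUser\My, and the caller supplies the thumbprint and file path; the timestamp URL is the one the article uses.

```powershell
# Added example (not from the DigiCert article): sign by thumbprint, then verify.
function Invoke-CodeSign {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$TimestampUrl = 'http://timestamp.digicert.com'
    )
    # signtool rejects thumbprints containing spaces; normalise what was pasted from certmgr.msc.
    $tp = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    $certs = @(Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert | Where-Object { $_.Thumbprint -eq $tp })
    if ($certs.Count -ne 1) {
        throw "Expected exactly one code signing certificate with thumbprint $tp, found $($certs.Count)"
    }
    if ($certs[0].NotAfter -lt (Get-Date)) { throw "Certificate $tp expired on $($certs[0].NotAfter)" }
    # /fd = file digest, /tr + /td = RFC 3161 timestamp and its digest (Option 1 above).
    # For kernel-mode drivers under the pre-2021 process, add /ac <cross-certificate.cer>.
    & signtool sign /fd sha256 /tr $TimestampUrl /td sha256 /sha1 $tp /v $FilePath
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }
}

function Test-CodeSignature {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    # /pa = default Authenticode policy; use /kp instead to check kernel-mode driver policy.
    & signtool verify /pa /v $FilePath
    $toolOk = ($LASTEXITCODE -eq 0)
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    $tp  = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
    [pscustomobject]@{
        File            = $FilePath
        SigntoolPassed  = $toolOk
        Status          = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        SignerMatches   = ($sig.SignerCertificate.Thumbprint -eq $tp)
        Timestamped     = [bool]$sig.TimeStamperCertificate
        TimestampIssuer = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Issuer } else { '' }
    }
}

# Usage (caller-supplied values; no real thumbprint or file is included in this example):
# Invoke-CodeSign    -FilePath 'C:\Code\Setup.exe' -Thumbprint $env:CODESIGN_THUMBPRINT
# Test-CodeSignature -FilePath 'C:\Code\Setup.exe' -ExpectedThumbprint $env:CODESIGN_THUMBPRINT
```

A result with Status Valid but Timestamped false means the signature will stop validating when the certificate expires, which is the condition the /tr switch exists to prevent; SignerMatches false means SignTool picked a different certificate than intended, the problem the thumbprint selection is meant to rule out.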
For more information on the different signtool.exe options, see Microsoft's SignTool Documentation.
If you need to dual sign your files, see Dual Signing with SHA256 and SHA1 Standard Code Signing Certificates or Dual Signing with SHA256 and SHA1 EV Code Signing Certificates.