DocuSign Certificate Error & Token Not Recognized on Windows and macOS — Diagnostic Guide

9 min read · Written by the FixMySignature Editorial Team, PKI Advisory · Updated January 2025

Symptom fingerprint

The exact strings, error codes, and UI surfaces that map to this issue:

| UI message | Surface | Code |
| --- | --- | --- |
| Your certificate could not be verified | DocuSign signing panel modal | |
| No signing device was detected for this account | DocuSign 'Sign with Certificate' flyout | |
| We were unable to validate your signing certificate | DocuSign envelope error toast | ERR_CERTIFICATE_VALIDATION |

What this error actually means

A DocuSign certificate error fires when the platform reads a credential from the signer's local store (Windows CAPI / macOS Keychain) but cannot complete one of three checks: that the signing certificate is bound to a usable private key, that the certificate chains to a CA DocuSign accepts, and that the certificate is not revoked or time-skewed.

DocuSign token not recognized is the same symptom one layer earlier — the platform never sees a usable signing credential at all because the hardware token, its middleware, or the browser bridge is silent.

Almost every case resolves at the local environment level. CA-side problems exist but are rare and produce a different error class (envelope-level rather than client-level).

Likely causes — match the symptom

Before changing settings, match what you see to one of these conditions:

  • Credential present but expired — the certificate passed its 'Not After' date.
  • Token driver/middleware absent — Windows or macOS sees the USB device but not the PKCS#11 module behind it.
  • Browser stale-state — Chrome/Edge cached a previous session and is not re-enumerating credentials.
  • Wrong certificate store scope — installed under Local Machine on Windows (DocuSign reads Current User) or under System keychain on macOS instead of login.
  • Clock skew — local clock differs from UTC by more than ~5 minutes, invalidating timestamp validation.

Windows vs macOS — what differs

Windows 10 / 11

  • Tokens are exposed via Microsoft CAPI / CNG; middleware (SafeNet Authentication Client, Gemalto MiniDriver, ePass) bridges the USB device to CAPI.
  • Certificate inspection: certmgr.msc → Personal → Certificates (Current User scope is what DocuSign reads).
  • Smart Card service must be Running and set to Automatic (services.msc).
  • Group Policy can hide the DocuSign signing extension — check Edge/Chrome managed extension policies.

macOS Sonoma / Sequoia

  • Tokens are exposed via CryptoTokenKit; vendor middleware ships a .tokend bundle or installs a PKCS#11 module under /Library/Security/tokend or /usr/local/lib.
  • Certificate inspection: Keychain Access → 'login' keychain → Certificates tab; private key must be present under 'My Certificates'.
  • macOS Sonoma/Sequoia tightened SmartCard pairing — the first insertion may trigger a user pairing dialog that must be approved.
  • Safari hands credentials to system Keychain only; Chrome on macOS uses its own NSS-style validation for some flows.

Browser-specific behaviour

  • Chrome

    Uses CAPI on Windows for personal certs; clear 'Cookies and site data' for docusign.net only, then restart. Check chrome://settings/security for managed certificates.

  • Edge

    Reads the same CAPI store as Chrome; if Edge is in Internet Explorer Mode for a tenant page, certificate enumeration changes — disable IE Mode for docusign.net.

  • Firefox

    Maintains its own NSS store; load the token PKCS#11 module manually via about:preferences#privacy → Security Devices → Load.

  • Safari

    Reads only the login Keychain; if the certificate is in the System keychain it will not appear in DocuSign — drag-copy to login.

Diagnostic sequence

Run each step in order. Stop at the first failing expectation — that's where the root cause lives.

  1. Enumerate token slots

    pkcs11-tool --module <vendor-pkcs11.dll | .dylib> --list-slots

    Expected: At least one slot with a token present and a token label matching your device.

  2. List certificates on the token

    pkcs11-tool --module <...> --list-objects --type cert

    Expected: One or more X.509 entries with non-empty 'label' and 'id'.

  3. Verify chain (Windows)

    certutil -verify -urlfetch <exported.cer>

    Expected: ChainContext.dwRevocationFreshnessTime > 0 and 'Verified Issuance Policies: None' or matching policy — no 'CERT_TRUST_*' bit flags set.

  4. Verify identity (macOS)

    security find-identity -v -p smartcard

    Expected: Identity row showing your name and 'valid identities found: 1' or more.

  5. Check clock

    w32tm /query /status   (Windows)  ·  sntp -sS time.apple.com   (macOS)

    Expected: Offset < 5 seconds from authoritative source.
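
The expectations for steps 1 and 2 are text checks on pkcs11-tool output, so they can be scripted and applied in order. The script below is an added example, not part of the original guide or of any vendor tooling; the function names and sample output are constructed, and it assumes the line layout printed by OpenSC's pkcs11-tool, which can differ between versions.

```shell
# Added example: checks captured pkcs11-tool output against steps 1 and 2.
# Function names are hypothetical; the sample output is constructed.

# Step 1: count slots that report a token (an empty slot prints "(empty)").
count_present_tokens() {
    awk '/^[ \t]*token label[ \t]*:/ {
             sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t\r]+$/, "")
             if ($0 != "") n++ }
         END { print n + 0 }'
}

# Step 2: count certificate objects that carry a non-empty label and ID.
count_usable_certs() {
    awk 'function tally() { if (incert && label != "" && id != "") n++ }
         function value(s) { sub(/^[^:]*:[ \t]*/, "", s); sub(/[ \t\r]+$/, "", s); return s }
         /^Certificate Object/ { tally(); incert = 1; label = ""; id = ""; next }
         /^[^ \t]/             { tally(); incert = 0; next }
         incert && /^[ \t]+label:/ { label = value($0) }
         incert && /^[ \t]+ID:/    { id = value($0) }
         END { tally(); print n + 0 }'
}

# Apply the steps in order and stop at the first failing expectation.
# $1 = captured --list-slots output, $2 = captured --list-objects --type cert output.
triage() {
    if [ "$(printf '%s\n' "$1" | count_present_tokens)" -lt 1 ]; then
        echo "step1-fail: no token present (driver, middleware or USB path)"; return 1
    fi
    if [ "$(printf '%s\n' "$2" | count_usable_certs)" -lt 1 ]; then
        echo "step2-fail: token visible but no certificate with label and ID"; return 2
    fi
    echo "ok: continue with the chain, identity and clock checks"
}

# Constructed sample output (not captured from a real token).
SLOTS_OK='Available slots:
Slot 0 (0x0): Example Reader 0
  token label        : EXAMPLE-TOKEN
Slot 1 (0x1): Example Reader 1
  (empty)'
CERTS_OK='Certificate Object; type = X.509 cert
  label:      Example Signer
  subject:    DN: CN=Example Signer
  ID:         01'

triage "$SLOTS_OK" "$CERTS_OK"
```

With a live token, pass the real command output instead of the samples, for example `triage "$(pkcs11-tool --module <...> --list-slots)" "$(pkcs11-tool --module <...> --list-objects --type cert)"`.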

Frequently asked questions

Why does DocuSign see my certificate in Chrome but not in Edge?

Both browsers read CAPI on Windows, but Edge's IE Mode or a tenant-deployed extension allow-list can suppress DocuSign's signing bridge. Disable IE Mode for docusign.net in edge://settings/defaultbrowser and re-test.

Does DocuSign work with macOS Sonoma's tightened SmartCard pairing?

Yes, but the first insertion triggers a pairing prompt that must be approved by the logged-in user. If the prompt was dismissed, run 'sc_auth list' to see paired identities and 'sc_auth pair -u <user> -h <hash>' to re-pair.

Is 'token not recognized' ever a DocuSign-side outage?

Almost never. DocuSign-side issues surface as envelope errors (5xx, envelope ID in the message). Client-side 'no signing device' is environmental in 95%+ of cases we diagnose.

Can I sign in DocuSign with a self-signed certificate?

No. DocuSign Signing Service requires a certificate chaining to a CA on its trust list (DocuSign-issued, IdenTrust, Entrust, GlobalSign, and select others). A self-signed credential will enumerate but fail at envelope submission.

Still seeing this error?

If these steps don't isolate the root cause inside your environment, an independent consultant can run a structured PKI diagnostic with you over a screen-shared session and deliver a written report identifying root cause, remediation, and — where relevant — the next responsible party (CA, internal IT, or software vendor).

Includes a written diagnostic summary. Independent consulting engagement — not affiliated with DocuSign, Adobe, or Microsoft.