Symptom fingerprint
The exact strings, error codes, and UI surfaces that map to this issue:
| UI message | Surface | Code |
|---|---|---|
| No signing device was detected for this account | DocuSign 'Sign with Certificate' panel | — |
| Unable to load signing extension | Chrome/Edge toolbar notification | — |
| PIN attempts remaining: 0 | Vendor middleware tray icon | — |
What 'no signing device' really tells us
DocuSign reads tokens through two channels: the OS certificate store (CAPI on Windows, Keychain on macOS) for installed signing, and a small browser extension for the click-to-sign path on docusign.net. Either channel being broken produces 'no signing device' — fixing the wrong one wastes a session.
Windows vs macOS — what differs
Windows 10 / 11
- Certificate must be in Current User → Personal (CurrentUser\My). Local Machine → Personal is invisible to DocuSign.
- Smart Card and Certificate Propagation services must be Running.
- Vendor middleware tray icon should show the token as 'Inserted, Logged In' or equivalent.
macOS Sonoma / Sequoia
- Identity must be in the login keychain, not System. Drag-copy between keychains if needed.
- Run 'security find-identity -v -p smartcard' — empty output = OS not enumerating the token at all.
- macOS 14+ requires explicit SmartCard pairing on first insertion; check System Settings → Users → Smart Card.
Browser-specific behaviour
Chrome
DocuSign signing extension must be enabled at chrome://extensions; some enterprise allow-lists block it.
Edge
Same extension model; check edge://extensions and any tenant Managed Extensions policy.
Firefox
DocuSign's web flow works without an extension but requires the token's PKCS#11 module loaded in Firefox's Security Devices.
Safari
Safari uses the system Keychain; if the identity is missing from 'login', it will not appear in DocuSign even with the token inserted.
Diagnostic sequence
Run each step in order. Stop at the first failing expectation — that's where the root cause lives.
1. Confirm OS sees the token
Windows: certutil -scinfo · macOS: sc_auth identities
Expected: Token reader and at least one identity listed.
2. Confirm certificate is in user scope
Windows: Get-ChildItem Cert:\CurrentUser\My · macOS: security find-identity -v -p smartcard
Expected: Your signing certificate present with private key bound.
3. Confirm browser extension
Open chrome://extensions or edge://extensions
Expected: 'DocuSign Signing Extension' present and Enabled.
4. Check PIN-lock state
Open vendor middleware (SafeNet Authentication Client, IDPrime, ePass)
Expected: Token shows 'PIN attempts remaining: 3' or higher. Zero = blocked, requires PUK.
Frequently asked questions
What happens if I lock the PIN?
Most tokens block the PIN after 3 wrong attempts. Recovery requires the PUK (PIN Unblock Key) issued with the token at provisioning. Without the PUK, the token must be re-issued by the CA.
Can I export the certificate from the token?
No. The whole point of the token is that the private key is non-exportable hardware-bound. You can export the public certificate for trust setup, but the signing key stays on the device.
Why does DocuSign work on my laptop but not my desktop?
Different USB power profiles, different CAPI store scope (sometimes installed only to the laptop's user store), or one machine has the DocuSign extension installed and the other doesn't.
Need an independent diagnostic?
If these steps don't isolate the root cause inside your environment, an independent consultant can run a structured PKI diagnostic with you over a screen-shared session and deliver a written report identifying root cause, remediation, and — where relevant — the next responsible party (CA, internal IT, or software vendor).
Schedule a 30-minute certificate consulting session — $49Includes a written diagnostic summary. Independent consulting engagement — not affiliated with DocuSign, Adobe, or Microsoft.