What is a PIV card?
PIV stands for Personal Identity Verification. It's defined by FIPS 201, a federal standard mandated by Homeland Security Presidential Directive 12 (HSPD-12). A PIV card carries PKI certificates and biometric data that let federal employees and contractors authenticate to systems, sign documents, and encrypt email using hardware-protected private keys.
As with a CAC, the private keys never leave the chip: the card proves your identity cryptographically without exposing anything that could be copied.
CAC vs PIV — what's the difference?
They're close cousins and share the same underlying smart-card technology, but they're issued by different parts of government for different populations.
| | CAC | PIV |
|---|---|---|
| Issued by | Department of Defense | Civilian federal agencies |
| Standard | DoD PKI (PIV-compatible) | FIPS 201 / HSPD-12 |
| Used by | Military, DoD civilians, contractors | Federal civilian employees, contractors |
| Middleware | ActivClient, OpenSC, built-in | Windows built-in, USAccess tools, OpenSC |
Federal agencies that use PIV
- General Services Administration (GSA) — runs the USAccess shared credentialing service.
- Department of Homeland Security (DHS).
- Department of Health and Human Services (HHS).
- Department of the Interior, Treasury, Commerce, and most other civilian agencies.
- Contractors supporting any of the above through their sponsoring agency.
Software you need
Windows 10 and 11 include a built-in PIV minidriver, so a standards-compliant PIV card often works with no extra software. Agencies that use the GSA USAccess program may provide their own middleware or activation tools. On personal or unmanaged machines, OpenSC is the reliable free option.
- Windows built-in minidriver — usually enough for authentication and signing.
- GSA USAccess / agency middleware — for agency-managed laptops.
- OpenSC — free PKCS#11 module for Firefox, macOS, and Linux.
- Agency root/intermediate certificates — must be installed so the chain validates (Federal Common Policy CA).
The four PIV certificates
A PIV card typically holds up to four certificates, each with a distinct job. Choosing the wrong one is a common reason a site rejects you.
- PIV Authentication — proves your identity to log in to systems and websites.
- Digital Signature — signs documents and email (non-repudiation).
- Key Management / Encryption — decrypts encrypted email and files.
- Card Authentication — used for physical access (door readers), not usually for web login.
Common error: "No valid certificates found"
This is the headline PIV error. It almost always means one of four things: the Smart Card service isn't running, the card's certificates haven't propagated into your personal store, the issuing CA chain isn't trusted, or the certificate you need has expired.
```powershell
# Both services should be Running with StartType Automatic
Get-Service SCardSvr, CertPropSvc | Select Name, Status, StartType
# Card certificates that have propagated into the personal store (they carry a private-key handle)
Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey }
```
Fix sequence
- Open services.msc and confirm Smart Card (SCardSvr) and Certificate Propagation (CertPropSvc) are both Running and Automatic.
- Reinsert the card and check certmgr.msc → Personal → Certificates for your PIV certificates.
- Confirm the Federal Common Policy CA and your agency's intermediates are installed (Trusted Root / Intermediate stores).
- Verify the certificate isn't expired — PIV certs are typically valid 3 years and reissued at card renewal.
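The following script is an added example, not part of the original page. It walks the four causes above in one pass and also labels each card certificate with its PIV role (the distinction the "four PIV certificates" section describes). The role heuristic is an assumption based on the key-usage and EKU values in the NIST PIV certificate profiles, so treat its label as a hint.

```powershell
# Added diagnostic script; not from the original page. Checks services, propagated
# certificates, chain trust and expiry, and labels each certificate by PIV role.
# Assumption: role heuristic uses KU/EKU values from the NIST PIV certificate profiles.
# 'using namespace' must be the first statement in the script.
using namespace System.Security.Cryptography.X509Certificates

# 1. Both services must be Running and Automatic.
foreach ($svc in Get-Service -Name SCardSvr, CertPropSvc) {
    $state = if ($svc.Status -eq 'Running' -and $svc.StartType -eq 'Automatic') { 'OK' } else { 'CHECK' }
    '{0,-12} {1,-8} {2,-10} {3}' -f $svc.Name, $svc.Status, $svc.StartType, $state
}

# 2. Card certificates propagated into the personal store carry a private-key handle.
$certs = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey })
if ($certs.Count -eq 0) { Write-Warning 'No certificates with a private key: reinsert the card and check CertPropSvc.' }

$cardAuthEku   = '2.16.840.1.101.3.6.8'    # id-PIV-cardAuth
$clientAuthEku = '1.3.6.1.5.5.7.3.2'       # Client Authentication
$scLogonEku    = '1.3.6.1.4.1.311.20.2.2'  # Smart Card Logon
$report = foreach ($cert in $certs) {
    $ku = [X509KeyUsageFlags]::None
    $kuExt = $cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    if ($kuExt) { $ku = $kuExt.KeyUsages }
    $ekuExt = $cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $eku = @()
    if ($ekuExt) { $eku = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $role = if ($eku -contains $cardAuthEku) { 'Card Authentication' }
            elseif ($ku.HasFlag([X509KeyUsageFlags]::KeyEncipherment)) { 'Key Management / Encryption' }
            elseif ($ku.HasFlag([X509KeyUsageFlags]::NonRepudiation)) { 'Digital Signature' }
            elseif ($eku -contains $clientAuthEku -or $eku -contains $scLogonEku) { 'PIV Authentication' }
            else { 'Unknown' }

    # 3. Chain builds against the local Trusted Root / Intermediate stores (revocation not checked here).
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)

    # 4. Expiry: DaysLeft <= 0 means the card needs renewal through the agency credentialing office.
    [pscustomobject]@{
        Role       = $role
        Subject    = $cert.Subject
        Expires    = $cert.NotAfter.ToString('yyyy-MM-dd')
        DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
        ChainOK    = $chainOk
        ChainIssue = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}
$report | Format-Table -AutoSize
```

A row with ChainOK False and a ChainIssue of UntrustedRoot or PartialChain points at the missing Federal Common Policy CA or agency intermediates; a row with a private key but a Role of Unknown is worth inspecting in certmgr.msc.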
Group Policy issues in agency environments
Managed agency laptops apply Group Policy that can directly affect smart-card behaviour. If a card works at home but not on the office network (or vice versa), Group Policy is a prime suspect.
- "Allow certificates with no Extended Key Usage" — if disabled, otherwise-valid certs can be hidden.
- Smart-card removal behaviour — policies that lock or log off the session when the card is removed.
- Certificate-store restrictions that block self-installed roots.
- Browser certificate allow-lists deployed via policy that suppress the certificate prompt.
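To compare the two environments, as the FAQ below suggests, this added helper (not from the original page) reads the registry values behind the "no Extended Key Usage" and card-removal policies and counts installed roots, so the output from a home session and an office session can be diffed. It assumes the value names and paths that Microsoft documents for the smart-card policies; a missing value means the policy is Not Configured and the Windows default applies.

```powershell
# Added helper; not from the original page. Run once at home and once on the office network
# and diff the output. Assumption: registry paths and value names follow Microsoft's
# smart-card Group Policy documentation.
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider'
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist (policy Not Configured).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$removeOption = @{ '0' = 'No action'; '1' = 'Lock workstation'; '2' = 'Force logoff'; '3' = 'Disconnect RDP session' }
$noEku    = Get-RegValue $policyKey   'AllowCertificatesWithNoEKU'
$scRemove = Get-RegValue $winlogonKey 'ScRemoveOption'

$noEkuText = if ($null -eq $noEku) { 'Not Configured' } elseif ($noEku -eq 1) { 'Enabled' } else { 'Disabled (certs without an EKU are hidden)' }
$removeText = if ($null -eq $scRemove) { 'Not Configured' } else { $removeOption["$scRemove"] }
# Presence of the Federal Common Policy CA in either root store (subject match is a heuristic).
$fcpca = Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root | Where-Object { $_.Subject -like '*Federal Common Policy*' }

[pscustomobject]@{
    Host                       = $env:COMPUTERNAME
    AllowCertificatesWithNoEKU = $noEkuText
    SmartCardRemovalBehaviour  = $removeText
    MachineRootCount           = (Get-ChildItem Cert:\LocalMachine\Root).Count
    UserRootCount              = (Get-ChildItem Cert:\CurrentUser\Root).Count
    FederalCommonPolicyCA      = [bool]$fcpca
} | Format-List
```

For the complete applied policy set on a managed laptop, gpresult /h report.html produces a report you can search for the Smart Card section.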
VPN and PIV — common conflicts
PIV smart-card login and VPN clients frequently collide. Typical scenarios and remedies:
- VPN demands certificate auth but doesn't see the PIV cert — ensure the VPN client is configured to use the Windows certificate store, not its own.
- Card reader disconnects when the VPN tunnel resets — disable USB selective suspend in Power Options.
- Multiple certificates offered and the VPN picks the wrong one — narrow the VPN profile to the PIV Authentication certificate.
- Smart Card service restarts mid-session — set both SCardSvr and CertPropSvc to Automatic, not Manual.
Frequently asked questions
What middleware do I need for a PIV card?
On Windows 10/11, the built-in PIV minidriver usually handles authentication and signing with no extra software. For Firefox, macOS, or Linux, install OpenSC and load its PKCS#11 module. Agency-managed machines may supply GSA USAccess or vendor middleware.
Is PIV the same as CAC?
No, but they're closely related. Both are FIPS 201-style smart cards, but CAC is issued by the Department of Defense and PIV by civilian federal agencies. They use the same underlying technology, so the same readers and much of the same middleware work for both.
Why does my PIV card work at home but not at the office?
Almost always Group Policy. Managed agency networks push policies that affect smart-card certificate enumeration, removal behaviour, and trusted certificate stores. Compare the smart-card-related policies between the two environments, starting with the Smart Card service and EKU settings.
My PIV certificate expired — can I renew it remotely?
No. PIV certificate renewal happens through your agency's credentialing office (often via GSA USAccess), not on your computer. Remote support can confirm that expiry is the cause and get you working again once a new card or certificate is issued.
PIV card still failing?
Group Policy, VPN, and certificate-store problems can be tricky to isolate alone. Get expert help on a remote session and we'll get your federal PIV credential authenticating again.
Independent consulting engagement — not affiliated with DocuSign, Adobe, Microsoft, or any certificate authority.