An analysis of the questions that are the most frequently asked to our technical support shows that many issues and concerns are due to the settings or the behaviour of Windows operating system itself.
This is particularly the case in security-enforced corporate environments, where strict administrative policies may prevent the user to install the right driver, or even prevent the applications to access local smart card readers.
The fact that Windows raises a couple of notifications (“Setting up a device”, then “The smart card requires drivers that are not present on this system”) every time a card is inserted in a PC/SC reader for the first time is also the source of many questions, that this article will address.
More than that, most users don’t understand why all the cards are connected automatically by a ‘phantom’ process for about one second following their insertion before being made available to their primary application.
Even if all these issues are not specifically related to SpringCard couplers or drivers (any other smart card reader would lead to the same observations), we’ve created PcscCheck, an automated ‘check list’ that validates the computer’s PC/SC sub-system and allows to switch the key parameters in no time, for a better user experience with smart cards on Windows.
Getting started with PcscCheck
Download PcscCheck for your computer
SpringCard PcscCheck is a portable application that works immediately after downloading from any location (no setup to run, no ZIP to extract).
The only dependency is the .NET 4.8 runtime, that is installed by default since Windows 10 v1903, and should have been installed through Windows Update over all today’s systems.
Find the right version here:
- SpringCard PcscCheck64 for Windows 64 bits
- SpringCard PcscCheck32 for Windows 32 bits
Tip: if you don’t know whether your system is 64 bits or 32 bits, try the version for 64 bits first. Try the version for 32 bits only if the system says “This is not a valid win32 application”.
Your first diagnostic
PcscCheck performs a series of diagnostics and displays the result immediately.
One of the diagnostic is trying to communicate with a smart card through a SCardTransmit API call. If we don’t have any card inserted in any reader, the sofware says “Unable to run SCardTransmit test” and concludes “Some tests have not been run”:
Let’s insert a smart card in any of the SpringCard readers (this may be any supported NFC/RFID card in the Contactless slot, any ISO/IEC 7816 smart card in the Contact slot, or any ID-000 SIM/SAM smart card in one of the SAM slots) and run the diagnostics again. PcscCheck now confirms that everything is fine:
Identify and troubleshoot common issues
PC/SC service not running
This is an error that may arrive in some very-restricted corporate environments. When the PC/SC service is not running, all PC/SC readers are useless.
If the message “The Smart Card service is disabled or its configuration is invalid” appears, please contact your IT staff and have them re-enable the Smart Card service (SCardSvr) in their global policies.
For advanced users
If you own the computer personnaly or if you have the right to change Windows’ deep configuration, click the Admin mode button. Confirm you are allowed to go further by confirming the UAC prompt or login as an administrator.
Once PcscCheck has restarted in admin mode, click Advanced.
Click the Smart Card service: set startup type to Automatic link, wait for confirmation, and restart the computer.
PC/SC service not configured to start with the system
On a default installation, the PC/SC service starts only when an application tries to access PC/SC resources. This is generally not an issue, but starting the PC/SC with Windows (and before the applications) is highly recommended when operating SpringCard network or Bluetooth readers through the SpringCard PC/SC Bridge driver, or when the SpringCard Companion Service is used.
If the message “The Smart Card service is not configured to start automatically” appears, please contact your IT staff and have them set the startup type of the Smart Card service (SCardSvr) to “automatic” in their global policies or through an administrative task.
For advanced users
If you own the computer personnaly or if you have the right to change Windows’ deep configuration, click the Admin mode button. Confirm you are allowed to go further by confirming the UAC prompt or login as an administrator.
Once PcscCheck has restarted in admin mode, click Advanced.
Click the Smart Card service: set startup type to Automatic link and wait for confirmation. You don’t have to restart the computer.
You may restore the initial configuration later on, using the Restore Smart Card service’s default configuration link.
USB PC/SC couplers associated to the wrong driver
Detailed article: how to be sure that the SpringCard PC/SC driver is installed?
Disable the Certificate Propagation service for a better user experience
Old article on the same problem on earlier versions of Windows: Windows 7 complains on missing driver for smartcards.
Windows Certificate Propagation service (CertPropSvc) is the ‘phantom’ process that is guilty of trying to install a driver to every smart card (raising an error notification for all smart cards that have no driver — and they are many) and guilty of connecting to every smart card upon every insertion.
Because it generally creates a bad user experience when working with smart cards or slow downs the user’s operations, PcscCheck shows a warning when this service is running and advices to disable it.
More than that, most advanced smart card testing tools (used for validating the readers, or the cards, or the applications, or everything all together) fail to run correctly when this service is running (this is for instance the case of NXP Card Test Framework).
What is the role of this Certificate Propagation service?
The Certificate Propagation service (CertPropSvc) is the gateway between smart cards and Windows’ cryptographic services.
Namely, the Certicate Propagation service handles all the smart cards that support PKI (private key infrastructure) and PKCS#11 (a standard API to create and manipulate cryptographic tokens), enumerates the certificates they contain, and adds them to Windows Certificate Store. This allows the system to take benefit of such cards for the following use cases:
- To open Windows session (smart card sign-in) or in the context of a single-sign on solution (SSO),
- To connect to a remote service, to a web site that expects a client certificate,
- To compute digital signatures, to sign a document or a software.
Suppliers of compatible cards and card applets are supposed to provide their driver (actually, a mini-driver) to make the link between the Certificate Propagation service and the actual implementation in the card. That’s why Windows tries to locate a driver for all the smart cards when this service is active.
When the card does not have a driver, the Certificate Propagation service ends up using its default driver, which connects to the card and issues sequences of ISO/IEC 7816-4 SELECT commands, still with the hope of locating an X509 certificate in one of the card’s applications, directories and files. That’s why the card is connected for some time, until this default driver eventually gives up.
Is it safe to disable the Certificate Propagation service?
If you and your organisation don’t use (and don’t plan to use) smart card sign-in, SSO solutions, smart card-based client authentification or digital signature, you may disable the Certificate Propagation service with no practical consequence on your workflow.
Doing so, only ‘your’ application(s) will ever access to the smart cards. No ‘phantom’ process anymore interfering with your work!
Of course, you must keep the Certificate Propagation service enabled in all other situations:
- When your organisation is using smart card sign-in to open Windows session (either locally or to a remote desktop server), when your organisation is using a SSO solution that relies on smart cards to authenticate the users,
- When you have to connect to remote applications or web sites using your eID card, your PIV card (employees and contractor of the US federal government, FIPS 201) or any card provided by your bank, your government or any service-supplier as a login credential,
- When your job involves digitally signing documents, when you are a developers and digitally sign your applications.
Important!
Pay attention that a lot of smart cards don’t look like a smart card at all!
All the USB tokens used in SSO solutions or to compute digital signature are actually the combination of a smart card chip (in the form of a small electronic part) with its dedicated reader.
They don’t look like a smart card and a smart card reader, but technically speaking, they are. They won’t work if the Certificate Propagation service is disabled.
Using PcscCheck to disable the Certificate Propagation service
If you’re sure that you may safely disable Certificate Propagation service in your context, you may do so directly using PcscCheck.
For advanced users
If you own the computer personnaly or if you have the right to change Windows’ deep configuration, click the Admin mode button. Confirm you are allowed to go further by confirming the UAC prompt or login as an administrator.
Once PcscCheck has restarted in admin mode, click Advanced.
Click the Certificate Propagation service: set startup type to Disabled link and wait for confirmation. You don’t have to restart the computer.
You may restore the initial configuration later on, using the Restore Certificate Propagation service’s default configuration link.