
Fix STATUS_SMARTCARD_CERT_EXPIRED (0xC000038D) - expired smart card cert

Cybersecurity & Malware | Intermediate | May 28, 2026

Your smart card certificate has expired. Renew it, or check the system clock if the expiry date looks wrong. Also make sure the CA certificate chain is still valid; that is the one people miss.

Quick answer

Renew the smart card's client certificate, then verify that the CA certificate chain hasn't expired. If an issuing or root CA certificate has expired, nothing it issued will validate until the CA certificate is renewed and the new one is published to clients and domain controllers.

What's going on here

You're hitting STATUS_SMARTCARD_CERT_EXPIRED (0xC000038D) because the X.509 certificate on your smart card is past its NotAfter (valid-to) date. Most smart card certs are issued for 1–3 years. Once expired, Windows won't use them for domain logon, VPN authentication, or signing. I had a client last month, a hospital network, where half the nursing staff couldn't log in because their badge certs expired overnight. The fix was straightforward: re-enroll from the CA. But sometimes the real culprit is that the issuing CA's own certificate expired, which invalidates the chain of every smart card cert it issued. That's the gotcha that wastes hours.

The error shows up as a logon denial on the client, as a failed Kerberos TGT request (event ID 4768) or pre-authentication failure (event ID 4771) in the domain controller's Security log, or as a VPN rejection quoting 0xC000038D. A skewed system clock can also trigger it, but that's less common on domain-joined machines whose time is synced from the domain hierarchy. I'll walk you through what actually works.

Step-by-step fix

  1. Check the smart card cert's expiry date
    Plug in the smart card reader and insert the card. Open a PowerShell or command prompt (elevation is not needed) and run:
    certutil -scinfo -silent
    Look for the NotAfter field of each certificate on the card and compare it with today's date. If it's in the past, the cert is dead and you'll need to re-enroll.
  2. Renew the certificate
    If your organization uses auto-enrollment, renewal may already have failed silently: a smart card cert can only be renewed while the card is inserted and the user is logged on, because the new key pair is generated on the card. Force a manual re-enroll:
    1. Open the Certificates snap-in (run certmgr.msc)
    2. Browse to Personal > Certificates
    3. Find the smart card cert (usually issued to your username)
    4. Right-click > All Tasks > Request New Certificate
    5. Select the smart card enrollment template (often named "Smartcard User" or "Smartcard Logon")
    6. Complete the wizard. You'll be prompted for the card PIN; the new key pair is generated on the card and the certificate written to it.
    If the card is locked or can't be updated, you'll need to re-issue a physical smart card from IT.
  3. Verify the CA certificate chain
    The smart card cert must chain up to a trusted root CA through issuing CAs that are themselves still valid. Check both stores, because the issuing CA normally lives in the intermediate (CA) store, not in Root:
    certutil -verifystore Root
    certutil -verifystore CA
    To verify the card's own certificate end to end (chain building plus revocation), run:
    certutil -user -verifystore My
    Look for any CA cert whose NotAfter is before today, or a "certificate has expired" status in the chain output. If the issuing CA's certificate has expired, no smart card cert it issued will validate. The CA certificate has to be renewed and the new CA cert and a fresh CRL published to clients and DCs; that's a bigger job your PKI admin handles.
  4. Check the system clock
    Even if the cert is valid, a clock skewed past the cert's NotAfter (or before its NotBefore) makes Windows treat it as expired. On the client machine, run:
    w32tm /query /status
    If the time's off by more than 5 minutes, sync it:
    w32tm /resync
    If that fails, check where the machine gets its time from with w32tm /query /source. A domain-joined client should follow the domain hierarchy (Type = NT5DS); the NtpServer value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters is only honored when Type is set to NTP.
  5. Test the smart card driver and reader
    Rare, but a flaky driver can produce read errors that surface as certificate failures. Open Device Manager, expand Smart card readers, right-click the reader, and update the driver. Restart the machine, then re-run certutil -scinfo to confirm the cert reads correctly.
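The five steps above amount to three questions: is the leaf cert expired, is an issuing or root CA cert expired, and is the local clock wrong? The following PowerShell script, added here as a worked example and not code from the original page, answers them in one pass. It assumes (hypothetically) that the card certificate carries the Smart Card Logon EKU 1.3.6.1.4.1.311.20.2.2 and has been propagated into Cert:\CurrentUser\My by the Certificate Propagation service (insert the card first), and that the logon DC in $env:LOGONSERVER is a usable time reference; override -TimeSource if it isn't.

```powershell
# Added diagnostic for STATUS_SMARTCARD_CERT_EXPIRED triage; not from the original page.
# Assumptions (hypothetical): card cert has the Smart Card Logon EKU and is in
# Cert:\CurrentUser\My; $env:LOGONSERVER points at a DC reachable over NTP (UDP 123).

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'

function Get-SmartCardLogonCert {
    # Select by EKU rather than by subject name, so renamed or multiple certs are not missed.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $ext = $_.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ext -and ($ext.EnhancedKeyUsages.Value -contains $SmartCardLogonEku)
    }
}

function Test-SmartCardCertChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chain.ChainPolicy.VerificationTime = Get-Date   # the local clock, which is what the logon path uses too
    $built = $chain.Build($Cert)

    $result = [ordered]@{ Thumbprint = $Cert.Thumbprint; Subject = $Cert.Subject; ChainBuilt = $built; Verdict = 'ok' }
    $i = 0
    foreach ($el in $chain.ChainElements) {
        $statusText = ($el.ChainElementStatus | ForEach-Object { $_.Status.ToString() }) -join ','
        $daysLeft = [int][math]::Floor(($el.Certificate.NotAfter - (Get-Date)).TotalDays)
        $role = if ($i -eq 0) { 'leaf' } elseif ($i -eq $chain.ChainElements.Count - 1) { 'root' } else { 'issuing' }
        Write-Host ("  [{0,-7}] {1} NotAfter={2:u} daysLeft={3} status={4}" -f $role, $el.Certificate.Subject, $el.Certificate.NotAfter, $daysLeft, $statusText)
        if ($statusText -match 'NotTimeValid') {
            # Leaf expired means re-enroll the card; a CA expired means the PKI admin renews the CA cert.
            $result.Verdict = if ($i -eq 0) { 'leaf certificate expired (STATUS_SMARTCARD_CERT_EXPIRED)' }
                              else { "$role CA certificate expired; every cert it issued now fails" }
        }
        $i++
    }
    if ($result.Verdict -eq 'ok' -and -not $built) {
        # Not an expiry: e.g. RevocationStatusUnknown, OfflineRevocation (unreachable CRL) or UntrustedRoot.
        $summary = ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ','
        $result.Verdict = "chain invalid for another reason: $summary"
    }
    [pscustomobject]$result
}

function Get-ClockOffsetSeconds {
    param([string]$TimeSource = ($env:LOGONSERVER -replace '^\\\\', ''))
    if (-not $TimeSource) { return $null }
    # w32tm /stripchart prints one sample line such as "12:00:01, +00.0123456s"; extract the signed offset.
    $out = (& w32tm /stripchart /computer:$TimeSource /samples:1 /dataonly 2>&1) -join "`n"
    $m = [regex]::Match($out, '([+-]\d+\.\d+)s')
    if ($m.Success) { [double]$m.Groups[1].Value } else { $null }
}

$certs = @(Get-SmartCardLogonCert)
if ($certs.Count -eq 0) {
    Write-Warning 'No Smart Card Logon certificate in Cert:\CurrentUser\My. Insert the card and check that the Certificate Propagation (CertPropSvc) service is running.'
}
foreach ($c in $certs) {
    Write-Host "Checking $($c.Subject) ($($c.Thumbprint))"
    Test-SmartCardCertChain -Cert $c | Format-List Verdict, ChainBuilt
}

$offset = Get-ClockOffsetSeconds
if ($null -eq $offset) {
    Write-Warning 'Could not measure clock offset against the logon DC; run w32tm /query /status manually.'
} elseif ([math]::Abs($offset) -gt 300) {
    Write-Warning ("Clock is {0:N1}s off the DC; a skew across the cert's validity window looks like an expiry. Run w32tm /resync." -f $offset)
} else {
    Write-Host ("Clock offset to DC: {0:N3}s (fine)" -f $offset)
}
```

The chain is built with online revocation checking and the root excluded, which mirrors what the logon path does, so a verdict of "chain invalid for another reason" with OfflineRevocation or RevocationStatusUnknown points at the CRL distribution point rather than at an expiry, and the element-by-element NotAfter output shows at a glance whether it is the card's cert or a CA cert that has run out.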

Alternative fixes if the main steps don't work

  • Relax the CRL check — If the CRL distribution point is unreachable (common in firewalled networks), chain building fails. Strictly that reports STATUS_REVOCATION_OFFLINE_C rather than CERT_EXPIRED, but an expired CRL that can't be refreshed presents to the user as the same logon failure. In Group Policy, under Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Certificate Path Validation Settings, on the Revocation tab, tick Define these policy settings and enable Allow CRL and OCSP responses to be valid longer than their lifetime. Treat this as a stopgap: it weakens revocation for smart card logon, so fix CRL reachability and remove the extension afterwards.
  • Use a different smart card reader — I've seen cheap USB readers fail to read the cert properly. Swap to a known-good one (like a USB contactless reader from Identiv) and retry.
  • Check the card's physical condition — If the chip is damaged, the OS may report a cert error even if the cert's fine. Try the same card in a different reader or machine. If it fails everywhere, the card's hardware is dead.

Prevention tip

Set up a scheduled task or monitoring that flags certs within 30 days of their NotAfter date; certutil -scinfo -silent | find "NotAfter" in a script that emails the helpdesk is enough to start with. Most enterprise PKI setups have auto-enrollment that renews when the template's renewal period is reached (typically with about 20% of the lifetime remaining), but a misconfigured CA or template won't auto-renew, and a smart card cert is only renewed while the card is inserted and the user is logged on. Manually testing renewal on one card every quarter will catch that.
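One way to set up that monitoring, as an added example rather than code from the original page: the check below reads the logged-on user's store (Cert:\CurrentUser\My) instead of parsing certutil output, and is registered as a daily scheduled task that runs only while the user is logged on, since the card has to be inserted for the cert to be present. The script path, helpdesk address and SMTP relay are placeholders.

```powershell
# Added example; not the original page's script. Hypothetical placeholders:
# $ScriptPath, helpdesk@example.com, smtp.example.com. Run once per user to register the task.
$ScriptPath = 'C:\ProgramData\SmartCardCheck\Check-SmartCardExpiry.ps1'

$CheckScript = @'
param([int]$WarnDays = 30, [string]$To = 'helpdesk@example.com', [string]$Smtp = 'smtp.example.com')
$eku = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU
# Certs in the user's store with the Smart Card Logon EKU that expire inside the warning window.
$expiring = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $ext = $_.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ext -and ($ext.EnhancedKeyUsages.Value -contains $eku) -and ($_.NotAfter -lt (Get-Date).AddDays($WarnDays))
}
if ($expiring) {
    $lines = $expiring | ForEach-Object { '{0} thumbprint {1} expires {2:u}' -f $_.Subject, $_.Thumbprint, $_.NotAfter }
    Send-MailMessage -To $To -From "$env:COMPUTERNAME@example.com" -SmtpServer $Smtp `
        -Subject "Smart card cert expiring within $WarnDays days: $env:USERDOMAIN\$env:USERNAME on $env:COMPUTERNAME" `
        -Body ($lines -join "`n")
}
'@

New-Item -ItemType Directory -Path (Split-Path $ScriptPath) -Force | Out-Null
Set-Content -Path $ScriptPath -Value $CheckScript -Encoding UTF8

# Daily at 09:00, as the current user, interactive logon only (the card must be in the reader).
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
$trigger   = New-ScheduledTaskTrigger -Daily -At 9am
$principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" -LogonType Interactive
Register-ScheduledTask -TaskName 'SmartCardCertExpiryCheck' -Action $action -Trigger $trigger -Principal $principal -Force
```

Because the task is tied to the interactive session, a user who never inserts the card will never trigger an alert; pair it with a CA-side report (the issued-certificates view on the CA, filtered by template and NotAfter) to catch cards that are sitting in a drawer.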

Also — and I can't stress this enough — keep your CA's root certificate valid. Every time I see a widespread smart card login failure, it's usually a root CA that expired because nobody wrote the renewal date on a calendar. Set that renewal as a high-priority ticket with a 6-month lead time.
