SEC_E_SMARTCARD_CERT_EXPIRED (0X80090355) Fix
Smart card cert expired? Here's the quick fix: update your user certificate via AD or use certlm.msc. Skip the generic advice.
I know this error is infuriating—you're sitting there with your smart card inserted, and Windows just refuses to log you in. The good news is it's almost always a certificate issue you can fix without calling your admin.
Quick Fix: Force Cert Renewal via Command Line
The fastest way out of this mess is to renew the user certificate on the smart card. Here's the command that works on Windows 10 22H2 and Windows 11 23H2:
- Open Command Prompt as Administrator (right-click Start -> Command Prompt (Admin)).
- Run this to force a certificate renewal from Active Directory Certificate Services:
certreq -new -q -config "CA-SERVER\CA-NAME" request.inf request.cer
Replace CA-SERVER\CA-NAME with your actual CA server and name—you can find these by running certutil -config -ping first. If that sounds cryptic, check the next method.
Alternative: Use Certlm.msc to Renew Manually
If the command line gives you the creeps (it shouldn't, but okay), use the graphical tool:
- Press Win + R, type certlm.msc, hit Enter.
- Expand Personal -> Certificates.
- Find your expired smart card certificate (look for the red X icon).
- Right-click it -> All Tasks -> Request New Certificate.
- Follow the wizard, choose the same template (usually "Smartcard Logon" or "Authentication"), and enroll.
After that, remove and reinsert the smart card. Try logging in again. Nine times out of ten, that's the end of it.
Why This Works
This error pops up when the certificate stored on your smart card has passed its expiration date. Smart card certificates are issued by your organization's CA (Certificate Authority) and have a validity period—typically 1-3 years. Once that date hits, Windows refuses to authenticate using it. The fix above requests a fresh certificate from the CA and writes it to the smart card's file system (usually the Certificate object in the card's applet). The card itself isn't broken; the cert just expired.
Less Common Variations
1. Domain Controller's Cert Expired
If the error shows up when accessing a network resource (like a file share or RDP), the problem might be the server's certificate, not your smart card. Check the server's cert in certlm.msc on the DC. If it's expired, renew it there.
2. User Principal Name (UPN) Mismatch
Sometimes the cert renews but the UPN in the certificate doesn't match the user's Active Directory UPN. Run certutil -reqcert and compare the Subject field to the user's UPN in ADUC. If they mismatch, you'll need to re-enroll with the correct template that includes the UPN.
3. Group Policy Blocking Renewal
Some workplaces have a Group Policy that blocks automatic certificate enrollment. If the renewal fails silently, check event logs (Application and Services -> Microsoft -> Windows -> CertificateServices -> Client-Lifecycle-System). Look for Event ID 1006—that means the CA refused the request. You'll likely need to contact your help desk to add your machine to the allowed list.
4. Smart Card Reader Driver Issues
Rare, but I've seen it on older laptops with USB-CCID readers. If the card works on another machine but not yours, update the reader driver via Device Manager (under Smart Card Readers). Uninstall it, reboot, and let Windows reinstall it.
Prevention Tips
- Set a calendar reminder 30 days before your smart card cert expires. Most AD admins can tell you the expiration date upfront.
- Enable auto-enrollment in Group Policy (Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies -> Certificate Services Client - Auto-Enrollment). Set it to "Renew expired certificates, update pending certificates, and remove revoked certificates."
- Use certutil -scinfo to check your smart card's cert details before you travel. Run it monthly as part of your IT hygiene.
- If you're an admin, deploy a monitoring script that alerts you 14 days before smart card certs expire. PowerShell's Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {$_.NotAfter -lt (Get-Date).AddDays(14)} works wonders.
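A fuller version of that monitoring check, added here as an example and not part of the original article: it limits the report to certificates carrying the Smart Card Logon EKU, flags expired and soon-to-expire ones, and pulls the UPN out of the Subject Alternative Name so it can be compared with the account's AD UPN (the mismatch case above). The 14-day threshold and the text parsing of the SAN extension are assumptions.

```powershell
# Added example, not from the original article. Reports smart card logon
# certificates in the current user's store with days until expiry and the UPN
# from the SAN extension. Assumes a Windows host (SAN parsing relies on the
# "Principal Name=" text that Windows produces when formatting the extension).

$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU
$SanOid            = '2.5.29.17'                # Subject Alternative Name

function Get-SmartCardLogonCertStatus {
    param([int]$WarnDays = 14)   # assumed threshold, matches the tip above
    $now = Get-Date
    Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        # Keep only certificates whose EKU list includes Smart Card Logon
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $oids = @()
        if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        if ($oids -notcontains $SmartCardLogonOid) { return }

        # Pull the UPN ("Other Name: Principal Name=user@domain") from the SAN
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
        $upn = $null
        if ($san -and ($san.Format($false) -match 'Principal Name=([^,\s]+)')) {
            $upn = $Matches[1]
        }

        $daysLeft = [int]($cert.NotAfter - $now).TotalDays
        $state = if ($daysLeft -lt 0) { 'EXPIRED' }          # the cause of 0x80090355
                 elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
                 else { 'OK' }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            State      = $state
            Upn        = $upn
        }
    }
}

# Print the report; compare the Upn column with the output of "whoami /upn"
Get-SmartCardLogonCertStatus -WarnDays 14 |
    Sort-Object DaysLeft |
    Format-Table Subject, DaysLeft, State, Upn -AutoSize
```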
That's it—no fluff. Update the cert, reinsert the card, and you're back in. If you're still stuck after these steps, it's almost certainly a CA or GPO issue that needs admin intervention. But for most of you, that command or certlm.msc walkthrough will get you logged in within 5 minutes.