Smart card certificate revoked (0x80090351) fix
This error pops up when Windows can't verify your smart card's certificate because it's been revoked. Here's the simple fix.
You're sitting at your desk, tap your smart card to log into the company VPN or a government portal, and bam — Windows throws up SEC_E_SMARTCARD_CERT_REVOKED (0X80090351). The screen says something like "The smart card certificate used for authentication has been revoked." It's frustrating because the card worked yesterday. This often happens after a certificate authority (CA) pushes an updated Certificate Revocation List (CRL) to your machine, or after your IT department deactivated a cert that's still physically on your card. Sometimes it's a glitch where Windows can't reach the CRL distribution point and assumes the worst.
What's actually going on?
At the root, Windows is doing its job — checking that the certificate on your smart card hasn't been blacklisted. Every certificate has a serial number. When a CA revokes one, it adds that serial number to a CRL. Your computer has to download that CRL periodically to verify certs are still valid. If the CRL says the cert is revoked, or if Windows can't download the CRL and defaults to "revoked for safety," you get this error.
Here's the kicker: sometimes the cert isn't actually revoked. The problem is that Windows can't reach the CRL server — maybe your company's firewall blocks it, or the URL embedded in the cert is dead. Other times, the cert really is revoked (someone lost a card, or IT bulk-revoked a batch). We're going to figure out which case you're dealing with.
Fix: Four steps to get you back in
- Check if the cert is really revoked
Open the Certificate Manager (press Win + R, type certmgr.msc, hit Enter). Expand Personal > Certificates. Find your smart card cert; it usually has your name or organization. Double-click it, go to the Details tab, and scroll to Certificate Revocation List. If you see a date listed there, it's officially revoked. If not, Windows is just failing to reach the CRL.
Expected result: You'll see either a revocation date or a blank field. Write down the cert's serial number (top of the Details tab) for step 2.
- Force a fresh CRL download
Open an admin Command Prompt: right-click Start, select Windows Terminal (Admin) or Command Prompt (Admin). Run this command:
certutil -urlcache * delete
This clears all cached CRLs and URLs. Then run:
gpupdate /force
That forces a Group Policy refresh, which also triggers a new CRL download from your domain controllers. Wait 30 seconds, then try your smart card again.
Expected result: The command completes without errors. After logging out and back in, the error might be gone.
- Manually verify with a CRL check
Still failing? Let's get specific. Open the cert again (from step 1), go to Details, and find CRL Distribution Points. You'll see one or more URLs like http://ca.company.com/crl/certificate.crl. Copy that URL and paste it into a browser. If you get a 403 or timeout, your machine can't reach the CRL server. Talk to your IT team; the URL might need whitelisting in your firewall or proxy. If you can download the .crl file, double-click it. In the CRL window, click View and check if your cert's serial number is listed. If it is, the card is dead and you need to request a new one.
- As a last resort: Clear the smart card PIN cache and reinsert
Sometimes Windows holds onto a bad session. Remove your smart card, wait 10 seconds, then reinsert it. Open Services (type services.msc in Run) and restart the Smart Card Service. Right-click it, select Restart. Then in Certificate Manager, right-click the cert and choose All Tasks > Delete (don't worry, it'll reappear when you reinsert the card). Remove and reinsert the card again. Test.
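The "really revoked or just unreachable?" question from steps 1 and 3 can also be answered from PowerShell. The script below is an added example, not part of the original article; the function names are made up for it. It assumes the card is inserted so its cert shows up in the Personal store, and that the formatted CRL Distribution Points text labels each address with "URL=".

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Build the chain with revocation checking on and classify the outcome.
function Get-RevocationVerdict {
    param([X509Certificate2]$Cert)
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online          # allow CRL/OCSP retrieval over the network
    $chain.ChainPolicy.RevocationFlag = [X509RevocationFlag]::EndCertificateOnly  # check only the card's own cert
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    [void]$chain.Build($Cert)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status })
    # Revoked: the CA's revocation data lists this cert.
    if ($flags -contains [X509ChainStatusFlags]::Revoked) { return 'Revoked' }
    # Unknown/offline: revocation data could not be obtained, so the cert may be fine.
    if ($flags -contains [X509ChainStatusFlags]::RevocationStatusUnknown -or
        $flags -contains [X509ChainStatusFlags]::OfflineRevocation) { return 'CrlUnreachable' }
    return 'NotRevoked'
}

# Pull http(s) URLs out of the CRL Distribution Points extension (OID 2.5.29.31).
# Assumption: the human-readable form prefixes each address with "URL=".
function Get-CrlUrl {
    param([X509Certificate2]$Cert)
    $cdp = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { return @() }
    [regex]::Matches($cdp.Format($true), 'URL=(https?://[^\s)]+)') |
        ForEach-Object { $_.Groups[1].Value }
}

# Try to download the CRL, the same test as pasting the URL into a browser.
function Test-CrlUrl {
    param([string]$Url)
    try {
        Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15 | Out-Null
        'reachable'
    } catch {
        "unreachable ($($_.Exception.Message))"
    }
}

# Report every cert in the current user's Personal store.
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_
    [pscustomobject]@{
        Subject = $cert.Subject
        Serial  = $cert.SerialNumber
        Verdict = Get-RevocationVerdict $cert
        CrlUrls = (Get-CrlUrl $cert | ForEach-Object { "$_ -> $(Test-CrlUrl $_)" }) -join '; '
    }
} | Format-List
```

A Verdict of Revoked means the card needs replacing; CrlUnreachable together with an unreachable URL points at the firewall or proxy issue from step 3.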
If nothing works: Your IT department needs to issue a new smart card and certificate. The old one's cert is truly revoked. As a temporary workaround, ask if there's an alternate authentication method like a one-time password or a different certificate profile. Some organizations also allow you to use a virtual smart card if your machine has a TPM 2.0 chip — ask about that. It's not perfect, but it'll keep you working while a new physical card ships.