CAC / PIV Card Support

This support page is for CAC / PIV Card users experiencing login / authentication issues.

For questions or issues regarding CACs / PIV Cards, follow the Certificate Troubleshooting instructions for the best support.

Contact our Help Desk for all other issues.

PIEE Supported Digital Certificate Types

PIEE two-factor login requirements. DoD users must use the Authentication Certificate if present on the CAC. Key usage of 'Digital Signature' and Enhanced Key Usage of 'Client Authentication' must be present on the Authentication Certificate. If the Authentication Certificate is not present on the CAC, then the ID certificate must be used. Key usage of 'Digital Signature' must be present on the ID Certificate.


PIEE digital signature requirements. DoD users must use a certificate on the CAC with key usage of 'Digital Signature' and 'Non-Repudiation'. The certificate common name must match the certificate common name used for login.


Certificate Type, with its Intended Purpose and PIEE Support

DoD PKI ID Key
  • Intended Purpose:
    • Digital Signature for entity authentication and data origin authentication with integrity
  • PIEE Support:
    • Logon
    • Registration
    • Token Authentication
    • Screened to preclude certificates not asserting hardware policy (note 2)
    • DoD PKI Authentication Key must be used if present.
    • DoD PKI ID Key is being deprecated per DoD Memorandum "Modernizing the Common Access Card - Streamlining Identity and Improving Operational Interoperability"
DoD PKI Authentication Key
  • Intended Purpose:
    • Logical Access to Web Sites (Client Authentication)
    • Logical Access (Smartcard Login) to local networks
    • Digital Signature for entity authentication and data origin authentication with integrity
  • PIEE Support:
    • Logon
    • Registration
    • Token Authentication
    • Screened to preclude certificates not asserting hardware policy (note 2)
DoD PKI Signature Key
  • Intended Purpose:
    • Digital Signature for entity authentication and data origin authentication with integrity
    • Non-Repudiation to protect against the signing entity falsely denying some action, excluding certificate or CRL signing.
  • PIEE Support:
    • Document Signing
DoD PKI Encryption Key
  • Intended Purpose:
    • Key Encipherment (Email encryption)
  • PIEE Support:
    • Not Supported
    • Screened to preclude use of certificates issued by email CAs
DoD PKI PIV Authentication Certificate
  • Intended Purpose:
    • Logical Access to Web Sites (Client Authentication)
    • Logical access (Smartcard Login) to non-DoD Federal Systems
  • PIEE Support:
    • Not Supported
    • Screened to preclude use of certificates not intended for non-repudiation purposes
    • User must use the CAC issued for the PIEE authorized role and organization affiliation (note 1)
DoD PKI ECA Identity Certificate
  • Intended Purpose:
    • Logical Access to Web Sites (Authentication)
    • Digital Signature for Non-repudiation
  • PIEE Support:
    • Limited to DoD-managed ECA PKIs
    • Screened to preclude certificates not asserting hardware policy (note 2)
Category I: U.S. Federal Agency PKI PIV
  • Intended Purpose:
    • Logical Access to Web Sites (Authentication)
    • Digital Signature for Non-repudiation
  • PIEE Support:
    • Limited to DoD approved external PKIs
    • Screened to preclude certificates not asserting hardware policy (note 2)
Category II: U.S. Federal Agency PKI PIV
  • Intended Purpose:
    • Logical Access to Web Sites (Authentication)
    • Digital Signature for Non-repudiation
  • PIEE Support:
    • Limited to DoD approved external PKIs
    • Screened to preclude certificates not asserting hardware policy (note 2)

1 An example of a dual persona person is one who has a CAC issued as a contractor and a CAC issued as a member of the Army Reserves. This individual has two CACs, but until the PIV Auth Cert is activated on their CAC cards, they only have one digital identity. The PIV Auth Cert has a field that is unique for each persona. This is a 16 digit numeric field that starts with a 10 digit Electronic Data Interchange Person Identifier (EDIPI) and adds to it a 6 digit Federal Agency Smart Credential Number Role specific attribute.

2 Given the sensitivity of information processed by PIEE, DoD Instruction 8520.03 required Credential Strength is “D”. This Credential Strength is equivalent to the OMB / NIST defined Identity Assurance Level 4.

Certificate Troubleshooting

Common Solutions that often resolve most certificate login issues.

There are multiple reasons a certificate logon into PIEE may fail, and these failures may produce multiple different error messages and symptoms. Most certificate logon errors can be resolved by clearing the browser cache and cookies, starting a fresh browser session and ensuring a valid authentication certificate is selected. Often it can take more than one attempt if the first was unsuccessful, and a full PC reboot is frequently needed. Attempt these common solutions before attempting additional possible solutions below.

Common Solutions:

  • Verify one of the following compatible browsers is in use
    • Microsoft Edge
    • Chrome version
    • Firefox version
    • Safari version
    • Opera version
    • Note: mobile versions may not be fully compatible
  • Restart PC, and start a new browser session
  • Clear Browser Cache

    Clearing the browser Temporary Internet File Cache can resolve many common browser and performance issues. Some users may not have access to delete their own temporary internet files; in that case refer the user to a system administrator.

    Pressing CTRL+F5 can bypass the need to manually clear the browser cache for a single page by forcing the browser to re-download the temporary internet files and cookies for that page.

    Starting a new browser session can also refresh the browser cache, depending on the browser and user settings.

    To manually clear the cache - this may apply to all browsers.

    From the Control Panel click on Internet Options -or- From the Start menu search for "Internet Options"

    • On the General Tab
      • Under Browsing History click Delete
      • Uncheck "Preserve Favorites Website Data" [if available]
      • Check "Temporary Internet Files" [if unchecked]
      • Check "Cookies" [if unchecked]
      • Click Delete

    To clear additional cache files from chrome - this is in addition to clearing through internet options, not in place of it.

    Google Chrome:

    1. Click the three dots in the upper right corner below the red exit x
    2. Click "Settings"
    3. Under the Privacy heading, scroll down to "Clear browsing data"
    4. A window pops up with two sections: "Basic" or "Advanced"
      1. Use Advanced
      2. Select - All Time for the timeframe
      3. Check:
        1. Cookies and other site data
        2. Cached images and files
        3. Autofill form data
        4. Site Settings
        5. Hosted app data
    5. Once you've selected the items to clear, click "Clear data" and restart the browser

    To clear additional cache files for Edge - this is in addition to clearing through internet options, not in place of it.

    Microsoft Edge:

    1. To clear the Cache/Temporary Files & SSL State on Microsoft Edge: Click on the 3 dots in the top right corner (Alt+F)
    2. Click "Settings"
    3. Click Privacy, search, and services
    4. Scroll half way down to the Clear Browsing Data section
    5. Click Choose what to clear
    6. Make sure Time Range says All Time
    7. Make sure the following are selected:
      1. Cookies and other site data
      2. Cached images and files
      3. Site Permissions
      4. Auto-fill form data
      5. All data from the previous version of Microsoft Edge
      6. Media Foundation Data
    8. Click Clear Data

    To clear cache files for Firefox.

    Firefox:

    1. Click the three dots in the upper right corner below the red exit X
    2. Click "Options"
    3. Click "Privacy & Security" from the left menu
    4. Go down to the heading "Cookies and Site Data"
    5. Click "Clear Data"
    6. A window pops up with "Cookies and Site Data" and "Cached Web Content"
    7. Click "Clear" and "Clear Now" in the next window prompt

    If you have a stubborn error, try fully clearing the browser cache (through the Internet Options steps and the steps for your specific browser), start a new browser session, force a refresh (CTRL+F5), or reboot before moving on to additional troubleshooting.

  • Adjust Internet Options settings

    Adjusting the Windows Internet Options browser settings can solve many common problems. Depending on local security policy, not all of the following settings will be available to all users.

    From the Control Panel click on Internet Options -or- From the Start menu search for "Internet Options"

    • On the General Tab
      1. Clear the Browser Cache:
        1. Under Browsing History click Delete
        2. Uncheck Preserve Favorites Website Data [if available]
        3. Check Temporary Internet Files [if unchecked]
        4. Check Cookies [if unchecked]
        5. Click Delete
      2. Click Settings under Browsing History:
        1. Under Check for newer versions of stored pages
        2. Select Every time I visit the webpage
        3. Click OK
      3. Click Settings under Tabs:
        1. Under When a Pop-up is encountered
        2. Select Let Internet Explorer decide …
        3. Click OK
      4. Click Security Tab, and Select Trusted Sites:
        1. Click Sites:
          1. If unlisted Add:
            1. - https://piee.eb.mil
            2. - https://cac.piee.eb.mil
            3. - https://*.eb.mil
          2. Click Close
        2. Security level for Trusted sites should be Medium or lower
          1. If checked, uncheck Enable Protected Mode
      5. Click Privacy Tab:
        1. If Pop-up Blocker is enabled [if disabled/unchecked continue to Content]
          1. Click Settings, and Add the following sites if they are not listed
            1. - https://piee.eb.mil
            2. - https://cac.piee.eb.mil
            3. - https://*.eb.mil
      6. Click the Content Tab:
        1. Under Certificates
          1. Click Clear SSL State
          2. Click OK on the confirmation that the cache was cleared
      7. Click on the Advanced Tab:
        1. Under Browsing
          1. Check [if unchecked] Show Friendly HTTP error messages
        2. Under Security
          1. Uncheck Use SSL 2.0
          2. Uncheck Use SSL 3.0
          3. Check Use TLS 1.0
          4. Check Use TLS 1.1
          5. Check Use TLS 1.2
      8. Click OK to apply changes, restart all open browsers


Additional Error details and possible solutions

When attempting to register, login, or authenticate a token with a CAC users may receive the following error:

Unauthorized 403 Error

Note: For Registration, Login, and Token Authentication, only the X509 Authentication Certificates from your Personal Certificate Store that have Key Usage of Digital Signature and Enhanced Key Usage of Client Authentication should be used if present. If the Authentication Certificate is not present on the CAC, then the ID certificate must be used. Key usage of 'Digital Signature' must be present on the ID Certificate.

This Error can be commonly caused by:

  • Using an incompatible browser.
  • Bad Browser Cache files.
  • The Wrong certificate was selected.
  • URL not in trusted sites list.
  • The issue could also be at the Network level with a permissions issue.

It is recommended users engage with local IT support to assist them with the troubleshooting steps below as some users may not have adequate permission to perform the steps needed.

Additional Possible Solutions if the Common Solutions above did not resolve the error:

  • Restart the browser and ensure a valid, current, authentication certificate is selected.
  • Force a refresh of the page - on the error page press CTRL+F5. This can bypass the need to manually clear the browser cache for a single page by forcing the browser to re-download the temporary internet files and cookies for that page.
  • If a VPN connection is in use attempt a login while the VPN is disconnected.
  • If the errors persist it is recommended to engage with local IT support / local system administrators to assist with the troubleshooting steps above, as you may not have adequate permission to perform the steps needed. There may also be underlying network connection errors interrupting the connection.

How to identify the Authentication certificate when logging in with Chrome:

  • Select a non-email certificate and click Certificate Information
  • Go to Details and scroll down to Enhanced Key Usage, look for Smart Card Logon and Client Authentication
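
The same check can be scripted instead of opening each certificate by hand. The PowerShell below is an added example, not PIEE code: it reads the Personal store and applies only the Key Usage / Enhanced Key Usage rules stated on this page (login, ID fallback, and signing with a matching common name), not PIEE's issuer or hardware-policy screening. The function name, the column names, and the use of the Secure Email EKU to recognise the "Email" certificates are assumptions.

```powershell
# Added example, not PIEE code. Function and column names are hypothetical.
function Get-PieeCertificateReport {
    [CmdletBinding()]
    param(
        # Defaults to the store shown on the "Personal" tab of the Certificates dialog.
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]
        $Certificate = @(Get-ChildItem -Path Cert:\CurrentUser\My)
    )
    $ku            = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    $simple        = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication
    $emailOid      = '1.3.6.1.5.5.7.3.4'   # Secure Email (assumption: marks the "Email" certificates)
    $now           = Get-Date

    # Pass 1: read Key Usage and Enhanced Key Usage from every certificate.
    $rows = @(foreach ($cert in $Certificate) {
        $kuExt  = $cert.Extensions['2.5.29.15']   # Key Usage
        $ekuExt = $cert.Extensions['2.5.29.37']   # Enhanced Key Usage
        $usage  = if ($kuExt) { [int]$kuExt.KeyUsages } else { 0 }
        $ekus   = if ($ekuExt) { @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
        [pscustomobject]@{
            CommonName       = $cert.GetNameInfo($simple, $false)
            IssuedBy         = $cert.GetNameInfo($simple, $true)
            NotExpired       = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
            DigitalSignature = ($usage -band [int]$ku::DigitalSignature) -ne 0
            NonRepudiation   = ($usage -band [int]$ku::NonRepudiation) -ne 0
            ClientAuth       = $ekus -contains $clientAuthOid
            Email            = $ekus -contains $emailOid
            LoginRole        = 'No'
            SigningEligible  = $false
        }
    })

    # Pass 2: the Authentication Certificate must be used if present; only
    # when none exists does an ID certificate with Digital Signature qualify.
    $authPresent = @($rows | Where-Object {
        $_.DigitalSignature -and $_.ClientAuth -and -not $_.Email
    }).Count -gt 0
    foreach ($row in $rows) {
        if ($row.Email -or -not $row.DigitalSignature) { continue }
        if ($row.ClientAuth)       { $row.LoginRole = 'Authentication' }
        elseif (-not $authPresent) { $row.LoginRole = 'ID (fallback)' }
    }

    # Signing needs Digital Signature + Non-Repudiation, and the common name
    # must match the common name of the certificate used for login.
    $loginNames = @($rows | Where-Object { $_.LoginRole -ne 'No' } |
        ForEach-Object { $_.CommonName })
    foreach ($row in $rows) {
        $row.SigningEligible = $row.DigitalSignature -and $row.NonRepudiation -and
            ($loginNames -contains $row.CommonName)
    }
    $rows
}

Get-PieeCertificateReport | Format-Table -AutoSize
```

A row with LoginRole "Authentication" and NotExpired "True" is the certificate to pick at the browser prompt.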

When a user accesses PIEE they may receive a prompt that the security certificate presented is invalid, untrusted, not yet valid, or expired.

The exact message will depend on the browser used.


Possible Causes:

  • The DoD certificate authorities have not been installed
  • The PC date and time is incorrect

Additional Possible Solutions if the Common Solutions above did not resolve the error:

  • Complete the Machine Setup under New User
  • Correct the system date and time

When attempting to register, login, or authenticate a token with a CAC users may receive the following error:


Possible Causes:

  • The certificate is unreadable or DLA OCSP/valicert is unavailable
  • The certificate used is invalid
  • The certification path on the certificate contains invalid entries
  • The certificate used is not on the trusted issuer list

Additional Possible Solutions if the Common Solutions above did not resolve the error:

  • Check Certificates in Internet Options
    • From an open Internet Explorer window click Tools and select Internet Options or from the Control Panel click on Internet Options
    • Click the Content Tab
      • Under Certificates
        • Click Clear SSL State
        • Click OK on the confirmation that the cache was cleared
      • Click Certificates
      • Under the Personal Tab
        • Identify the listed certificates
          • Typical CAC users will have three listed certificates
          • Under Issued To should be the user's name followed by the dodID number
          • Under Issued By you should typically see one or two Email certificates, and one NON-Email certificate.
          • The NON-Email [ALL] Certificate is the one used by PIEE
          • If invalid certificates are listed, follow the Republish Certificate steps
          • Select the NON-Email Certificate
          • Click View
            • Under the General Tab
              • Check the Valid from dates to ensure the certificate is not expired
            • Under the Certification Path
              • Check the certification path is valid
                • The Certification Path is typically three levels deep
                • The path should look like this:
                  • DoD Root CA 3
                  • DOD CA -XX [where XX = the CA issuing number]
                  • Lastname.first.I.xxxxxxxxxxxxxxxxx ....
            • If the Certification Path is invalid:
            • If the certification path is correct
            • Verify the certificate is a valid X509 Certificate for Digital Signing and Non-Repudiation. Non-repudiation is only required for signing documents in the PIEE.
              • Click the Details tab and scroll to Key Usage
                • Verify that both Digital Signature and Non-Repudiation are displayed
                • If the certificate is missing Non-Repudiation the certificate will need to be re-issued.
            • Click OK on the Certificate dialog.
      • Click Close on the Certificates dialog
    • Click OK on the Internet Options dialog
  • Correct Certification Path

    Correcting the certification path can resolve errors with certificates not being found, readable, or verifiable.

    This may require local administrative rights

    • From an open Internet Explorer window click Tools and select Internet Options or from the Control Panel click on Internet Options
    • Click the Content Tab
      • Click Certificates
      • Under the Personal Tab, select the NON-Email Certificate
      • Click View
        • Under the Certification Path
          • Check the certification path is valid
            • The Certification Path is typically three levels deep
            • The path should look like this:
              • DoD Root CA 3
              • DOD CA -XX [where XX = the CA issuing number]
              • Lastname.first.I.xxxxxxxxxxxxxxxxx ....
          • If the Certification Path is invalid:
            • Make note of each certificate listed above DoD Root CA-3
              • E.G. DoD Interoperability
            • Click OK on the Certificate window
        • On the Certificates window
          • Click on the Intermediate Certification Authorities Tab
            • Remove all the certificates that were listed above DoD Root CA-3
              • E.G. DoD Interoperability
          • Click on the Trusted Root Certification Authorities Tab
            • Remove all the certificates that were listed above DoD Root CA-3
              • E.G. DoD Interoperability
          • Click Close on the Certificates dialog
          • Click OK on Internet Options
  • Republish Certificate in ActivClient

    Removing and republishing user certificates can correct issues with certificates not being available, readable, or verifiable.

    Before proceeding notify the user that some of the following steps may require a local system administrator. These steps cannot be completed without ActivClient and access to the ActivClient User Console. If that is not available do not proceed.

    • From the Control Panel click on Internet Options
    • Click the Content Tab
      • Under Certificates
        • Click Clear SSL State
        • Click OK on the confirmation that the cache was cleared
      • Click Certificates
      • Under the Personal Tab
      • Remove all listed certificates [NOTE: Email certificates can be left]
      • Once all certificates are removed click Close and OK on Internet Options
    • Open ActivClient User Console
      • Start > All Programs > ActivIdentity > ActivClient
        • Select User Console
        • Click Tools
        • Select Advanced
          • Click "Forget state for all cards" – or – Reset Optimization Cache (this removes and republishes in one step)
            • After confirmation, return to the Tools > Advanced menu
          • Click "Make Certificates Available to Windows"
        • Click Reset Optimization Cache
        • Reboot the computer
          • The CAC certificates should now be republished and available to use.

    NOTE: The options to forget state and make certificates available are not in ActivClient version 8; use Reset Optimization Cache instead (this removes and republishes in one step).

When attempting to register, login, or authenticate a token with a CAC users may receive the following error:


Possible Causes:

  • Closing your browser window without logging out of PIEE
  • PIEE open on another tab.
  • Browser unexpectedly crashed and auto-recovered.

Additional Possible Solutions if the Common Solutions above did not resolve the error:

  • Clear Browser Cache (follow the Clear Browser Cache steps under Common Solutions above)

  • Adjust IE Settings

    Adjusting the Internet Explorer Browser settings can solve many common problems. Not all of the following settings will be available to all users depending on local security policy.

    • From an open Internet Explorer window click Tools and select Internet Options or from the Control Panel click on Internet Options
    • On the General Tab
      • Clear the Browser Cache
        • Under Browsing History click Delete
        • Uncheck "Preserve Favorites Website Data" [if available]
        • Check "Temporary Internet Files" [if unchecked]
        • Check "Cookies" [if unchecked]
        • Click Delete
      • Click Settings under Browsing History
        • Under Check for newer versions of stored pages
        • Select "Every time I visit the webpage"
        • Click OK
      • Click Settings under Tabs
        • Under When a Pop-up is encountered
        • Select "Let Internet Explorer decide …"
        • Click OK
    • Click Security Tab
      • Select Trusted Sites
      • Click Sites
      • If unlisted Add:
        • https://*.eb.mil
        • https://*.disa.mil
      • Click Close
      • Security level for Trusted sites should be Medium or lower
      • If checked, uncheck Enable Protected Mode
    • Click Privacy Tab
      • If Pop-up Blocker is enabled [if disabled/unchecked continue to Content]
      • Click Settings
      • Add the following sites if they are not listed
        • https://*.eb.mil
        • https://*.disa.mil
    • Click the Content Tab
      • Under Certificates
        • Click Clear SSL State
        • Click OK on the confirmation that the cache was cleared
    • Click on the Advanced Tab
      • Under Browsing
        • Check [if unchecked] "Show Friendly HTTP error messages"
      • Under Security
        • Uncheck "Use SSL2.0"
        • Check "Use SSL 3.0"
        • Check "Use TLS 1.0"
        • Uncheck "Use TLS 1.1"
        • Uncheck "Use TLS 1.2"
    • Additional Steps:
      • [If the user is a CAC user: Check Certificates in Internet Options ]
      • Check IE Compatibility View
    • If problems persist
      • From the Advanced tab under Reset Internet Explorer settings
        • Click Reset
        • NOTE: This will reset any custom settings the user may require. This should only be done if the end user understands this and the browser is otherwise unusable.

When attempting to login or register with a CAC users may receive errors related to the OCSP.

Most OCSP errors during CAC login are caused by network outages, OCSP server misconfiguration or downtime, and/or Certificate Revocation Lists that have not been updated.

The Certificate Revocation Lists (CRL) are cached for the PIEE server certificate and applet code signing certificate as this is handled on the Operating System / Browser level.

Things to Verify

  • Has the certificate login ever worked with this certificate?
  • Are other users receiving the same error?
  • Is OCSP available? – check for system messages.

Additional Possible Solutions if the Common Solutions above did not resolve the error:

If CAC login has worked in the past, others are not receiving the same error, and there are no system messages indicating a known OCSP outage:

  • Republish Certificate in ActivClient (follow the Republish Certificate steps given earlier on this page)

  • Delete OCSP and/or CRL cache from your Windows system

    To delete OCSP and/or CRL cache from your Windows system:

    • Go to Start Menu > Run
    • Type cmd and press Enter
    • In the command prompt, type the following command and press Enter to execute:
    • certutil -urlcache * delete
    • Reboot your computer
  • Obtain a copy of the certificate for testing or validation for the help desk
    • From Internet Options go to the Content tab, and click Certificates.
      • Select the certificate you wish to export and click Export.
      • Click Next,
      • Select No, do not export the private key
      • Click Next,
      • Select Base-64
      • Click Next,
      • Click Browse to choose a location to save the file, enter a filename, click Save
      • Click Finish
    • Change the file extension from .CER to .TXT to email the file.
      • Navigate to the folder where the certificate was saved
      • If the file extension is not visible click View at the top of the file explorer
      • Check the box next to File Name Extensions
      • Right click on the certificate, change the extension from .CER to .TXT
    • The certificate file can now safely be emailed to the help desk.
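
Before sending the file, local IT support can check the certification path and revocation lookup for the same certificate from PowerShell. This is an added example, not PIEE or help desk tooling: it builds the chain with Windows' own validator, prints the path root-first as the Certification Path tab shows it, lists anything sitting above DoD Root CA 3, and maps chain status flags to the causes named on this page. The function name, output fields, hint wording, and 15 second timeout are assumptions.

```powershell
# Added example, not PIEE code. Function name and output shape are hypothetical.
function Test-CacCertificationPath {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        # 'Online' makes Windows fetch OCSP/CRL data; 'NoCheck' tests the path only.
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$RevocationMode = 'Online'
    )
    begin {
        $simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        # Chain status flag -> cause listed on this page (wording is an assumption).
        $hints = @{
            NotTimeValid            = 'Certificate expired or PC date/time incorrect'
            UntrustedRoot           = 'DoD certificate authorities not installed'
            PartialChain            = 'DoD certificate authorities not installed'
            RevocationStatusUnknown = 'OCSP/CRL unavailable or cached revocation data stale'
            OfflineRevocation       = 'OCSP/CRL unavailable or cached revocation data stale'
            Revoked                 = 'Certificate is revoked'
        }
    }
    process {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        try {
            $chain.ChainPolicy.RevocationMode = $RevocationMode
            $chain.ChainPolicy.RevocationFlag =
                [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
            $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15
            $trusted = $chain.Build($Certificate)

            # ChainElements is leaf-first; reverse it to match the dialog (root at top).
            $names = @($chain.ChainElements |
                ForEach-Object { $_.Certificate.GetNameInfo($simple, $false) })
            [array]::Reverse($names)

            # Anything listed above DoD Root CA 3 (e.g. DoD Interoperability) is what
            # the "Correct Certification Path" steps say to note and remove.
            $rootIndex = [array]::IndexOf($names, 'DoD Root CA 3')
            $above = if ($rootIndex -gt 0) { $names[0..($rootIndex - 1)] } else { @() }

            $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
            [pscustomobject]@{
                Subject      = $Certificate.GetNameInfo($simple, $false)
                ChainValid   = $trusted
                Depth        = $names.Count          # the page expects three levels
                Path         = $names -join ' > '
                AboveDoDRoot = $above -join ', '
                ChainStatus  = $status -join ', '
                LikelyCause  = ($status | ForEach-Object { $hints[$_] } |
                                Where-Object { $_ } | Select-Object -Unique) -join '; '
            }
        }
        finally { $chain.Reset() }   # release the native chain handle
    }
}

# Check every certificate on the Personal tab. To check an exported file instead:
#   New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\full\path\to\export.cer' | Test-CacCertificationPath
Get-ChildItem -Path Cert:\CurrentUser\My | Test-CacCertificationPath | Format-List
```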

When attempting to register, login, or authenticate a token with a CAC users may receive the following error:


Possible Causes:

  • An expired certificate was selected
  • Local certificate store is corrupt
  • Certificate issuer Certificate Revocation List has expired in OCSP

Additional Possible Solutions if the Common Solutions above did not resolve the error:

  • If the error is recent, clear the cache and try again after an hour. If more than 2 hours have passed, continue troubleshooting.
  • Clear Browser Cache (follow the Clear Browser Cache steps under Common Solutions above)

  • Check Certificates in Internet Options
    • From an open Internet Explorer window click Tools and select Internet Options or from the Control Panel click on Internet Options
    • Click the Content Tab
      • Under Certificates
        • Click Clear SSL State
        • Click OK on the confirmation that the cache was cleared
      • Click Certificates
      • Under the Personal Tab
        • Identify the listed certificates
          • Typical CAC users will have three listed certificates
          • Under Issued To should be the user's name followed by the dodID number
          • Under Issued by you should typically see one or two Email certificates, and one NON-Email certificate.
          • The NON-Email [ALL] Certificate is the one used by PIEE
          • If invalid certificates are listed, see the Republish Certificate(s) steps
          • Select the NON-Email Certificate
          • Click View
            • Under the General Tab
              • Check the Valid from dates to ensure the certificate is not expired
            • Under the Certification Path
              • Check the certification path is valid
                • The Certification Path is typically three levels deep
                • The path should look like this:
                  • DoD Root CA 3
                  • DOD CA -XX [where XX = the CA issuing number]
                  • Lastname.first.I.xxxxxxxxxxxxxxxxx ....
            • If the Certification Path is invalid:
            • If the certification path is correct
            • Verify the certificate is a valid X509 Certificate for Digital Signing and Non-Repudiation. Non-repudiation is only required for signing documents in the PIEE.
              • Click the Details tab and scroll to Key Usage
                • Verify that both Digital Signature and Non-Repudiation are displayed
                • If the certificate is missing Non-Repudiation the certificate will need to be re-issued.
            • Click OK on the Certificate dialog.
      • Click Close on the Certificates dialog
    • Click OK on the Internet Options dialog
  • Correct Certification Path

    Correcting the certification path can resolve errors with certificates not being found, readable, or verifiable.

    This may require local administrative rights

    • From an open Internet Explorer window click Tools and select Internet Options or from the Control Panel click on Internet Options
    • Click the Content Tab
      • Click Certificates
      • Under the Personal Tab, select the NON-Email Certificate
      • Click View
        • Under the Certification Path
          • Check the certification path is valid
            • The Certification Path is typically three levels deep
            • The path should look like this:
              • DoD Root CA 3
              • DOD CA -XX [where XX = the CA issuing number]
              • Lastname.first.I.xxxxxxxxxxxxxxxxx ....
          • If the Certification Path is invalid:
            • Make note of each certificate listed above DoD Root CA-3
              • E.G. DoD Interoperability
            • Click OK on the Certificate window
        • On the Certificates window
          • Click on the Intermediate Certification Authorities Tab
            • Remove all the certificates that were listed above DoD Root CA-3
              • E.G. DoD Interoperability
          • Click on the Trusted Root Certification Authorities Tab
            • Remove all the certificates that were listed above DoD Root CA-3
              • E.G. DoD Interoperability
          • Click Close on the Certificates dialog
          • Click OK on Internet Options
  • Republish Certificate in ActivClient

    Removing and republishing user certificates can correct issues with certificates not being available, readable, or verifiable.

    Before proceeding notify the user that some of the following steps may require a local system administrator. These steps cannot be completed without ActivClient and access to the ActivClient User Console. If that is not available do not proceed.

    • From the Control Panel click on Internet Options
    • Click the Content Tab
      • Under Certificates
        • Click Clear SSL State
        • Click OK on the confirmation that the cache was cleared
      • Click Certificates
      • Under the Personal Tab
      • Remove all listed certificates [NOTE: Email certificates can be left]
      • Once all certificates are removed, click Close and then OK on Internet Options
    • Open ActivClient User Console
      • Start > All Programs > ActivIdentity > ActivClient
        • Select User Console
        • Click Tools
        • Select Advanced
          • Click "Forget state for all cards" – or – Reset Optimization Cache (this removes and republishes in one step)
            • After confirmation, return to the Tools > Advanced menu
          • Click "Make Certificates Available to Windows"
        • Click Reset Optimization Cache
        • Reboot the computer
          • The CAC certificates should now be republished and available to use.

    NOTE: The options to forget state and make certificates available are not in ActivClient version 8; use Reset Optimization Cache instead (this removes and republishes in one step).

  • Delete OCSP and/or CRL cache from your Windows system

    To delete OCSP and/or CRL cache from your Windows system:

    • Go to Start Menu > Run
    • Type cmd and press Enter
    • In the command prompt, type the following command and press Enter to execute:
    • certutil -urlcache * delete
    • Reboot your computer
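
The checks from "Check Certificates in Internet Options" and "Correct Certification Path" above can also be read from PowerShell in one pass. This is an added example, not part of the original support page; it assumes the CAC certificates are already published to the current user's Personal store, and the function name Test-CacCertificate is hypothetical.

```powershell
# Added example: read-only checks on the current user's Personal certificate store.
# Assumption: the CAC certificates are already published to Cert:\CurrentUser\My.
$KeyUsageFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Enhanced Key Usage: Client Authentication

function Test-CacCertificate {   # hypothetical helper name
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Key Usage / Enhanced Key Usage extensions (the Details tab in the GUI)
    $ku  = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $flags   = if ($ku)  { $ku.KeyUsages } else { $KeyUsageFlags::None }
    $ekuOids = if ($eku) { @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }

    # Build the certification path; revocation is skipped so only the path itself is judged
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($Cert)
    # ChainElements runs leaf to root; reverse it to match the top-down order shown in the GUI
    $path = @($chain.ChainElements | ForEach-Object { $_.Certificate.GetNameInfo('SimpleName', $false) })
    [array]::Reverse($path)
    $now = Get-Date

    [pscustomobject]@{
        IssuedTo         = $Cert.GetNameInfo('SimpleName', $false)
        IssuedBy         = $Cert.GetNameInfo('SimpleName', $true)
        NotExpired       = ($Cert.NotBefore -le $now) -and ($now -le $Cert.NotAfter)
        DigitalSignature = [bool]($flags -band $KeyUsageFlags::DigitalSignature)
        NonRepudiation   = [bool]($flags -band $KeyUsageFlags::NonRepudiation)
        ClientAuthEku    = $ekuOids -contains $clientAuthOid
        ChainBuilds      = $chainOk
        PathDepth        = $path.Count
        RootIsDoDRootCA3 = ($path.Count -gt 0) -and ($path[0] -eq 'DoD Root CA 3')
        Path             = $path -join ' > '
        ChainStatus      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { Test-CacCertificate $_ } | Format-List
```

A PathDepth greater than three, or RootIsDoDRootCA3 reporting False, corresponds to the invalid-path case that the "Correct Certification Path" steps address.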

When attempting to register, login, or authenticate a token with a CAC, users may receive the following error:


Things to verify:

  • This is an issue with the way the browser is accessing the Certificates
    • Call gscBsiGetChallenge() to retrieve a random challenge from the smart card.
    • The random challenge is retained by the smart card for use in the subsequent verification step of the External Authentication protocol.
    • The client application calculates a cryptogram by encrypting the random challenge using a symmetric External Authentication key.
    • The client application may need to examine the keyIDOrReference member of the appropriate ACR returned in GCacr or CRYPTOacr to determine which External Authentication key it should use to encrypt the random challenge
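
The External Authentication exchange described in the list above, simulated with both sides in one script. This is an added example, not code from the original page or from any card middleware; AES-128 stands in for the card's symmetric cipher, and $card, $clientKeys, $acr and the function names are hypothetical stand-ins.

```powershell
# Constructed simulation of the External Authentication exchange; no card or BSI library is called.
# Assumptions: AES-128 on one 16-byte block stands in for the card's symmetric cipher, and
# $card, $clientKeys, $acr and the function names are hypothetical stand-ins.
function New-Cryptogram([byte[]]$Key, [byte[]]$Challenge) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode = 'ECB'; $aes.Padding = 'None'; $aes.Key = $Key
        $out = $aes.CreateEncryptor().TransformFinalBlock($Challenge, 0, $Challenge.Length)
        return ,$out
    } finally { $aes.Dispose() }
}

# Card side: constructed keys indexed by key reference, plus the retained challenge
$card = @{ Keys = @{ 1 = [byte[]](1..16); 2 = [byte[]](17..32) }; Pending = $null }

function Get-CardChallenge {              # models what gscBsiGetChallenge() returns
    $c = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($c)
    $card.Pending = $c                    # the card retains the challenge for verification
    return ,$c
}

function Test-CardCryptogram([int]$KeyId, [byte[]]$Cryptogram) {
    $pending = $card.Pending
    $card.Pending = $null                 # assumption: a challenge is cleared after one attempt
    if ($null -eq $pending -or -not $card.Keys.ContainsKey($KeyId)) { return $false }
    $cardKey  = $card.Keys[$KeyId]
    $expected = New-Cryptogram $cardKey $pending
    if ($Cryptogram.Length -ne $expected.Length) { return $false }
    $diff = 0                             # compare every byte so timing does not depend on the mismatch position
    for ($i = 0; $i -lt $expected.Length; $i++) { $diff = $diff -bor ($expected[$i] -bxor $Cryptogram[$i]) }
    return ($diff -eq 0)
}

# Client side: the ACR names the key reference; the client encrypts the challenge with that key
$clientKeys = @{ 2 = [byte[]](17..32) }
$acr        = @{ keyIDOrReference = 2 }
$key        = $clientKeys[$acr.keyIDOrReference]
$cryptogram = New-Cryptogram $key (Get-CardChallenge)
$first      = Test-CardCryptogram $acr.keyIDOrReference $cryptogram
$replay     = Test-CardCryptogram $acr.keyIDOrReference $cryptogram   # no challenge pending any more
$wrongRef   = Test-CardCryptogram 1 (New-Cryptogram $key (Get-CardChallenge))
[pscustomobject]@{ CorrectKey = $first; ReplayedCryptogram = $replay; WrongKeyReference = $wrongRef }
```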

Additional Possible Solutions if the Common Solutions above did not resolve the error:

  • Republish Certificate in ActivClient

    Removing and republishing user certificates can correct issues with certificates not being available, readable, or verifiable.

    Before proceeding notify the user that some of the following steps may require a local system administrator. These steps cannot be completed without ActivClient and access to the ActivClient User Console. If that is not available do not proceed.

    • From the Control Panel click on Internet Options
    • Click the Content Tab
      • Under Certificates
        • Click Clear SSL State
        • Click OK on the confirmation that the cache was cleared
      • Click Certificates
      • Under the Personal Tab
      • Remove all listed certificates [NOTE: Email certificates can be left]
      • Once all certificates are removed, click Close and then OK on Internet Options
    • Open ActivClient User Console
      • Start > All Programs > ActivIdentity > ActivClient
        • Select User Console
        • Click Tools
        • Select Advanced
          • Click "Forget state for all cards" – or – Reset Optimization Cache (this removes and republishes in one step)
            • After confirmation, return to the Tools > Advanced menu
          • Click "Make Certificates Available to Windows"
        • Click Reset Optimization Cache
        • Reboot the computer
          • The CAC certificates should now be republished and available to use.

    NOTE: The options to forget state and make certificates available are not in ActivClient version 8; use Reset Optimization Cache instead (this removes and republishes in one step).

  • Local system administrators/support to reinstall/Update ActivClient.

An error that there are multiple accounts associated with a certificate:


Possible Causes:

  • There may be a duplicate account associated with the certificate.
  • The impacted user may have been issued a new certificate that is not completely identical to the certificate associated with the account.

Additional Possible Solutions if the Common Solutions above did not resolve the error:

  • Contact your GAM or the PIEE Service Desk
  • If there are not multiple accounts found
    • The affected user is likely receiving this error due to having recently received a new certificate. In this case the GAM will want to reset the certificate so the user can re-associate their current certificates with the account.
  • If there are multiple accounts found
    • The certificate will need to be reset/removed from one of the registered accounts, and that unused account archived by the Government Administrator or the PIEE Service Desk

Help Desk

If your issue is not resolved by following the steps in the solutions above, send a message to our Help Desk.

Send a Secure Message

866-618-5988

Email: disa.global.servicedesk.mbx.eb-ticket-requests@mail.mil
Fax: 801-605-7453

Help Desk Hours
Monday - Friday, 06:30 – 24:00 EST