Cardinal Key Troubleshooting User Guide

If you are having an issue with Cardinal Key,  we encourage you to read through the following recommendations before submitting a Help request.

Repeated certificate prompts for Firefox

Firefox has implemented a feature as of version 67 that may result in repeated certificate prompts. Try to work around the issue by navigating to Firefox and following these steps.

1. Locate and click on the hamburger in the top right corner of Firefox → Help → More Troubleshooting Information → Refresh Firefox.
   
   
2. After Firefox is finished refreshing, follow these steps to continue to configure firefox:
   1. In the URL field of Firefox, enter About:config and click the button to “Accept the Risk and Continue.”
      
   2. Search for “Security.ent” and set the value of “security.enterprise_roots.enabled” to True by clicking the two-way arrow on the right of the field.
      
   3.  Return to the search field and replace “ent” and with “def". Ensure that the field “security.default_personal_cert” is set to a value of “Select Automatically”(This is Case sensitive, make sure you capitalize the S and the A). If it is not, click the pencil on the right of the field to edit.
      

Once Firefox is refreshed and reconfigured, follow the steps below to clean out old data to improve the Cardinal Key experience.

1. In the URL field, navigate to “about:preferences” and select “Privacy and Security” on the left side. In this section, look for the “Cookies and Site Data” category and click the “Clear Data”.
   
2. Ensure that both boxes are checked and click “Clear".
   
3. Scroll down a few more sections to the “History” category and click Clear History…”.
   ​
4. Ensure all boxes are checked. Select “Everything” from the drop-down menu and click “OK”.
   
    
5. Scroll down to the “Certificates” section and click the “View Certificates..”.
   
    
6. From the top tabs in the Certificate Manager window, click the “Your Certificates” tab. Delete everything in this window. Click the “Authentication Decisions” tab and delete everything in that window as well. When you are done, click “OK”.
   
7. Quit Firefox entirely and then reopen Firefox.

More Firefox troubleshooting 

Quick fix for Firefox browsers

If you already have Cardinal Key installed and it has suddenly stopped working, try the following:

1. Ensure you are running at least version 75 (if not, upgrade to the latest version).
2. Ensure that “security.osclientcerts.autoload” is set to True in about:config.
3. See instructions at https://uit.stanford.edu/service/cardinalkey/install_mac or https://uit.stanford.edu/service/cardinalkey/install_windows for additional configuration steps.
4. Test via the Cardinal Key test page: https://cardinalkey-test.stanford.edu.

Cardinal Key not working on Firefox

If Cardinal Key isn't working in the Firefox browser, launch Firefox and take the following steps:

1. Go to settings (three horizontal lines at the upper right corner of the browser window)
2. In the search window, search for Certificates and select "View Certificate”
3. In the pop-up window, select the "authentication decisions" tab
4. See if login.stanford.edu has a setting of "send no client certificate," and if so, highlight and delete it
5. Close and relaunch Firefox

Confirm Cardinal Key is installed on your device

IMPORTANT: Do not reinstall Cardinal Key as a troubleshooting method (unless you’ve confirmed there are no valid Cardinal Keys installed on the device).

Follow the instructions for your device to confirm that Cardinal Key is installed:

• Mac: Finder → Applications → Utilities → Keychain Access. Check “My Certificates” and “Keys.”
• Windows: Start menu → Run → Type certmgr in the Run box → Select Manage User Certificates → A window will appear → Select Personal and drill down the Certificates → If the Cardinal Key exists on the machine, you should see something listed with {sunetid}/Enrollment.

If you find multiple Cardinal Keys installed, we encourage you to keep a single valid Cardinal Key and delete the rest. 

Standard installation steps

1. Ensure that the device is in MyDevices and shows as compliant. If not, follow setup instructions at https://encrypt.stanford.edu.
2. Download a Cardinal Key via https://cardinalkey.stanford.edu. You need to install a unique Cardinal Key for each device (Cardinal Keys uniquely identify a device). Ensure that you are logged into the correct profile on the local machine.
3. The new Cardinal Key will not show up in MyDevices right away. This is OK — a new Cardinal Key can be used for a grace period of 48 hours (even if the device is not yet compliant).

Troubleshooting steps

1. Confirm that the device is in MyDevices and showing as compliant (searching by SUNet ID is fastest). If unsure, confirm the device’s serial number against the info in MyDevices.
   • Confirm that the device has checked in via BigFix/MDM sometime within the past 24 hours.
   • Confirm that Cardinal Key(s) for that device have not been revoked.
2. On the device in question, confirm the Cardinal Key is properly installed:
   • Mac: Finder → Applications → Utilities → Keychain Access.  Check “My Certificates” and “Keys.”
   • Windows: certmgr
     • Go to "Type here to search" → Run
     • Type certmgr in the Run box
     • Select Manage User Certificates
     • A window will appear
     • On the left-hand column, select Personal and drill down to the Certificates
     • If the Cardinal Key exists on the machine, you should see something listed with {sunetid}/Enrollment-*
   • iOS: Settings → General → Profiles & Device Management → Stanford Client Configuration → More Details → Confirm that {SUNetID}/Enrollment-xxx is listed under the certificates.
   • Note: If Cardinal Key shows This certificate has expired or is not yet valid, ensure the local computer’s date/time is accurate.
3. Check to see what Cardinal Key(s) is/are listed in MyDevices for the device.
   • If the Cardinal Key listed matches the certificate in Step 4 and the status is revoked, then you will need to get a new Cardinal Key.
   • If the Cardinal Key listed matches the certificate in Step 4 and the status is OK, you are good to go.
   • If there are multiple Cardinal Keys, you will want to make sure that the ones(s) that have OK statuses exist on your machine.
   • If no Cardinal Key is showing, ensure that you are logged into the same profile where the Cardinal Key was installed.
4. Restart the browser.
5. Test via the Cardinal Key test page: https://cardinalkey-test.stanford.edu.
6. When trying to access [drive.google.com|axess.stanford.edu|webmail.stanford], it should either:
   • Log directly into the site, or 
   • You'll be prompted to choose a certificate. Make sure you choose the one that does not have a revoked status in MyDevices.
7. If all else fails, temporarily request to be added to the Cardinal Key exemption list.