Skip to content Skip to site navigation

Cardinal Key Troubleshooting User Guide

If you are having an issue with Cardinal Key,  we encourage you to read through the following recommendations before submitting a Help request.

Confirm Cardinal Key is installed on your device

IMPORTANT: Do not reinstall Cardinal Key as a troubleshooting method (unless you’ve confirmed there are no valid Cardinal Keys installed on the device).

Follow the instructions for your device to confirm that Cardinal Key is installed:

  • Mac: Finder → Applications → Utilities → Keychain Access. Check “My Certificates” and “Keys.”
  • Windows: Start menu → Run → Type certmgr in the Run box → Select Manage User Certificates → A window will appear → Select Personal and drill down the Certificates → If the Cardinal Key exists on the machine, you should see something listed with {sunetid}/Enrollment.

If you find multiple Cardinal Keys installed, we encourage you to keep a single valid Cardinal Key and delete the rest. 

Quick fix

If you already have Cardinal Key installed and it has suddenly stopped working, try the following:

  1. Clear Shibboleth IdP session cookie and log in again: https://login.stanford.edu/cookie/idp.

    For Firefox:

Standard installation steps

  1. Ensure that the device is in MyDevices and shows as compliant. If not, follow setup instructions at https://encrypt.stanford.edu.
  2. Download a Cardinal Key via https://cardinalkey.stanford.edu. You need to install a unique Cardinal Key for each device (Cardinal Keys uniquely identify a device). Ensure that you are logged into the correct profile on the local machine.
  3. The new Cardinal Key will not show up in MyDevices right away. This is OK — a new Cardinal Key can be used for a grace period of 48 hours (even if the device is not yet compliant).
  4. Enable the cookie in each web browser. You can do so through https://login.stanford.edu/cookie/x509 (alternatively go to https://accounts.stanford.edu → Manage → Cardinal Key tab).

For Firefox browsers:

  1. Ensure you are running at least version 75 (if not, upgrade to the latest version).
  2. Ensure that “security.osclientcerts.autoload” is set to True in about:config.
  3. See instructions at https://uit.stanford.edu/service/cardinalkey/install_mac for additional configuration steps.
  4. Test via the Cardinal Key test page: https://cardinalkey-test.stanford.edu.

Troubleshooting steps

  1. Confirm that Cardinal Key is enabled in each browser you are using (if you clear your cookies, it will disable Cardinal Key for that browser). Go to https://login.stanford.edu/cookie/x509 (alternatively, go to https://accounts.stanford.edu → Manage → Cardinal Key tab).
  2. Click Enable Cardinal Key Authentication if it is disabled.
  3. Confirm that the device is in MyDevices and showing as compliant (searching by SUNet ID is fastest). If unsure, confirm the device’s serial number against the info in MyDevices.
    • Confirm that the device has checked in via BigFix/MDM sometime within the past 24 hours.
    • Confirm that Cardinal Key(s) for that device have not been revoked.
  4. On the device in question, confirm the Cardinal Key is properly installed:
    • Mac: Finder → Applications → Utilities → Keychain Access.  Check “My Certificates” and “Keys.”
    • Windows: certmgr
      • Go to Start menu → Run
      • Type certmgr in the Run box
      • Select Manage User Certificates
      • A window will appear
      • On the left-hand column, select Personal and drill down to the Certificates
      • If the Cardinal Key exists on the machine, you should see something listed with {sunetid}/Enrollment-*
    • iOS: Settings → General → Profiles & Device Management → Stanford Client Configuration → More Details → Confirm that {SUNetID}/Enrollment-xxx is listed under the certificates.
    • Note: If Cardinal Key shows This certificate has expired or is not yet valid, ensure the local computer’s date/time is accurate.
  5. Check to see what Cardinal Key(s) is/are listed in MyDevices for the device.
    • If the Cardinal Key listed matches the certificate in Step 4 and the status is revoked, then you will need to get a new Cardinal Key.
    • If the Cardinal Key listed matches the certificate in Step 4 and the status is OK, you are good to go.
    • If there are multiple Cardinal Keys, you will want to make sure that the ones(s) that have OK statuses exist on your machine.
    • If no Cardinal Key is showing, ensure that you are logged into the same profile where the Cardinal Key was installed.
  6. Restart the browser.
  7. Test via the Cardinal Key test page: https://cardinalkey-test.stanford.edu.
  8. When trying to access [drive.google.com|axess.stanford.edu|webmail.stanford], it should either:
    • Log directly into the site, or 
    • You'll be prompted to choose a certificate. Make sure you choose the one that does not have a revoked status in MyDevices.
  9. If all else fails, temporarily request to be added to the Cardinal Key exemption list
Last modified August 17, 2021