How do I know which certificate to select for smart card authentication?
Select your current VA or DoD Authentication certificate.
If more than one certificate is seen, click Show Certificate and look for Purpose #1= client authentication and verify the date matches your most recently issued smart card (users may see more than one authentication certificate when a new smart card has been issued and the previous certificates have not yet expired).
If you don’t see Purpose #1= client authentication, click the other certificate(s) until it appears.
Where can I get a smart card reader?
Your local IT support office may have smart card readers available. Check with your local IT for guidance on obtaining a card reader.
How are smart card readers distributed?
Today, the distribution of smart card readers is site-specific. Alternative distribution methods are being discussed. If distribution processes or procedures change, updated instructions will be distributed.
Card readers for non-VA-owned equipment.
If remote access is being used from a non-VA-owned device, a smart card reader will be needed for the smart card. If a reader is being purchased (available online: Amazon, Best Buy, etc.) it must be a FIPS compliant, Class 2 type reader.
Click here for a list of known compatible card readers.
Card reader USB connector types.
Card readers have different USB connector types to choose from. To help identify what type you need for your computer, see the examples below.
What if I'm using a USB eToken?
USB eTokens contain authentication certificates only and are on a USB device that looks like a thumb drive. The needed drivers are installed on all VA Government Furnished Equipment (GFE) and may need to be installed on personal or other non-VA GFE (referred to as OE for Other equipment) computers to be recognized and used. The drivers may be downloaded for non-VA GFE via this link:
Knowledge Article View - Thales Customer Support (service-now.com)
I am unable to authenticate remotely on my non-VA Windows device using my smart card.
Validate your smart card client authentication certificate Certification Path is correct by following the below steps:
- Within the Windows Task Bar, click Search Windows icon, type User Cert and press Enter.
This will launch Certificate Manager.
- From the left Pane of Certificate Manager Window, expand Certificates node.
- Expand Personal node.
- Click Certificates.
- Click on each unexpired certificate issued by Veterans Affair or Department of Veterans Affair and locate the Client Authentication certificate under the Certificate intended purposes section at the bottom.
NOTE: If you do not see Veterans Affairs Certificates, you should contact the Enterprise Service Desk (ESD) at (855) 673-4357.
- Double click the certificate and select the Certification Path tab. Verify that the Certification path matches one of the following examples:
- If the path is correct, click OK to close the Certificate windows
- If the path is not correct:
- Click OK to close the Certificate windows.
- Click the following link:
VA Certificate Chain Fix
- When prompted select Save as
- Save the file to a convenient location (e.g. Downloads)
- Open the file to run it (you will need administrative permissions in order to modify the local machine certificate store)
NOTE
If you experience any issues while running VA Certificate Chain Fix,
you should contact the Enterprise Service Desk (ESD) at (855) 673-4357.