Smart card authentication functions properly for previously configured smart card logins, but newly issued smart cards are failing login.
The newly issued smart cards may have been issued by a CA whose certificate has not been added to vCenter.
You can configure authentication for the newly issued smart cards with these steps:
A) Append the CA certificate to the /usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem file, as explained here:
Configure vCenter Server to Request Client Certificates
Example:
# openssl x509 -inform PEM -in xyzCompanySmartCardSigningCA2.cer >> /usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem
B) Add the certificates to the "Trusted CA certificates" store via Smart Card Authentication management, as explained here:
Manage Smart Card Authentication Using the vSphere Client
From the document:
7. Under the Trusted CA certificates tab:
a. Click Add, and click Browse.
b. Select a trusted CA certificate, and click Add.
8. To add additional trusted CA certificates, repeat step 7.
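
For step A, a repeatable version of the append (an added example, not part of the original article or of VMware's tooling): it confirms the file is a PEM CA certificate, skips it if its SHA-256 fingerprint is already in the bundle, keeps a backup copy, and then appends with the same openssl command as above. The function names, return codes and backup file name are this example's own.

```shell
#!/bin/sh
# Added example: append a CA certificate to the smart card client trust bundle
# only if it is a PEM CA certificate that is not already present.
BUNDLE_DEFAULT=/usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem  # path from the article

# Print the SHA-256 fingerprint of every certificate in a PEM bundle, one per line.
bundle_fps() {
    awk -v cmd='openssl x509 -noout -fingerprint -sha256 2>/dev/null' '
        /BEGIN CERTIFICATE/ { inside = 1 }
        inside              { print | cmd }
        /END CERTIFICATE/   { inside = 0; close(cmd) }
    ' "$1" | cut -d= -f2
}

# add_trusted_ca CERT [BUNDLE]   (hypothetical helper, not a VMware command)
# returns 0 = appended or already present, 2 = not PEM X.509, 3 = not a CA cert
add_trusted_ca() {
    cert=$1
    bundle=${2:-$BUNDLE_DEFAULT}

    fp=$(openssl x509 -inform PEM -in "$cert" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2)
    if [ -z "$fp" ]; then
        echo "not a PEM X.509 certificate: $cert" >&2
        return 2
    fi
    # Precaution: catch an end-entity (card holder) certificate supplied by mistake.
    if ! openssl x509 -inform PEM -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
        echo "basicConstraints is not CA:TRUE: $cert" >&2
        return 3
    fi
    if [ -f "$bundle" ]; then
        if bundle_fps "$bundle" | grep -qxF "$fp"; then
            echo "already in bundle: $fp"
            return 0
        fi
        cp -p "$bundle" "$bundle.bak.$(date +%Y%m%d%H%M%S)"   # keep a rollback copy
        # Make sure the existing bundle ends with a newline before appending.
        if [ -n "$(tail -c 1 "$bundle")" ]; then echo >> "$bundle"; fi
    fi
    # Same command as the article's example; re-encoding drops any text around the PEM block.
    openssl x509 -inform PEM -in "$cert" >> "$bundle"
    echo "appended: $fp"
}

# Run only when a certificate path is given on the command line.
if [ "$#" -gt 0 ]; then add_trusted_ca "$@"; fi
```

Running `bundle_fps` on the bundle afterwards lists every CA fingerprint it now contains, which can be compared against the fingerprint published by the issuing CA.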