Some users can authenticate to vCenter with a Smart Card and some users cannot.
vCenter Server 8.x
vCenter Server 7.x
Validating the Smart Card user certificates shows that the Common Name (CN) Subject Name of the CA was reused by a new Certificate Authority. To validate, follow the Trusted Certificate Authority validation steps (keytool) in "Smart Card Authentication stops working after upgrading to vCenter Server 7.0u3i".
The keytool output shows that the thumbprints of the Trusted CAs do not match the thumbprint of the users' Smart Card certificates issued by the CA re-using the Common Name (CN) Subject Name.
vCenter Server does not support re-use of the Common Name (CN) Subject Name in subsequent root certificates by the same CA; such re-use results in unexpected certificate chaining issues.
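The mismatch described above can be reproduced offline with OpenSSL to see why a CA that reuses a subject name with a new key cannot chain certificates issued under the old key. This is an added example, not part of the original article or of vCenter tooling; the CA and user names, file names, and helper functions are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example. All names, subjects and files here are constructed.

# Print a certificate's issuer or subject DN ($1 = issuer|subject, $2 = PEM file).
cert_name() {
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# SHA-256 thumbprint of a PEM certificate, for comparison with keytool output.
thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Classify a trusted CA against a user certificate:
#   match      - issuer name matches and the CA key signed the certificate
#   name-reuse - issuer name matches but the signature does not verify
#   unrelated  - issuer name does not match this CA at all
check_issuer() {  # $1 = user cert, $2 = CA cert
    [ "$(cert_name issuer "$1")" = "$(cert_name subject "$2")" ] || { echo unrelated; return; }
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo match; else echo name-reuse; fi
}

# Build a throwaway PKI in $1: two root CAs sharing one subject name but with
# different keys, and a user certificate issued by the old one.
make_demo_pki() {
    local d=$1 ca
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3' 'prompt=no' \
        '[dn]' 'CN=Constructed Smart Card CA' \
        '[v3]' 'basicConstraints=critical,CA:TRUE' > "$d/ca.cnf"
    for ca in old new; do
        openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$d/ca.cnf" \
            -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null
    done
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj '/CN=constructed.user' -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null
    openssl x509 -req -in "$d/user.csr" -CA "$d/old.pem" -CAkey "$d/old.key" \
        -set_serial 1 -days 30 -out "$d/user.pem" 2>/dev/null
}

DEMO_DIR=$(mktemp -d)
make_demo_pki "$DEMO_DIR"
for ca in old new; do
    echo "$ca CA: $(thumbprint "$DEMO_DIR/$ca.pem") -> $(check_issuer "$DEMO_DIR/user.pem" "$DEMO_DIR/$ca.pem")"
done
```

Both CAs print the same subject name but different thumbprints, and only the old CA verifies the user certificate.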
Re-issue the Smart Card user certificates from the new Certificate Authority for all Smart Card users whose certificates were issued by the old Certificate Authority.
Alternate MFA methods using vSphere 7 – Identity Federation and TAM Lab – Enabling MFA in vSphere 7