Revocation status of DC can’t be verified

Tags: crl, domain-controller, pki, smartcard

A Domain Controller within my forest was working fine (as the story usually goes).

Then, suddenly, I can't log on with my smart card. Instead, I'm greeted with the following message:

The system could not log you on. The revocation status of the domain
controller certificate used for smart card authentication could not be
determined.

I literally have no idea what's happened here. As an attempted quick fix, I removed the root certificate which issued the Smart Card's certificate from the CA of both the client and DC. Then imported a newly exported one from the DC in question. Same issue.

I've spotted a number of related articles on Microsoft's forums and an HP support document. None of them really sheds much light, as it's apparently a generic error message.

Having said all of this, other smart cards (issued from other DCs) work fine. So I have no idea what's up with this one.

Best Answer

When you see that particular error message, it means that the workstation you're logging on to cannot access the CRL for the CA that issued the DC's certificate. You need to make sure that the CRL published for the DC's certificate is both accessible and valid.

I'm looking for some links to send you that further flesh out the issue and will edit the answer when I find them.

Edit - Here are some helpful links:

Troubleshooting CAC Login - This is the most authoritative listing of smart card logon error messages and their fixes that I've found to-date.

Why does Kerberos smart card login require public key certificates, private keys, and a Certification Authority (CA)? - The most concise overview of the smart card logon and PKI interaction.
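As an added example (not part of the answer above), the following PowerShell script checks the two things the answer calls for: it builds the DC certificate's chain with online revocation checking, the way smart card logon does, and then tests whether each CRL Distribution Point URL on the certificate is reachable. It assumes it runs on the DC (or is given an exported .cer file) and that the DC's certificate carries a "Kerberos Authentication" or "Domain Controller" template name.

```powershell
# Added diagnostic script; assumes either a .cer path or a DC certificate issued from a
# "Kerberos Authentication" / "Domain Controller" template in the local machine store.
param([string]$CertPath)

if ($CertPath) {
    $dcCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
} else {
    # Certificate Template Information extension (OID 1.3.6.1.4.1.311.21.7) names the template.
    $dcCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        ($_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' } |
            ForEach-Object { $_.Format($false) }) -match 'Kerberos Authentication|Domain Controller'
    } | Select-Object -First 1
}
if (-not $dcCert) { throw 'No domain controller certificate found.' }
"Checking: $($dcCert.Subject)  issued by: $($dcCert.Issuer)"

# 1. Build the chain with online revocation checking over the entire chain.
#    RevocationStatusUnknown / OfflineRevocation here is the condition behind the logon error.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$built = $chain.Build($dcCert)
"Chain builds cleanly: $built"
foreach ($s in $chain.ChainStatus) {
    "  status: $($s.Status) - $($s.StatusInformation.Trim())"
}

# 2. Enumerate the CRL Distribution Points (OID 2.5.29.31) and probe each HTTP one.
$cdp = $dcCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) { 'Certificate has no CRL Distribution Point extension.'; return }
$urls = [regex]::Matches($cdp.Format($true), '(?i)URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
foreach ($u in $urls) {
    if ($u -like 'http*') {
        try {
            $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 10
            "  $u -> HTTP $($r.StatusCode), $($r.RawContentLength) bytes"
        } catch {
            "  $u -> FAILED: $($_.Exception.Message)"
        }
    } else {
        # LDAP distribution points need an AD-joined client; check those with certutil -URL.
        "  $u -> non-HTTP CDP, verify separately"
    }
}
```

Run it on the affected client as well as on the DC: the client is the machine that must reach the CRL, so a URL that fetches fine from the DC but fails from the client points at the network path rather than the CA publishing.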