Hello there,
Have you made any recent updates on the device? If so, try uninstalling them, as there was a history of an update breaking the certificate.
Does this behavior happen when the user changes his password after obtaining the certificate from the CA?
Assuming you're using Active Directory and Windows CA, if you manage to get AD connectivity from the client and try to access the private key (launching the VPN), it should be able to read the key, and it will be readable until you reboot the client. Not sure whether it is a bug or a security feature implemented recently.