Troubleshoot site and NASH certificate issues

When running HI lookups or accessing My Health Record from Bp Premier, you may receive one of the following errors:

  • An error occurred attempting to connect to the HI service. No certificate was found with serial number 'nnnnnn'.
  • An error occurred attempting to connect to the HI service. Keyset does not exist.
  • Unable to access a PCEHR for this patient. Could not establish secure channel for SSL/TLS with Authority Error.
  • Unable to access My Health Record for this patient. Certificate was not found with criteria 'xxxxxx'.

These errors are caused by the Site and NASH certificates not being imported correctly, or Windows not trusting a PKI certificate because the Medicare certificate did not install.

For most Bp Premier installations, certificates for My Health Record are only installed on the Bp Premier server. When Bp Premier is started on a client computer, the client will pull any updated certificates from the server and install them in the client's Windows certificate store. You should not need to manually install certificates on a Bp Premier client.

Can Windows verify the Site certificate?

Perform this step first to determine how to correct the issue.

  1. From the Windows desktop, run a search for 'internet options'. Double-click the result to open the Internet Options settings.
  2. Search for internet options

  3. Select the Content tab and click Certificates to open the Certificates window.
  4. Open personal certificates

  5. Double-click your practice's HI certificate in the Personal tab of the Certificates window. The HI certificate will contain your practice name in the Issued to column.
  6. Inspect the information provided in the General tab.
  7. Certificate not verified

  8. If the Certification Information reports that Windows does not have enough information to verify the certificate (shown in the example above), follow the instructions in Import certificates into the Windows Trusted Root Authority.
  9. If Windows can verify the certificate and lists the intended purpose, follow the instructions in Reimport certificates using the reimport tool on the server.

Import certificates into the Windows Trusted Root Authority

  1. In a Windows File Explorer, browse to C:\Program Files\Best Practice Software\BPS\MedicareCerts\.
  2. Right-click the certificate Medicare Australia Organisation CA and click Install certificate.
  3. The Certificate Import Wizard will open. Select a Store Location of Local Machine and click Next.
  4. Select Place all certificates in the following store and choose 'Trusted Root Certification Authorities'. Click Next.
  5. Confirm the details and click Finish.
  6. On Windows 7, a Security Warning message may appear. Click Yes to proceed.
  7. Repeat steps 2–6 for the certificate Medicare Australia Root CA.

Rerun the steps in Can Windows verify the Site certificate? to determine if the problem has been resolved. The General tab will show details similar to the following example if the Trusted Root Authority import was successful: 

Reimport certificates using the reimport tool on the server

IMPORTANT  When you import the Site and NASH certificates, you must log in to the Bp Premier server machine as a Windows administrator, and start Bp Premier by right-clicking on the desktop Bp Premier icon and selecting Run as Administrator.

If you do not know the server's administrator password, contact your IT support so an administrator can correctly import the certificates. Follow the instructions below on the Bp Premier server only.

Download the certificate reimport utility

If you don't have the reimport utility already, download the utility Certificate Re-Import Tool.

  1. Open the Best Practice Software website www.bpsoftware.net in a browser.
  2. Select ResourcesBp Premier Downloads from the menu.
  3. Under the Utilities section, select the utility Certificate Reimport Tool to expand.
  4. Click Download to download the .exe file to the default Downloads folder, or right-click download and select Save link as... or Save target as... to download the file to a known location.

Run the utility on the Bp Premier server

  1. Log in to Bp Premier server as a Windows administrator.
  2. Browse to the folder where you downloaded the utility and double-click on the file Cert_Reimport_Tool.exe.
  3. When the Best Practice Utility screen appears, click Run. The utility will only take a few seconds. The Complete screen will appear when the utility has run successfully.
  4. NOTE  If you receive the error 'Error opening local machine store - Access is denied' when running Cert_Reimport_Tool.exe, the logged-in Windows user is not an administrator. Log out and log back in as a Windows administrator.

  5. Click OK and Close.
  6. Right-click on the Bp Premier icon and select Run as administrator.
  7. Import both the Site certificate and NASH certificates again. See Configure Bp Premier for My Health Record for more information.
  8. Log out of Bp Premier, and log in again as a provider.
  9. Test that HI lookups and My Health Record access are working correctly on the server while logged in as a provider.
  10. If lookups and MHR work on the Bp Premier server, log in to each workstation in the practice and perform the same test to ensure that certificates have been distributed.

If a workstation is still having issues when testing HI lookups or accessing My Health Record

  1. Log in as a Windows Administrator on the workstation.
  2. Browse to the folder where you downloaded the utility and double-click Cert_Reimport_Tool.exe.
  3. When the Best Practice Utility screen appears, click Run. The utility will only take a few seconds. The Complete screen will appear when the utility has run successfully.
  4. Click OK and Close.
  5. Right-click on the Bp Premier icon and select Run as administrator.
  6. Log out of Bp Premier, and log in again as a provider.
  7. Test that HI lookups and MHR access is working correctly on the workstation while logged in as a provider.

NOTE  If HI lookups and MHR are working on the server and all workstations, you no longer need to run Bp Premier as administrator.