NASH PKI certificate issues

Versions affected: All supported Bp Premier versions

As of 13 March 2021, NASH SHA-1 PKI certificates have been deprecated by the Australian Government Digital Transformation Agency due to known vulnerabilities in the SHA-1 hash algorithm.

To increase security and compliance with the updated certificate framework, access to the Healthcare Identifiers (HI) Service, My Health Record, Electronic Prescribing, and Secure Messaging is transitioning from NASH SHA-1 PKI Certificates to NASH SHA-2 PKI Certificates.

Services Australia will no longer issue NASH SHA-1 PKI Certificates after 13 March 2022.

How does this affect me?

Practices with a recent NASH certificate (generated after 15 May 2021) may experience the following issues in Bp Premier:

  • Unable to connect to My Health Record with the error:
    [Screenshot: Error installing NASH certificate after 15 May 2021]
  • Unable to view certain CDA documents either from referrals received or downloaded via My Health Record.
  • A NASH certificate cannot be deployed for multiple locations, causing issues connecting to My Health Record.

Cause

All NASH certificates generated after 15/05/2021 also require an updated Medicare certificate to be installed. The updated Medicare certificate was only made available by Services Australia on 15/05/2021 and is not automatically installed with the NASH certificate.

Resolution

Best Practice Software has made available a utility that resolves all of the above issues and reinstalls the certificate framework for the new NASH certificate.

  1. Right-click on the utility BP_Saffron_CertificateUpdater.exe here and select Save as or Save Target as. Your browser may alert that the file is a security risk. You can safely keep this file.
  2. Copy the file and double-click to run the utility on every workstation, including the Bp Premier Server, that the Practice uses to access any of the following:
    • Healthcare Identifiers (HI)
    • My Health Record
    • Electronic Prescribing
    • Secure Messaging services.

You can resume using Bp Premier. If the issues keep recurring, contact Best Practice Software Support.

Deploy the certificate update across many computers

If you need to run the eHealth Certificate Update Utility on a large number of computers, you can extract the files to distribute from the utility through the Windows Command Prompt, and deploy the files to the workstations in your network through a Windows group policy or script.

Before you begin

  • You will need to know which version of Saffron you are running: Saffron, or Saffron Service Pack 1. Select Help > About in Bp Premier to see which version you have installed.
  • You will need Windows administrator permissions to run the utility and extract the files.

  1. Download the utility BP_Saffron_CertificateUpdater.exe.
  2. Press Windows + R to open a Windows Run dialog. Type 'cmd' into the text field and click OK to open a command prompt.
  3. Use the 'cd' command to go to the folder where you saved the update utility. Folder names that have spaces need quotes around the folder name.
  4. Type the following command from the Command Prompt window: 'BP_Saffron_CertificateUpdater.exe /x'
     [Screenshot: Run the utility from the command prompt with the x parameter]
  5. Save each of the three files when prompted.
     [Screenshot: Save all extracted files]
  6. Two copies of "BPCertificateManager.exe" are extracted: one for version Saffron, one for version Saffron SP1. Right-click on the files and select Properties > Details to see which version the .exe file is for.
    • Version 924 is for version Saffron
    • Version 934 is for version Saffron SP1
     [Screenshot: BpCertificateManager.exe 1.11.0.924 version for Saffron; BpCertificateManager.exe 1.11.1.934 for Saffron SP1]
  7. Distribute the files to the following folder locations on all affected workstations:
    • BpCertificateManager.exe: C:\Program Files\Best Practice Software\BPS\BPSupport\
    • Medicare Australia Organisation CA.cer: C:\Program Files\Best Practice Software\BPS\MedicareCerts\
  8. Certificates will be distributed on a workstation correctly the next time a user logs into Bp Premier.
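
One way to script the distribution step on a workstation, shown as an added example (this is not a script supplied by Best Practice Software). The parameter names StagingDir and Edition and the function Install-Verified are hypothetical, and the script assumes the two extracted BpCertificateManager.exe copies were saved into separate subfolders of the staging folder.

```powershell
# Added example, not Best Practice Software's own script. Run elevated.
# Assumptions: -StagingDir holds the files extracted with /x, with the two
# BpCertificateManager.exe copies in separate subfolders (hypothetical layout).
param(
    [Parameter(Mandatory)] [string] $StagingDir,
    [Parameter(Mandatory)] [ValidateSet('Saffron', 'SP1')] [string] $Edition
)
$ErrorActionPreference = 'Stop'

# File versions and target folders as given in the article.
$wanted     = @{ Saffron = '1.11.0.924'; SP1 = '1.11.1.934' }[$Edition]
$bpsRoot    = 'C:\Program Files\Best Practice Software\BPS'
$supportDir = Join-Path $bpsRoot 'BPSupport'
$certDir    = Join-Path $bpsRoot 'MedicareCerts'

# Pick the BpCertificateManager.exe copy whose file version matches the edition.
$manager = Get-ChildItem -Path $StagingDir -Recurse -File -Filter 'BpCertificateManager.exe' |
    Where-Object {
        $v = $_.VersionInfo
        ('{0}.{1}.{2}.{3}' -f $v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart) -eq $wanted
    } | Select-Object -First 1
if (-not $manager) { throw "No BpCertificateManager.exe with version $wanted under $StagingDir" }

$caCert = Get-ChildItem -Path $StagingDir -Recurse -File -Filter 'Medicare Australia Organisation CA.cer' |
    Select-Object -First 1
if (-not $caCert) { throw "Medicare Australia Organisation CA.cer not found under $StagingDir" }

# Log what is about to be installed: signature status of the executable and
# the subject, expiry and signature algorithm of the CA certificate.
$sig  = Get-AuthenticodeSignature -FilePath $manager.FullName
$x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($caCert.FullName)
Write-Output "Manager $wanted Authenticode status: $($sig.Status)"
Write-Output "CA cert: $($x509.Subject), expires $($x509.NotAfter), $($x509.SignatureAlgorithm.FriendlyName)"

# Copy one file into an existing Bp Premier folder and confirm the copy is byte-identical.
function Install-Verified([string] $Source, [string] $TargetDir) {
    if (-not (Test-Path -LiteralPath $TargetDir -PathType Container)) { throw "Expected folder missing: $TargetDir" }
    $dest = Join-Path $TargetDir (Split-Path -Path $Source -Leaf)
    Copy-Item -LiteralPath $Source -Destination $dest -Force
    $before = (Get-FileHash -LiteralPath $Source -Algorithm SHA256).Hash
    $after  = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
    if ($before -ne $after) { throw "Hash mismatch after copy: $dest" }
    Write-Output "Installed $dest (SHA256 $after)"
}
Install-Verified -Source $manager.FullName -TargetDir $supportDir
Install-Verified -Source $caCert.FullName  -TargetDir $certDir
```

Pass the edition shown under Help > About in Bp Premier; the logged SHA256 values can be compared across workstations to confirm every machine received the same files.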

 

 

Last updated 20 August 2021