Troubleshoot NASH certificate installation

When running HI Provider Directory or accessing My Health Record from Bp VIP.net, you may receive one of the following errors:

• An error occurred attempting to connect to the HI service. No certificate was found with serial number 'nnnnnn'.
• An error occurred attempting to connect to the HI service. Keyset does not exist.
• Unable to access a PCEHR for this patient. Could not establish secure channel for SSL/TLS with Authority Error.
• Unable to access My Health Record for this patient. Certificate was not found with criteria 'xxxxxx'.

These errors are caused by the NASH certificate not being imported correctly, or Windows not trusting a PKI certificate because the Medicare certificate did not install.

For most Bp VIP.net installations, NASH certificates are only installed on the server computer. When Bp VIP.net is started on a client computer, the client will pull any updated certificates from the server and install them in the client's Windows certificate store. You may still need to do individual installations of the NASH certificate for Thick Client set ups.

Can Windows verify the Site certificate?

Perform this step first to determine how to correct the issue.

1. From the Windows desktop, run a search for 'internet options'. Double-click the result to open the Internet Options settings.



2. Select the Content tab and click Certificates to open the Certificates window.



3. Double-click your practice's HI certificate in the Personal tab of the Certificates window. The HI certificate will contain your practice name in the Issued to column.
4. Inspect the information provided in the General tab.



5. Click on the Certificate Path to verify the chain of trust.

If a red cross is indicated on any of the levels of the chain of trust and the Certification status reports that the CA Root certificate is not in the Trusted Root Certification Authorities store, the chain has not been established.

Try the following to resolve the chain of trust:

1. If the Certification status reports that the CA Root certificate is not trusted, check that the NASH certificate has been installed on the local machine rather than through Internet Options. Installing it the local machine establishes the chain of trust as it installs all certificates within the NASH certificate.
2. Import the Root and Organisation certificates into the Trusted certificate store.

Install the root and organisation certificates

1. Double click on the Site Personal Information Exchange file to open the Certificate Import Wizard.
2. Select Local Machine in the Store Location section and click the Next button.
3. On the File to Import screen select the Browse button to display the contents of the NASH certificate.



4. Select the Organisation certificate and click Open.
5. Click Next on the Certificate Import Wizard.



6. Select Place all certificates in the following store and click the Browse button.
7. Select Trusted Root Certification Authorities from the Certificate Store.

IMPORTANT Install the certificate into both the Personal and Trusted Root Certificate stores. You will need to do this one at a time.

8. Click the OK button.
9. Click Next on the Certificate Import Wizard.
10. Click the Finish button to complete the import.
11. Repeat the steps above to import the Root Certificate.
12. Verify the chain of trust is now established for the NASH certificate.

 

Last modified: July 2020