After you renew your digital certificates or replace your HHS ID Badge, please perform the actions listed below to make sure that you will be able to use your new digital certificates to send and receive secure email and login to applications.
Log in to Your Computer
The first thing you should do after renewing your HHS ID Badge (Smart Card) or digital certificates is to use your smart card to log in to your Windows or Mac OS X computer
while connected to the NIH network. This enables you to use your smart card to login to the computer when it is not connected to the NIH network and also verifies that everything is working as expected.
Remove Your Old Digital Certificate
Your old (prior) digital certificates are no longer useful and may cause problems when you use your smart card to log in to a computer, read encrypted email or digitally sign documents. Therefore these old certificates should be removed (deleted) from your computer.
Note: You need PKI private keys to read encrypted emails; these keys were deleted when you renewed your certificates. Keeping your old digital certificates will NOT enable you to read old encrypted emails. See below for instructions on how to recover prior certificates to read old encrypted email. See the PKI 101 tutorial to learn about the relationship between digital certificates and private encryption keys.
Windows Computers
See NIH IT Knowledge Base article on how to use IE to remove certificates.
Macintosh Computers
The Mac OS token cache must be cleared after updating HHS ID Badge (PIV/Smart Card), certificates.
To clear the token cache, first remove any smart cards that may be in the card reader, then as a local administrator, run the following command in a Terminal window:
Sudo rm –r /private/var/db/TokenCache/tokens
Note: To avoid deleting important system files, this command must be entered exactly as it is shown, including spaces. After the command is entered into the prompt, press the Return key on the keyboard to run the command. Once the command finishes, it will return to the Terminal command prompt and the new certificates will be read by the computer. The configuration process may take a few minutes.
Update your NIH VPN Client Software
Some users may experience problems using VPN and PIV cards after receiving the newer Entrust certificates (especially if they have not used the NIH VPN for the past several months). Please refer to the NIH IT Knowledge Base article on Using VPN with Entrust Certificates for more information.
Re-Configure Applications
Many applications need to know which certificates to use for various PKI-enabled functions (e.g., Outlook, Adobe, Firefox, etc.). Please refer to following instructions:
Share Your New Certificates to Receive Encrypted Email
People often keep your email address in their local contacts list. Even though you published your certificate to the GAL when you configured Outlook or, if you are a Macintosh user, you used the Publish Certificate to Active Directory (PAD) utility, this did NOT update the certificates in anyone's local contacts list.
To ensure you receive encrypted email, send a digitally signed email to people who send you encrypted email and ask them to capture your email address and update their local contacts list. Updating a local contacts list from a digitally signed email automatically updates the certificates needed to send encrypted email to that email address.
Recover Prior Certificates to Read Old Encrypted Email
If you are unable to read old encrypted email, you need to obtain copies of your previous digital certificates and associated private keys. To obtain these items, please see the NIH IT Knowledge Base article on how to recover and install prior encryption certificates.
Note: Badges issued after October 1, 2012 have extra memory that enables them to store your earlier certificates (up to 5) which may make key recovery unnecessary.
Information and Assistance
For additional information, search the NIH IT Knowledge Base for tutorials, instruction sheets and user guides or refer to the appropriate How-To Guide.
For questions or user support, please contact the NIH IT Service Desk.