HHS ID Badge: Certificates - What to do after you renew
Article: KB0020928
Published: 2024-02-01
Last modified: 2024-02-27
General Information
After you renew your digital certificates or replace your HHS ID Badge, perform the actions listed below to make sure that your new digital certificates can be used to send and receive secure email and to log in to applications.
Article Contents
Log in to your computer
Remove Your OLD Digital Certificates
Update Your NIH VPN Client Software
Re-Configure applications to use new certificates
Share your new certificates to receive encrypted email
Recover prior certificates to read old encrypted email
Log in to Your Computer
After you renew your certificates:
Restart your NIH Windows workstation.
Once the login screen appears, connect to the NIH network before logging in with your PIV card or username and password. If you are remote, connect to NIH VPN first.
Note: If you do not complete this step, you will receive an error message when attempting to use your PIV/ALT card to sign in.
Remove Your OLD Digital Certificates
Your old (prior) digital certificates are no longer useful and may cause problems when you use your smart card to log in to a computer, read encrypted email or digitally sign documents. Therefore, these old certificates should be removed (deleted) from your computer.
Note: You need your PKI private keys to read encrypted email. These keys were deleted when you renewed your certificates, so keeping your old digital certificates will not enable you to read old encrypted email. See the section below on how to recover prior certificates to read old encrypted email.
See the following KB article to learn about the relationship between digital certificates and private encryption keys: HHS ID Badge: PKI General information.
Windows
See the following NIH IT Knowledge Base article: HHS ID Badge: Configure software after certificate renewal.
macOS
The macOS token cache must be cleared after updating HHS ID Badge (PIV/Smart Card) certificates.
To clear the token cache:
Remove any smart cards that may be in the card reader.
As a local administrator, run the following command in a Terminal window:
sudo rm -r /private/var/db/TokenCache/tokens
Note: To avoid deleting important system files, this command must be entered exactly as it is shown, including the spaces and the plain hyphen before the r option (a dash character pasted from a formatted document will not be recognized).
After the command is entered at the prompt, press Return to run it.
Once the command finishes, you are returned to the Terminal command prompt and the new certificates are read by the computer.
Note: The configuration process may take a few minutes.
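A guarded form of this step, added here as an example and not part of the NIH article: the function only deletes a path that ends in the documented token-cache directory and actually exists, so a mistyped or pasted path is refused instead of removing something else. The function name clear_token_cache and the --run flag are assumptions of this example.

```shell
#!/bin/sh
# Added example: guarded removal of the macOS smart-card token cache.
# Run as a local administrator on the Mac (card removed first):
#   sudo sh clear_token_cache.sh --run

# The only path this script is willing to delete (from the NIH article).
TOKEN_CACHE_PATH="/private/var/db/TokenCache/tokens"

# clear_token_cache PATH
# Removes PATH only if it ends with the documented token-cache path and
# is an existing directory. Returns 0 on success, 1 when refused or on error.
clear_token_cache() {
    target="$1"
    case "$target" in
        *"$TOKEN_CACHE_PATH") ;;   # exact documented suffix: allowed
        *)
            echo "refusing: '$target' is not the token cache directory" >&2
            return 1 ;;
    esac
    if [ ! -d "$target" ]; then
        echo "refusing: '$target' does not exist or is not a directory" >&2
        return 1
    fi
    rm -r "$target" || return 1
    echo "cleared $target; reinsert the card and wait for reconfiguration"
    return 0
}

# Only touch the real cache when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
    clear_token_cache "$TOKEN_CACHE_PATH"
fi
```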
Update Your NIH VPN Client Software
Some users may experience problems using VPN and PIV cards after receiving the newer Entrust certificates (especially if they have not used the NIH VPN for the past several months). For more information, refer to the NIH IT Knowledge Base article: Cisco AnyConnect VPN Client: Login issues with Entrust certificates.
Re-Configure Applications to Use New Certificates
Many applications (e.g., Outlook, Adobe Acrobat, Firefox) need to be told which certificates to use for PKI-enabled functions. Refer to the following KB articles:
Microsoft Office: Outlook - Email encryption methods used at NIH
Adobe: Acrobat - Configure for use with digital certificates
HHS ID Badge: Configure software after certificate renewal
Share Your New Certificates to Receive Encrypted Email
People often keep your email address in their local contacts list. Even though you published your certificate to the GAL when you configured Outlook or, if you are a Mac user, used the Publish Certificate to Active Directory (PAD) utility, this did not update the certificates in anyone's local contacts list.
To ensure you receive encrypted email, send a digitally signed email to people who send you encrypted email and ask them to capture your email address and update their local contacts list. Updating a local contacts list from a digitally signed email automatically updates the certificates needed to send encrypted email to that email address.
Recover Prior Certificates to Read Old Encrypted Email
If you are unable to read old encrypted email, you need to obtain copies of your previous digital certificates and associated private keys. To obtain these items, see the NIH IT Knowledge Base article on how to recover and install prior encryption certificates.
Note: Badges issued after October 1, 2012 have extra memory that enables them to store your earlier certificates (up to 5), which may make key recovery unnecessary.
NIH IT Service Desk Contact Information
Local: 301-496-4357
Toll-Free: 1-866-319-4357
TTY: 711
NIH IT Service Desk Portal: http://itservicedesk.nih.gov/