Smart Card Frequently Asked Questions

This page contains frequently asked questions and answers about using the PKI digital certificates on your HHS smart card ID badge. There are also a number of how-to guides that provide detailed instructions for configuring applications to work with your smart card.

Troubleshooting

  1. Why do I get a warning that Certificates Have or Will Soon Expire?

    If you received the new 128k PIV Card it may contain your prior (expired) encryption certificates. If so, the ActivClient middleware will tell you that these old encryption certificates are near or past their expiration date (ActivClient automatically checks for expiring certificates after your smart card has been in the card reader for at least 20 seconds).

    If the message refers only to Key Management History certificates (i.e., your old encryption certificates), select the ‘Do not remind me’ radio button to disable future warnings about those certificates. However, if the message refers to 3 different types of certificates that have the same expiration date, it is time to renew your smart card certificates.

    For more information, please refer to the NIH Knowledge Base HHS ID Badge (PIV/Smart Card) FAQs.

  2. Why does the computer say it cannot recognize my card type?

    If your badge used to work, one possibility is that the badge and/or smart card reader is dirty. Try using a Smart Card Cleaning Card.

    If that doesn't work, follow the troubleshooting guides to verify that your system is properly configured. If all else fails, you may need to replace your badge.

  3. I just got a new badge, why doesn't it work with my computer?

    Badges issued after October 1, 2012 have additional memory on them to store old email encryption keys. These new 128k PIV cards need an ActivClient hotfix to work. Please contact the NIH IT Service Desk for assistance.

  4. Why does Microsoft tell me "The system could not log you on. Your credentials could not be verified"?

    You will get this message if the HHS Domain Device Root CA is not in your Local Computer Trusted Root Certification Authorities Store. See Managing Windows Certificate Chains for more information.
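    The following PowerShell check, added here as an example and not NIH/HHS-provided code, looks for the HHS Domain Device Root CA in the Local Computer Trusted Root store and distinguishes that from the case where it is only in the current user's store. The subject-name fragment it searches for is an assumption; substitute the CA's exact subject name for your environment.

```powershell
# Added example (not NIH/HHS-provided code): confirms that the HHS Domain Device Root CA
# is in the Local Computer Trusted Root store, which the FAQ says smart card logon needs.
# The subject fragment below is an assumption; use the CA's exact subject name.
$SubjectFragment = 'HHS Domain Device Root CA'   # assumed subject-name fragment

function Find-RootCa {
    param([string]$StorePath, [string]$Fragment)
    Get-ChildItem -Path $StorePath | Where-Object { $_.Subject -like "*$Fragment*" }
}

$machineHits = Find-RootCa -StorePath 'Cert:\LocalMachine\Root' -Fragment $SubjectFragment
$userHits    = Find-RootCa -StorePath 'Cert:\CurrentUser\Root'  -Fragment $SubjectFragment

if ($machineHits) {
    foreach ($c in $machineHits) {
        "OK: '{0}' is in LocalMachine\Root (thumbprint {1}, valid until {2:yyyy-MM-dd})" -f $c.Subject, $c.Thumbprint, $c.NotAfter
    }
} elseif ($userHits) {
    "WARNING: '$SubjectFragment' was found only in CurrentUser\Root. Smart card logon requires it in the Local Computer store, so import it there (administrator rights needed)."
} else {
    "MISSING: '$SubjectFragment' is not in LocalMachine\Root or CurrentUser\Root. Expect 'Your credentials could not be verified' until the root CA is added to the Local Computer Trusted Root store."
}
```

    Run it from a normal (non-elevated) prompt to diagnose; only importing the certificate into the Local Computer store requires administrator rights.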

  5. Why does my screen lock when I remove my smart card?

    What happens when you remove your smart card is determined by the data of the ScRemoveOption value in the following Microsoft registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    Value: ScRemoveOption (REG_SZ)
    Can be set to: 0-No action, 1-Lock workstation, 2-Force logoff

    There is an FDCC requirement to set this value to 1. However, NIH has waived this requirement, allowing this value to be set to 0 (no action).
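    This PowerShell script, added here as an example and not NIH/HHS-provided code, reads ScRemoveOption from the Winlogon key above and translates it into the behaviour listed. It also reports the state of the Smart Card Removal Policy service (ScPolicySvc), because option 1 or 2 only takes effect while that service is running; that is a common reason a machine set to lock on removal does not actually lock.

```powershell
# Added example (not NIH/HHS-provided code): reads ScRemoveOption from the Winlogon
# key named in the FAQ and reports the card-removal behaviour it selects.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Meaning = @{ '0' = 'No action'; '1' = 'Lock workstation'; '2' = 'Force logoff' }

function Get-ScRemoveOption {
    $props = Get-ItemProperty -Path $WinlogonKey -Name 'ScRemoveOption' -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.ScRemoveOption) { return $null }
    return [string]$props.ScRemoveOption
}

function Get-ScRemoveBehavior {
    $value = Get-ScRemoveOption
    if ($null -eq $value) { return 'ScRemoveOption is not set; Windows behaves as 0 (no action).' }
    if ($Meaning.ContainsKey($value)) { return "ScRemoveOption = $value ($($Meaning[$value]))" }
    return "ScRemoveOption = '$value' (not one of 0/1/2; check the value data)"
}

Get-ScRemoveBehavior

# Lock/logoff only happens while this service runs; with ScRemoveOption=1 and the
# service stopped, removing the card does nothing.
$svc = Get-Service -Name 'ScPolicySvc' -ErrorAction SilentlyContinue
if ($svc) { "Smart Card Removal Policy service: $($svc.Status)" }
else      { 'Smart Card Removal Policy service (ScPolicySvc) not found on this system.' }

# To apply the FDCC setting (lock on removal) from an elevated prompt, uncomment:
# Set-ItemProperty -Path $WinlogonKey -Name 'ScRemoveOption' -Value '1' -Type String
```

    Reading the value works from any account; changing it (the commented Set-ItemProperty line) requires an elevated prompt.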

Badge Questions

  1. What do I do if I forgot my PIN?

    Click here for instructions on how to reset your PIN.

  2. What do I do if my badge is lost or stolen?

    Click here for instructions on replacing your badge.

  3. I got a new badge and/or renewed my certificates. What do I need to do?

    Follow these instructions for updating your applications when you receive a new badge and/or digital certificates.

Certificate Questions

  1. How can I tell which certificate is used for what?

    New certificates have a certificate type code that appears after your name:

    -A indicates that the certificate is used for authentication.
    -E indicates that the certificate is used for email encryption.
    -S indicates that the certificate is used for digital signatures.

  2. Why am I getting a warning that my certificates have or will soon expire?

    After your smart card has been in the card reader for at least 20 seconds, the ActivClient software installed on your computer automatically checks to see if any of the certificates on your smart card are near or past their expiration date. If you have the new 128k PIV card, this includes the old encryption certificates that may be on your card. If the message refers only to Key Management History certificates, the user should select the Do not remind me radio button to disable future warnings regarding these old encryption certificates. Otherwise, if the message refers to 3 different types of certificates that have the same expiration date, it is time to renew your smart card certificates. See the HHS ID Badge (PIV/Smart Card) FAQs for more information.
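    The PowerShell script below, added here as an example and not NIH/HHS-provided code, lists the certificates in the current user's personal store, labels each with the purpose implied by the -A/-E/-S type code from Certificate Question 1, and flags those that are past or within a chosen number of days of expiration, which is the same check ActivClient performs. The subject format (type code as the last token of the CN) and the 30-day warning window are assumptions; ActivClient's own threshold is not stated on this page.

```powershell
# Added example (not NIH/HHS-provided code): classifies smart card certificates by the
# -A/-E/-S type code after the holder's name and flags expired or expiring ones.
# Assumptions: the type code is the last token of the CN; the warning window is 30 days.
$WarnDays = 30
$TypeCode = @{ 'A' = 'Authentication'; 'E' = 'Email encryption'; 'S' = 'Digital signature' }

function Get-SmartCardCertificateStatus {
    param([int]$WarnDays = 30)
    $now = Get-Date
    Get-ChildItem -Path 'Cert:\CurrentUser\My' | ForEach-Object {
        $cert = $_
        # First RDN of the subject, with the "CN=" prefix removed
        $cn = ($cert.Subject -split ',')[0] -replace '^CN=', ''
        $purpose = 'Unknown (no -A/-E/-S code)'
        if ($cn -match '-(A|E|S)\s*$') { $purpose = $TypeCode[$Matches[1]] }
        $daysLeft = [int]($cert.NotAfter - $now).TotalDays
        $state = if ($daysLeft -lt 0) { 'EXPIRED' }
                 elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
                 else { 'OK' }
        [pscustomobject]@{
            Name       = $cn
            Purpose    = $purpose
            Expires    = $cert.NotAfter.ToString('yyyy-MM-dd')
            DaysLeft   = $daysLeft
            State      = $state
            Thumbprint = $cert.Thumbprint
        }
    }
}

Get-SmartCardCertificateStatus -WarnDays $WarnDays | Sort-Object Expires | Format-Table -AutoSize
```

    Read the output by expiration date: a group of three certificates (one each of Authentication, Email encryption and Digital signature) sharing the same date is a card's current set, and when that group shows EXPIRING it is time to renew; an expired Email encryption certificate on its own is the old key-management history the FAQ says you can dismiss.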

  3. How do I get rid of old certificates?

    Old certificates (e.g., certificates left over after you updated your badge) can cause problems and confusion. When you renew your certificates you should always remove the prior ones. See instructions on how to remove old certificates.

  4. What is the PIV Users certificate?

    The digital certificate issued to PIV Users supports physical access. It is currently not used at NIH.

E-Mail Questions

  1. I got new certificates (or a new badge), how do I read my old encrypted email?

    Follow these key recovery instructions to obtain copies of your prior certificates, which you can then use to read old encrypted emails. When you get new certificates you will also need to reconfigure your applications to use them. Click here for more information.

  2. Can I read encrypted E-Mail on my BlackBerry?

    Yes. Click here for instructions on using your smart card with a BlackBerry.

  3. How do I configure my E-Mail client (e.g., Outlook) to work with my smart card?

    Click here for instructions on how to configure Apple Mail, Entourage or Outlook to work with your smart card.

  4. How do people send me an encrypted email?

    People need a copy of your email encryption digital certificate in order to send you an encrypted email. NIH staff can get your digital certificate from the NIH Global Access List (GAL) providing that you published your certificate to the GAL. For people outside of NIH, you can send them a digitally signed email which includes a copy of your email encryption digital certificate that they can capture into their local contacts list (verify that the Send these certificates with signed messages option is checked in Outlook's encrypted e-mail settings). See the smart card email how-to guides for more information.

  5. When I send an encrypted email, why do I see the message Microsoft Outlook had problems encrypting this message because the following recipients had missing or invalid certificates, or conflicting or unsupported encryption capabilities?

    You will see this message if either you don't have the recipient's email encryption digital certificate or the certificate you have is out-of-date (usually because you are using information in your local contacts list). Please refer to Solving Outlook Encryption Problems for information on how to resolve this problem.

  6. When I publish to the GAL, why does Outlook say it cannot find my certificates?

    First, check the instructions to make sure Outlook is properly configured. Then follow the steps described in the HHS ID Badge (PIV/Smart Card) diagnostic guide (Windows) to verify that your smart card certificates are correct and that your computer is configured properly.

  7. When I read an encrypted e-mail, why does Outlook say Your Digital ID name cannot be found by the underlying security system?

    This error message is displayed when Outlook cannot find the private key associated with the digital certificate used to encrypt the e-mail. First, make sure your smart card is in your smart card reader when you try to read the message.

    If this is a brand new e-mail message, make sure that your current smart card certificate is published to the GAL (see the NIH Smart Card Outlook Configuration and User Guide). It is also possible that the sender used an old certificate from their contacts list to send it to you. Have the sender get your new certificate from the GAL, or send them a digitally signed email so that they can capture your new certificate to their contacts list. Then have the sender resend the encrypted e-mail to you.

    If you are trying to read an old email and you have a newer smart card, you will need to recover your old smart card keys. If you previously had software certificates, you will need to contact the HHSIdentity Help Desk to recover (get back) your old software certificates and private keys.

    Please see Solving Outlook Encryption Problems for more information.

Smart Card Login Questions

  1. Can I use my smart card to log in when my computer is not connected to the network (i.e., NIHnet)?

    Yes, but only if you had previously used your smart card to log in to your computer while it was attached to the network. When you log in to Active Directory, Microsoft stores (caches) your validated credentials on your computer; when you log in without a network connection, your credentials (smart card or password) are compared to what is stored on your computer.

    Note: If you renew your certificates or PIV smart card badge, you must log in to Active Directory (the network) to make sure the cache is updated with your new certificates. This is also true if you change your password (i.e., you must log in with your new password to make sure it is cached).

ActivClient Questions

  1. Can I install ActivClient on my home computer?

    Yes. ActivClient software is licensed per badge. You may install it on as many computers as you need.

  2. Is ActivClient software required?

    Every computer needs PIV middleware to enable it to recognize and use the digital certificates on your smart card. Some operating systems have this middleware built-in (e.g., Windows 7, Mac 10.6.4+). However, even on systems that have built-in middleware, ActivClient is recommended so that you can take advantage of the additional features and functionality that it provides.

  3. Do I need the ActivClient hotfix?

    Maybe. If your smart card is working with your computer and software, you do not need the hotfix. However, if you are having problems with your smart card, the hotfix may address these issues (e.g., not recognizing the new 128k PIV cards used at NIH, Adobe digital signature problems, etc.). Please see the ActivClient Hot Fix Readme File to see if the latest hot fix addresses your problem. You must have system administrator privileges to install the hotfix.

  4. How do I configure ActivClient for shared computers?

    On shared computers, ActivClient can be configured to automatically remove your digital certificates when you remove your smart card. Click here for configuration instructions.

Information and Assistance

For additional information, search the NIH IT Knowledge Base for tutorials, instruction sheets and user guides or refer to the appropriate How-To Guide.

For questions or user support, please contact the NIH IT Service Desk.