OATI's Mission is to address and produce innovative solutions to the
challenges facing the energy industry in a deregulated environment.

 

webCARES Support Frequently Asked Questions

Renewal of the webCARES Root and Issuing CA certificates FAQs

I am an End User. How do I install the webCARES Root and Issuing CA certificates into my Internet Explorer browser?

I am an Administrator. How do I install the webCARES Root and Issuing CA certificates into my Microsoft web server or application?

Why are the webCARES Root and Issuing CA certificates not already installed in my browser?

We do not use your certificates. Do we still need to install the new webCARES Root and Issuing CA certificates?

What does the HTTP 403 error I am getting mean?

I am an End User and am getting the message "Client Certificate is untrusted or corrupt"?

I am an Administrator or developer and am getting the message "Client Certificate is untrusted or corrupt"?

My application uses Java. How do I install your new webCARES Root and Issuing CA certificates so that my Java application will work?

I am an End User. How do I install the webCARES Root and Issuing CA certificates into my Firefox 2.0 browser?


I am an End User. How do I install the webCARES Root and Issuing CA certificates into my browser?

You do not need to worry about installing these certificates as they will be included in the file created when your webCARES Security Officer selects "Include all certificates in the certification path (if possible)" during the normal renewal, export, and installation of your certificate.

Note: If you are an End User and are missing these certificates you can install both of them into your browser once using the OATIpkiChain2.p7b file. This file can NOT be used to install certificates for applications, programs, etc.

  End Users: Installing the Root & Issuing Certificates

       Download http://www.oaticerts.com/repository/OATIpkiChain2.p7b

       Right click on file and choose “Install Certificate”

       Click “Next”

       Choose “Automatically select the certificate store based on the type of certificate”

Note: This makes the certificates available to all applications run by the currently logged in Windows user (e.g. Internet Explorer).

       Choose “Next”, “Finish”, “OK” (to Security Warning) and “OK”


I am an Administrator. How do I install the webCARES Root and Issuing CA certificates into my Microsoft web server or application?

  Services & Applications: Installing the Root certificate

       Download http://www.oaticerts.com/repository/OATICA2.crt

       Right click on file and choose “Install Certificate”

       Click “Next”

       Choose “Place all certificates in the following store”

       Click “Browse” & check “Show physical stores”

       Select “Trusted Root Certification Authorities”

       Select “Local Computer”

Note: This makes the certificate available to all services and applications even if no Windows user is logged in (e.g. IIS, .NET, custom programs).

       Click “OK”, “Next”, “Finish”, and “OK”

  Services & Applications: Installing the Issuing certificate

       Download http://www.oaticerts.com/repository/OATIIA2.crt

       Right click on file and choose “Install Certificate”

       Click “Next”

       Choose “Place all certificates in the following store”

       Click “Browse” & check “Show physical stores”

       Select “Intermediate Certification Authorities”

       Select “Local Computer”

Note: This makes the certificate available to all services and applications even if no Windows user is logged in (e.g. IIS, .NET, custom programs).

       Click “OK”, “Next”, “Finish”, and “OK”.
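
The same two installs can be scripted. The following is an added example, not OATI's own code: because the files are downloaded over plain HTTP, it checks the Root CA against the SHA1 fingerprint printed in the keytool output in the Java FAQ on this page before placing anything in a trust store. The folder C:\Temp\webcares is an assumed download location.

```powershell
# Added example (not OATI's code). Run from an elevated PowerShell prompt.
# Assumption: OATICA2.crt and OATIIA2.crt are already saved in $Dir.
$ErrorActionPreference = 'Stop'
$Dir        = 'C:\Temp\webcares'            # hypothetical download folder
$RootFile   = Join-Path $Dir 'OATICA2.crt'
$IssuerFile = Join-Path $Dir 'OATIIA2.crt'

# SHA1 fingerprint of the Root CA, copied from the keytool output on this page.
$ExpectedRootSha1 = '4B:6B:D2:D3:88:4E:46:C8:0C:E2:B9:62:BC:59:8C:D9:D5:D8:40:13' -replace ':', ''

$type   = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$root   = New-Object -TypeName $type -ArgumentList $RootFile
$issuer = New-Object -TypeName $type -ArgumentList $IssuerFile

# 1. The root must match the published fingerprint before it is trusted.
if ($root.Thumbprint -ne $ExpectedRootSha1) {
    throw "Root CA fingerprint mismatch: got $($root.Thumbprint)"
}

# 2. Name-level sanity checks only (no signature is verified here):
#    the root is self-issued and the issuing CA names the root as its issuer.
if ($root.Subject -ne $root.Issuer)   { throw "$RootFile is not a self-issued root" }
if ($issuer.Issuer -ne $root.Subject) { throw "$IssuerFile does not name the root as issuer" }

# 3. Import into the Local Computer stores named in the steps above.
#    Root = Trusted Root Certification Authorities
#    CA   = Intermediate Certification Authorities
Import-Certificate -FilePath $RootFile   -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath $IssuerFile -CertStoreLocation Cert:\LocalMachine\CA   | Out-Null

# 4. Show which store each certificate ended up in.
Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
    Where-Object { $_.Thumbprint -in $root.Thumbprint, $issuer.Thumbprint } |
    Select-Object PSParentPath, Subject, Thumbprint, NotAfter
```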

Why are the webCARES Root and Issuing CA certificates not already installed in my browser?

"CA" stands for "Certificate Authority". CA certificates are used by Certificate Authorities to prove (via a Digital Signature) that the end user certificates they issue were indeed issued by them. There are generally two kinds of CA certificates, Public and Industry. Public CA certificates are used by the general public and as such come preinstalled in most browsers. Industry CA certificates typically have items unique to a specific industry or industry standard (e.g. validity period, key usages, issuance policies) which prevent them from being preinstalled in a browser. This means end users who wish to use certificates issued from an Industry CA must first manually install its CA certificates.


We do not use your certificates. Do we still need to install the new webCARES Root and Issuing CA certificates?

Yes. If you have a web site, web service, or application which accepts OATI webCARES certificates as part of the login, authentication, or authorization process, then you must install these certificates. If the certificates are NOT installed, an incomplete Certificate Trust List (CTL) will be sent to your users' browser (or application) and they will be unable to choose the correct certificate when prompted (i.e. the browser's "Client Authentication" list of certificates will not show any certificates issued from the new CA certificates, or an application will give a "certificate untrusted or corrupt" message).


What does the HTTP 403 error I am getting mean?

When you get an HTTP 403 error immediately after choosing a client certificate or visiting a web site which uses SSL/TLS (i.e. starts with https://), it typically means you have not correctly installed the new webCARES Root and/or Issuing CA certificates. To confirm exactly what the error means, please turn OFF "friendly" error messages.

Display information on “HTTP 403” errors

     If you are seeing an error displayed in the browser similar to the one below, the first step is to uncheck (disable) the Microsoft Internet Explorer “Show friendly HTTP error messages” and try again.

    Internet Explorer>Tools>Internet Options>Advanced Tab>Browsing Section> uncheck “Show friendly HTTP error messages”> OK

    Close and re-open Internet Explorer and try browsing to the web site again.


I am an End User and am getting the message "Client Certificate is untrusted or corrupt"?

If you are seeing an error displayed in the browser similar to the one below, the first step is to make sure the new webCARES Root and Issuing CA certificates are installed and present in the correct certificate stores (folders) and try again.

IMPORTANT: These troubleshooting steps are for an End User who is experiencing this issue. If a similar error is found in an application or program's log file, or given in the browser while testing the application, please see the FAQ "I am an Administrator or developer and am getting the message 'Client Certificate is untrusted or corrupt'?"

     Step 1: Confirm the OATI webCARES Issuing CA certificate is present.

     Internet Explorer>Tools>Internet Options>Content Tab>Certificates Button>Intermediate Certification Authorities Tab.

     Confirm OATI WebCARES Issuing CA is present. If not present click the "Import…" button and import the certificate downloaded from http://www.oaticerts.com/repository/OATIIA2.crt

     Delete the OATI webCARES Root CA certificate if it is present in this store. Note: The OATI webCARES Root CA should only be in the Trusted Root Certification Authorities certificate store (folder).

     Step 2: Confirm the OATI webCARES Root CA certificate is present.

     Internet Explorer>Tools>Internet Options>Content Tab>Certificates Button>Trusted Root Certification Authorities Tab.

     Confirm OATI WebCARES Root CA is present. If not present click the "Import…" button and import the certificate downloaded from http://www.oaticerts.com/repository/OATICA2.crt

     Delete the OATI webCARES Issuing CA certificate if it is present in this store. Note: The OATI webCARES Issuing CA certificate should only be in the Intermediate Certification Authorities certificate store (folder).

     Step 3: If steps 1 and 2 fail to fix the issue please reinstall the webCARES Root CA certificate and OATI webCARES Issuing CA certificate. Even if these certificates are displayed there are times when the link between the certificate and the corresponding keys can be broken. Reinstalling the certificate will reestablish this link. Please see the appropriate FAQ "How do I install the webCARES Root and Issuing CA certificates into my browser?" for instructions on reinstalling the webCARES Root and Issuing CA certificates.

     Step 4: If steps 1, 2, and 3 fail to fix the issue please reboot the machine.


I am an Administrator or developer and am getting the message "Client Certificate is untrusted or corrupt"?

If you are seeing an error displayed in an application log file similar to "Client certificate is untrusted or corrupt" the first step is to make sure the new CA certificates are present in the correct certificate stores (folders) and try again.

IMPORTANT: You must be a Windows Administrator to complete these steps.

     Step 1: Confirm the OATI webCARES Issuing CA and OATI webCARES Root CA certificates are present.

     Start Button>Run>MMC>OK button>this opens a blank Microsoft Management Console.

     File>Add/Remove Snap-in>Add Button>Choose Certificates Snap-in>Add Button>Computer Account>Next>Local Computer>Finish>Close>OK

     Click the plus (“+”) sign to expand the Certificates (Local Computer)>Expand the Intermediate Certification Authorities store>Select the Certificates store (folder).

     Confirm OATI WebCARES Issuing CA is present. If not present right click on the Certificates folder and choose Import to import the certificate downloaded from http://www.oaticerts.com/repository/OATIIA2.crt

     Delete the OATI Root CA certificate if it is present in this store. Note: The OATI webCARES Root CA should only be in the Trusted Root Certification Authorities certificate store (folder).

     Step 2: Confirm the OATI webCARES Root CA certificate is present.

     From the same Microsoft Management Console opened in the previous step…

     Click the plus (“+”) sign to expand Certificates (Local Computer)>Expand the Trusted Root Certification Authorities store>Select the Certificates store.

     Confirm the OATI WebCARES Root CA is present. If not present right click on the Certificates folder and choose Import to import the certificate downloaded from http://www.oaticerts.com/repository/OATICA2.crt

     Delete the OATI webCARES Issuing CA certificate if it is present in this store. Note: The OATI webCARES Issuing CA certificate should only be in the Intermediate Certification Authorities certificate store (folder).

     Step 3: If steps 1 and 2 fail to solve the issue please reinstall the OATI webCARES Root CA certificate and OATI webCARES Issuing CA certificate. Even if these certificates are displayed there are times when the link between the certificate and the corresponding keys can be broken. Reinstalling the certificate will reestablish this link. Please see the FAQ "How do I install the webCARES Root and Issuing CA certificates into my Microsoft web server or application?" for instructions on reinstalling the webCARES Root and Issuing CA certificates.

     Step 4: If steps 1, 2, and 3 fail to fix the issue please reboot the machine.
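
The store checks in Steps 1 and 2 of both troubleshooting FAQs above (End User and Administrator) can be run as one read-only report. This is an added example, not OATI's own code: it matches by the thumbprint of the downloaded files rather than by display name, and the function name and file paths are assumptions.

```powershell
# Added example (not OATI's code). Read-only: it reports, it does not delete.
# Assumption: the two CA files were saved to the full paths passed in.
function Test-WebCaresCaPlacement {
    param(
        [Parameter(Mandatory)] [string] $RootFile,     # e.g. OATICA2.crt
        [Parameter(Mandatory)] [string] $IssuerFile,   # e.g. OATIIA2.crt
        # LocalMachine = Administrator steps, CurrentUser = End User (browser) steps
        [ValidateSet('LocalMachine', 'CurrentUser')] [string] $Location = 'LocalMachine'
    )
    $type = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
    # Root = Trusted Root Certification Authorities, CA = Intermediate Certification Authorities
    $plan = @(
        @{ Name = 'Root CA';    File = $RootFile;   Right = 'Root'; Wrong = 'CA'   },
        @{ Name = 'Issuing CA'; File = $IssuerFile; Right = 'CA';   Wrong = 'Root' }
    )
    foreach ($p in $plan) {
        $thumb   = (New-Object -TypeName $type -ArgumentList $p.File).Thumbprint
        $inRight = Test-Path "Cert:\$Location\$($p.Right)\$thumb"
        $inWrong = Test-Path "Cert:\$Location\$($p.Wrong)\$thumb"
        $action  = @()
        if (-not $inRight) { $action += "import into $($p.Right)" }
        if ($inWrong)      { $action += "delete from $($p.Wrong)" }
        if (-not $action)  { $action = 'none' }
        [pscustomobject]@{
            Certificate    = $p.Name
            Thumbprint     = $thumb
            InCorrectStore = $inRight
            InWrongStore   = $inWrong
            Action         = $action -join '; '
        }
    }
}

# Hypothetical paths; adjust to where the files were downloaded.
Test-WebCaresCaPlacement -RootFile 'C:\Temp\webcares\OATICA2.crt' `
                         -IssuerFile 'C:\Temp\webcares\OATIIA2.crt' |
    Format-Table -AutoSize
```

Pass -Location CurrentUser to check the stores the End User steps refer to.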

 


My application uses Java. How do I install your new webCARES Root and Issuing CA certificates so that my Java application will work?

•     Step 1. Download the new OATI webCARES Root CA certificate (http://www.oaticerts.com/repository/OATICA2.crt) and save it to your Java bin directory (e.g. C:\Program Files\Java\<JAVA HOME>\bin\OATICA2.cer)

•     Step 2. Add the new Root CA file downloaded in step 1 to your Java keystore

Note: Your Java Keystore name and password will be different than what is used in this example.

C:\Program Files\Java\jre1.5.0_10\bin>keytool -import -trustcacerts -alias OATIroot2038 -file OATICA2.cer -keystore cacerts
Enter keystore password:  123456
Owner: CN=OATI WebCARES Root CA, O=Open Access Technology International Inc, L=Minneapolis, ST=MN, C=US
Issuer: CN=OATI WebCARES Root CA, O=Open Access Technology International Inc, L=Minneapolis, ST=MN, C=US
Serial number: 25762066a7560874f9004bfa1c82841
Valid from: Tue Jun 03 14:28:31 CDT 2008 until: Thu Jun 03 14:36:00 CDT 2038
Certificate fingerprints:
         MD5:  70:0C:AA:D0:49:E7:7B:0B:EB:93:77:FA:57:1D:19:73
         SHA1: 4B:6B:D2:D3:88:4E:46:C8:0C:E2:B9:62:BC:59:8C:D9:D5:D8:40:13
Trust this certificate? [no]:  y
Certificate was added to keystore

•     Step 3. Download the new OATI webCARES Issuing CA certificate (http://www.oaticerts.com/repository/OATIIA2.crt) and save it to your Java bin directory (e.g. C:\Program Files\Java\<JAVA HOME>\bin\OATIIA2.cer)

•     Step 4. Add the new Issuing CA file to your Java keystore

Note: You MUST add the new Root CA certificate first (see steps 1 and 2 above) and run keytool.exe from the default install directory (e.g. C:\Program Files\Java\j2re1.5.0\bin).

Note: Your Java Keystore name and password will be different than what is used in this example.

C:\Program Files\Java\jre1.5.0_10\bin>keytool -import -trustcacerts -alias OATIissuing2023 -file OATIIA2.cer -keystore cacerts
Enter keystore password:  123456
Certificate was added to keystore

•     Step 5. Confirm the new webCARES Root and CA Certificates are present in the Keystore:

Note: Your Java Keystore name and password will be different than what is used in this example and you may have a different number of entries. Please confirm you have the "oatiroot2038" and "oatiissuing2023" entries.

C:\Program Files\Java\jre1.5.0_10\bin>keytool -list -keystore cacerts
Enter keystore password:  123456

Keystore type: jks
Keystore provider: SUN

Your keystore contains 7 entries

oatiroot2038, Jul 7, 2008, trustedCertEntry,
Certificate fingerprint (MD5): 70:0C:AA:D0:49:E7:7B:0B:EB:93:77:FA:57:1D:19:73
oatiroot2009test, Mar 27, 2008, trustedCertEntry,
Certificate fingerprint (MD5): F7:B8:75:A6:3A:EF:A7:E2:5C:42:AC:FB:79:42:C3:EA
oatiroot2009, Mar 27, 2008, trustedCertEntry,
Certificate fingerprint (MD5): F7:B8:75:A6:3A:EF:A7:E2:5C:42:AC:FB:79:42:C3:EA
oatiintermediate2008, Mar 27, 2008, trustedCertEntry,
Certificate fingerprint (MD5): 27:EF:D1:CB:94:39:3A:C2:0B:AB:F8:B1:AB:CF:82:89
oatiissuing2023, Jul 7, 2008, trustedCertEntry,
Certificate fingerprint (MD5): D7:17:3A:7E:A8:04:DA:3E:A4:99:99:B9:20:60:06:A3
oatiissuing2009, Mar 27, 2008, trustedCertEntry,
Certificate fingerprint (MD5): 56:EB:B3:06:6A:20:B5:B1:05:84:DE:32:3A:11:D7:1B
oatiissuing2008, Mar 27, 2008, trustedCertEntry,
Certificate fingerprint (MD5): A9:D9:F4:6B:EC:17:D2:59:F4:A6:E0:CB:49:99:E0:F9


I am an End User. How do I install the webCARES Root and Issuing CA certificates into my Firefox 2.0 browser?

•   From the Tools Menu>Options>Advanced section>Encryption tab>View Certificates button>Authorities tab

•   Click the Import button>find and open the OATI webCARES Root CA file (OATICA2.cer) downloaded from http://www.oaticerts.com/repository/OATICA2.crt

•   Select each check box to trust the "OATI webCARES Root CA" for identifying web sites, email users, and software developers and click OK.

•   Click the Import button>find and open the OATI webCARES Issuing CA certificate file (OATIIA2.cer) downloaded from http://www.oaticerts.com/repository/OATIIA2.crt

•   Select each check box to trust the "OATI webCARES Issuing CA" for identifying web sites, email users, and software developers and click OK.

•   Verify the OATI webCARES Issuing CA and OATI webCARES Root CA are installed under the Open Access Technology International heading.
