Renewal of the webCARES Root and new Issuing CA 2017 certificates FAQs

How do I install the new Issuing CA 2017 certificate into my Java Keystore?

How do I install the webCARES Root and new Issuing CA 2017 certificates into my Mozilla Firefox browser?

I am an End User. How do I install the webCARES Root and new Issuing CA 2017 certificates into my Internet Explorer (IE) browser?

I am an Administrator. How do I install the webCARES Root and new Issuing CA 2017 certificates into my Microsoft IIS web server or application?

We do not use your certificates. Do we still need to install the webCARES Root and new Issuing CA 2017 certificates?

I am an End User and am getting the message "Client Certificate is untrusted or corrupt."

I am an Administrator or developer and am getting the message "Client Certificate is untrusted or corrupt."

My application uses Java. How do I install your webCARES Root and new Issuing CA 2017 certificates so that my Java application will work?

 

How do I install the new Issuing CA 2017 certificate into my Java Keystore?

  • As an Administrator, copy the default Java CA certificates keystore (cacerts) from the security directory to the bin directory

    1. (Windows Only) Right click on the Command Prompt and choose "Run As Administrator"
    2. Copy "C:\Program Files\Java\jreXXX\lib\security\cacerts" "C:\Program Files\Java\jreXXX\bin" (Note: replace jreXXX with your actual directory name, e.g., jre1.8.0_131)

  • Download the new Issuing CA 2017 certificate
    1. Download the http://www.oaticerts.com/repository/OATIIA2017.crt certificate and save it as C:\Program Files\Java\jreXXX\bin\OATIIA2017.cer

  • Import the new Issuing CA 2017 certificate
    1. C:\Program Files\Java\jreXXX\bin>keytool -import -trustcacerts -alias OATIissuing2017 -file OATIIA2017.cer -keystore cacerts -storepass changeit
    2. Trust this certificate? [no]: Yes
       Certificate was added to keystore

  • Confirm the new Issuing CA 2017 certificate has been added to the cacerts keystore

    1. C:\Program Files\Java\j2re1.5.0\bin>keytool -list -keystore cacerts -storepass changeit -alias OATIissuing2017
    2. The cacerts keystore should include this entry: oatiissuing2017, Month Day, Year, trustedCertEntry,
      Certificate fingerprint (SHA1): 84:F0:67:56:2C:59:72:15:B3:CF:6B:FD:D3:C7:1F:DF:21:64:BE:F8
    3. As Administrator, copy the default CA certificates keystore (cacerts) from the bin directory back to the security directory, as this is the default location where Java looks for it

      1. Copy C:\Program Files\Java\j2re1.5.0\lib\security\


How do I install the webCARES Root and new Issuing CA 2017 certificates into my Mozilla Firefox browser?

• From the Tools Menu > Options > Advanced section > Certificates tab > "View Certificates" button > Authorities tab

• Click the "Import" button. Find and open the OATI webCARES Root CA file (OATICA2.cer) downloaded from http://www.oaticerts.com/repository/OATICA2.crt

• Select each check box to trust the "OATI webCARES Root CA" for identifying web sites, email users, and software developers, and click OK

• Click the "Import" button. Find and open the webCARES Issuing CA 2017 certificate file (OATIIA2017.cer) downloaded from http://www.oaticerts.com/repository/OATIIA2017.crt

• Select each check box to trust the "webCARES Issuing CA 2017" for identifying web sites, email users, and software developers, and click OK

• Verify the webCARES Issuing CA 2017 and OATI webCARES Root CA are installed under the Open Access Technology International heading


I am an End User. How do I install the webCARES Root and new Issuing CA 2017 certificates into my Microsoft IE browser?

OATI is part of the Microsoft Root Certificate distribution program, so the webCARES Root and new Issuing CA 2017 certificates will be automatically downloaded during an SSL/TLS session, or installed during the normal renewal, export, and installation of your End User certificate by your webCARES Security Officer (by selecting "Include all certificates in the certification path (if possible)").

Note: If you are an End User and are missing these certificates you can install both of them into your IE browser using the OATIpkiChain4.p7b file. This file can NOT be used to install certificates for applications, programs, etc.

End Users: Installing the Root & Issuing Certificates

Download http://www.oaticerts.com/repository/OATIpkiChain4.p7b

Right click on file and choose “Install Certificate”

Click “Next”

Choose “Automatically select the certificate store based on the type of certificate”

Note: The certificates are installed into the currently logged on user's Windows profile. Each Windows user must install the certificates into their own Windows profile.

Choose “Next,” “Finish,” “OK” (to Security Warning) and “OK”


I am an Administrator. How do I install the webCARES Root and new Issuing CA 2017 certificates into my Microsoft IIS web server or application?

Services & Applications: Installing the Root certificate

Download http://www.oaticerts.com/repository/OATICA2.crt

Right click on file and choose “Install Certificate”

Click “Next”

Choose “Place all certificates in the following store”

Click “Browse”

Select “Trusted Root Certification Authorities”

Click “OK,” “Next,” “Finish,” and “OK”

Services & Applications: Installing the Issuing CA 2017 certificate

Download http://www.oaticerts.com/repository/OATIIA2017.crt

Right click on file and choose “Install Certificate”

Click “Next”

Choose “Place all certificates in the following store”

Click “Browse”

Select “Intermediate Certification Authorities”, "Local Computer"

 

Click “OK,” “Next,” “Finish,” and “OK”.


We do not use your certificates. Do we still need to install the webCARES Root and new Issuing CA 2017 certificates?

Yes. If you have a web site, web service, or application which accepts OATI webCARES certificates as part of the login, authentication, or authorization process, then you must install these certificates. If the certificates are NOT installed, an incomplete Certificate Trust List (CTL) will be sent to your user's browser (or application) and they will be unable to choose the correct certificate when prompted (i.e., the browser's "Client Authentication" list of certificates will not show any certificates issued from the new CA certificates or an application will give a "certificate untrusted or corrupt" message).


I am an End User and am getting the message "Client Certificate is untrusted or corrupt."

If you are seeing an error displayed in the browser similar to the one below, the first step is to make sure the webCARES Root and new Issuing CA 2017 certificates are installed and present in the correct certificate stores (folders) and try again.

IMPORTANT: These troubleshooting steps are for an End User who is experiencing this issue. If a similar error is found in an application or program's log file, or given in the browser while testing the application, please see the FAQ "I am an Administrator or developer and am getting the message 'Client Certificate is untrusted or corrupt.'"

 

Step 1: Confirm the webCARES Issuing CA 2017 certificate is present.

Internet Explorer > Tools > Internet Options > Content Tab > "Certificates" button > Intermediate Certification Authorities Tab

Confirm webCARES Issuing CA 2017 is present. If not present, click the "Import…" button and import the certificate downloaded from http://www.oaticerts.com/repository/OATIIA2017.crt

 

Delete the OATI webCARES Root CA certificate if it is present in this store. Note: The OATI webCARES Root CA should only be in the Trusted Root Certification Authorities certificate store (folder)

Step 2: Confirm the OATI webCARES Root CA certificate is present.

Internet Explorer > Tools > Internet Options > Content Tab > "Certificates" button > Trusted Root Certification Authorities Tab

Confirm OATI WebCARES Root CA is present. If not present, click the "Import…" button and import the certificate downloaded from http://www.oaticerts.com/repository/OATICA2.crt

 

Delete the webCARES Issuing CA 2017 certificate if it is present in this store. Note: The webCARES Issuing CA 2017 certificate should only be in the Intermediate Certification Authorities certificate store (folder)

Step 3: If steps 1 and 2 fail to fix the issue please reinstall the webCARES Root CA certificate and webCARES Issuing CA 2017 certificate. Even if these certificates are displayed, there are times when the link between the certificate and the corresponding keys can be broken. Reinstalling the certificate will reestablish this link. Please see the appropriate FAQ "How do I install the webCARES Root and new Issuing CA 2017 certificates into my browser?" for instructions on reinstalling the webCARES Root and new Issuing CA 2017 certificates.

Step 4: If steps 1, 2, and 3 fail to fix the issue please reboot the machine.


I am an Administrator or developer and am getting the message "Client Certificate is untrusted or corrupt."

If you are seeing an error displayed in an application log file similar to "Client certificate is untrusted or corrupt" the first step is to make sure the new CA certificates are present in the correct certificate stores (folders) and try again.

IMPORTANT: You must be a Windows Administrator to complete these steps.

Step 1: Confirm the webCARES Issuing CA 2017 and OATI webCARES Root CA certificates are present.

"Start" button > Run > MMC > "OK" button > this opens a blank Microsoft Management Console

File > Add/Remove Snap-in > Choose Certificates Snap-in > "Add" button > Computer Account > Next > Local Computer > Finish > Close > OK

 

Click the plus (“+”) sign to expand the Certificates (Local Computer) > Expand the Intermediate Certification Authorities store > Select the Certificates store (folder)

 

Confirm webCARES Issuing CA 2017 is present. If not present right click on the Certificates folder and choose Import to import the certificate downloaded from http://www.oaticerts.com/repository/OATIIA2017.crt

Delete the OATI webCARES Root CA certificate if it is present in this store. Note: The OATI webCARES Root CA certificate should only be in the Trusted Root Certification Authorities certificate store (folder)

Step 2: Confirm the OATI webCARES Root CA certificate is present.

"Start" button > Run > MMC > OK button > this opens a blank Microsoft Management Console

File > Add/Remove Snap-in > Choose Certificates Snap-in > "Add" button > Computer Account > Next > Local Computer > Finish > Close > OK

Click the plus (“+”) sign to expand Certificates (Local Computer) > Expand the Trusted Root Certification Authorities store > Select the Certificates store

Confirm the OATI WebCARES Root CA is present. If not present right click on the Certificates folder and choose Import to import the certificate downloaded from http://www.oaticerts.com/repository/OATICA2.crt

 

Delete the webCARES Issuing CA 2017 certificate if it is present in this store. Note: The webCARES Issuing CA 2017 certificate should only be in the Intermediate Certification Authorities certificate store (folder)

Step 3: If steps 1 and 2 fail to solve the issue please reinstall the OATI webCARES Root CA certificate and webCARES Issuing CA 2017 certificate. Even if these certificates are displayed, there are times when the link between the certificate and the corresponding keys can be broken. Reinstalling the certificate will reestablish this link. Please see the FAQ "How do I install the webCARES Root and new Issuing CA 2017 certificates into my Microsoft web server or application?" for instructions on reinstalling the webCARES Root and new Issuing CA 2017 certificates.

Step 4: If steps 1, 2, and 3 fail to fix the issue please reboot the machine
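The store checks in Steps 1 and 2 can also be scripted. The following is an added example, not part of OATI's instructions: it looks up both certificates by the SHA1 fingerprints printed in this FAQ and reports any that are missing or sitting in the wrong store. The $Location variable is an assumption of the example; set it to CurrentUser to run the same check for the End User FAQ.

```powershell
# Added example (not OATI's code): audit certificate store placement.
# 'LocalMachine' matches the Administrator steps; 'CurrentUser' matches the
# End User steps. Thumbprints are the SHA1 fingerprints printed in this FAQ.
$Location = 'LocalMachine'

# Store names: Root = Trusted Root Certification Authorities,
#              CA   = Intermediate Certification Authorities.
$rules = @(
    [pscustomobject]@{ Name = 'OATI webCARES Root CA'
                       Thumbprint = '4B6BD2D3884E46C80CE2B962BC598CD9D5D84013'
                       Belongs = 'Root'; Forbidden = 'CA' }
    [pscustomobject]@{ Name = 'webCARES Issuing CA 2017'
                       Thumbprint = '84F067562C597215B3CF6BFDD3C71FDF2164BEF8'
                       Belongs = 'CA'; Forbidden = 'Root' }
)

function Test-StoreHas {
    param([string]$Store, [string]$Thumbprint)
    # The Cert: provider exposes each certificate as an item named by its thumbprint.
    return Test-Path -LiteralPath "Cert:\$Location\$Store\$Thumbprint"
}

$report = foreach ($r in $rules) {
    $inRight = Test-StoreHas -Store $r.Belongs   -Thumbprint $r.Thumbprint
    $inWrong = Test-StoreHas -Store $r.Forbidden -Thumbprint $r.Thumbprint

    # A certificate can be both missing from its own store and present in
    # the other one, so collect every action that applies.
    $actions = @()
    if (-not $inRight) { $actions += "import into $($r.Belongs)" }
    if ($inWrong)      { $actions += "delete from $($r.Forbidden)" }
    if ($actions.Count -eq 0) { $actions = @('none') }

    [pscustomobject]@{
        Certificate   = $r.Name
        ExpectedStore = $r.Belongs
        Present       = $inRight
        Misplaced     = $inWrong
        Action        = $actions -join '; '
    }
}

$report | Format-Table -AutoSize
```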


My application uses Java. How do I install your webCARES Root and new Issuing CA 2017 certificates so that my Java application will work?

• Go to Step 3 if the OATI webCARES Root CA certificate has already been installed

• Step 1: Download the OATI webCARES Root CA certificate (http://www.oaticerts.com/repository/OATICA2.crt) and save it to your Java bin directory (i.e., C:\Program Files\Java\<jreXXX>\bin\OATICA2.cer)

• Step 2: Add the new Root CA file downloaded in Step 1 to your Java keystore

Note: Your Java Keystore name and password will be different from what is used in this example.

C:\Program Files\Java\jreXXX\bin>keytool -import -trustcacerts -alias OATIroot2038 -file OATICA2.cer -keystore cacerts -storepass changeit

Owner: CN=OATI WebCARES Root CA, O=Open Access Technology International Inc, L=Minneapolis, ST=MN, C=US

Issuer: CN=OATI WebCARES Root CA, O=Open Access Technology International Inc, L=Minneapolis, ST=MN, C=US

Serial number: 25762066a7560874f9004bfa1c82841

Valid from: Tue Jun 03 14:28:31 CDT 2008 until: Thu Jun 03 14:36:00 CDT 2038

Certificate fingerprints:

MD5: 70:0C:AA:D0:49:E7:7B:0B:EB:93:77:FA:57:1D:19:73

SHA1: 4B:6B:D2:D3:88:4E:46:C8:0C:E2:B9:62:BC:59:8C:D9:D5:D8:40:13

Trust this certificate? [no]: y

Certificate was added to keystore

• Step 3: Download the new webCARES Issuing CA 2017 certificate (http://www.oaticerts.com/repository/OATIIA2017.crt) and save it to your Java bin directory (i.e., C:\Program Files\Java\jreXXX\bin\OATIIA2017.cer)

• Step 4: Add the new Issuing CA 2017 file to your Java keystore

Note: If the OATI webCARES Root CA certificate is not already added to the keystore then you MUST add the new Root CA certificate first (see Steps 1 and 2 above). To see if the OATI webCARES Root CA Certificate is installed, run Step 5 below.

Note: Your Java Keystore name and password may be different from what is used in this example.

C:\Program Files\Java\jreXXX\bin>keytool -import -trustcacerts -alias OATIissuing2017 -file OATIIA2017.cer -keystore cacerts -storepass changeit

Trust this certificate? [no]: Y

Certificate was added to keystore

• Step 5: Confirm the webCARES Root and new Issuing CA 2017 Certificates are present in the Keystore:

Note: Your Java Keystore name and password may be different from what is used in this example and you may have a different number of entries. Please confirm you have the "oatiroot2038" and "oatiissuing2017" entries.

C:\Program Files\Java\jreXXX\bin>keytool -list -keystore cacerts -storepass changeit

oatiroot2038, Month Day, Yr, trustedCertEntry,

Certificate fingerprint (MD5): 70:0C:AA:D0:49:E7:7B:0B:EB:93:77:FA:57:1D:19:73

oatiissuing2017, Month, Day, Yr, trustedCertEntry,

Certificate fingerprint (SHA1): 84:F0:67:56:2C:59:72:15:B3:CF:6B:FD:D3:C7:1F:DF:21:64:BE:F8
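The certificate files are downloaded over plain HTTP, so the fingerprint comparison is the step that establishes what is being trusted. The following is an added example, not OATI's code, covering both Java keystore FAQs on this page: it compares each downloaded file against the SHA1 fingerprint printed in this FAQ before calling keytool, Root CA first. It assumes both files are in the current directory and keytool is on PATH; $Keystore and $StorePass are placeholders for your own values.

```powershell
# Added example (not OATI's code): verify, then import, in the order the FAQ requires.
$Keystore  = 'cacerts'    # assumption: replace with your keystore name
$StorePass = 'changeit'   # assumption: replace with your keystore password

# File name -> alias and SHA1 fingerprint, both as printed in this FAQ.
# Ordered so the Root CA is processed before the Issuing CA.
$cas = [ordered]@{
    'OATICA2.cer'    = @{ Alias = 'OATIroot2038'
                          Sha1  = '4B:6B:D2:D3:88:4E:46:C8:0C:E2:B9:62:BC:59:8C:D9:D5:D8:40:13' }
    'OATIIA2017.cer' = @{ Alias = 'OATIissuing2017'
                          Sha1  = '84:F0:67:56:2C:59:72:15:B3:CF:6B:FD:D3:C7:1F:DF:21:64:BE:F8' }
}

function Test-CaFingerprint {
    param([string]$Path, [string]$ExpectedSha1)
    # X509Certificate2 reads both DER and Base64-encoded files, so the
    # thumbprint is computed over the certificate itself, not the file text.
    $full = (Resolve-Path -LiteralPath $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full
    return $cert.Thumbprint -eq $ExpectedSha1.Replace(':', '')
}

foreach ($file in $cas.Keys) {
    $ca = $cas[$file]

    if (-not (Test-Path -LiteralPath $file)) {
        # Matches the FAQ: the Root CA step is skipped when it is already installed.
        Write-Warning "$file not found in the current directory; skipping."
        continue
    }

    if (-not (Test-CaFingerprint -Path $file -ExpectedSha1 $ca.Sha1)) {
        # Stop completely: nothing after a mismatched file should be imported.
        throw "$file does not match the published SHA1 fingerprint; nothing imported."
    }

    # -noprompt skips "Trust this certificate?" because the fingerprint
    # has already been compared above.
    & keytool -import -trustcacerts -noprompt -alias $ca.Alias -file $file `
        -keystore $Keystore -storepass $StorePass
    if ($LASTEXITCODE -ne 0) { throw "keytool failed while importing $file" }
}

# List the keystore and show only the two entries the FAQ asks you to confirm.
& keytool -list -keystore $Keystore -storepass $StorePass |
    Select-String -Pattern 'oatiroot2038|oatiissuing2017' -Context 0,1
```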
