Transition to NASH SHA-2 Certificates - Notifications

ARCHIVED NOTICES

Services Australia Advice **Amendment** Queens Birthday Long Weekend

Please be advised that there is an amendment to the availability of the vendor environment on the upcoming Queens Birthday Public Holiday on Monday 14 June 2021.

• The OTS Product Integration and Helpdesk teams will not be available.
• The Developer Support team will not be available.
• The OTS Helpdesk phone number 1300 550 115 will be diverted to the on-call number for critical production issues only.

The vendor environment will be available.

Should you have any queries regarding this advice please contact the Developer Support team at [email protected].

---

RESOLVED: Issue impacting the My Health Record system involving the new NASH certificate​

Fri 4 June 2021 2:32 PM

The issue preventing some organisations from uploading to the My Health Record system with the new NASH and OCA certificates, as outlined (below), has been RESOLVED.

Developer Support Team
Health Systems Branch
CORE TECHNOLOGY SERVICES

Tue 1/06/2021 5:21 PM

Please be advised that organisations which update their certificates to the new NASH and OCA may be unable to upload documents to the My Health Record system and may receive the error: PCEHR_ERROR_3002 - Document metadata failed validation.

Recommendations

• Advise your clients to delay the installation of the new NASH and OCA certificates until we have provided confirmation that the issue has been resolved.
• Where possible, please revert your clients to the old NASH and OCA certificate configuration until we have provided confirmation that the issue has been resolved.

Action

• Please reach out to [email protected] to report if any of your clients have received the PCEHR_ERROR_3002 - Document metadata failed validation error after installing the new NASH and OCA certificate.

Developer Support Team 
Health Systems Branch 
CORE TECHNOLOGY SERVICES

---

Services Australia advice: New PKI Certificate Chain of Trust now available

Services Australia’s new PKI Certificate Chain of Trust (SHA-1 OCA) is now available to download from the Verizon Certificates Australia website. Please see the attached PDF for steps on how to access and download the new SHA-1 OCA.

https://developer.digitalhealth.gov.au/sites/default/files/how-to-access-the-new-sha-1-oca-2-june-21.pdf

The new SHA-1 OCA makes up the necessary Chain of Trust used for both the Medicare and NASH PKI Certificates. All SHA-1 Certificates issued from 16 May 2021 are issued under the new Chain of Trust.

All key stores should be updated to include the new SHA-1 OCA as soon as possible. This will ensure your sites are not encountering SSL errors when they access programs outside of Services Australia.

Should you have any questions about this advice, contact the Developer Support team at [email protected].

---

Action required: PKI SHA-1 OCA Renewals

If a healthcare provider has requested a NASH certificate after the 15^th of May 2021, the organisation will need to ensure the new SHA-1 OCA is installed into their machine in order to connect to the My Health Record system. Depending on your software’s configuration, the installation of the intermediary certificate (SHA-1 OCA) may happen automatically (i.e. using the Windows Certificate Import Wizard), if your system does not allow for automatic installation please advise your clients to download the new certificates from the Verizon website and provide instructions to your client for installation.

Actions - if your system is not able to automatically update the intermediary certificate when installing the NASH certificate:

1. provide instructions to your clients on how to access the SHA-1 OCA; and
2. provide instruction on how to install the SHA-1 OCA into their machine.

---

Services Australia advice: PKI SHA-1 OCA Renewal Deployment Successful 

Services Australia is pleased to confirm that the deployment of renewed PKI Certificate Chain of Trust (otherwise referred to as the new SHA-1 OCA) was successfully implemented on 15 May 2021.

Next steps

• Sites with version 6.11.4 (and above) of the adaptor (client, server and enterprise), no further action is required. The new certificate will be automatically renewed via their normal transmission, unless their certificates have already been auto renewed twice previously (certificates already issued twice will need to be manually renewed via a CD). 
• Sites with version 6.11.3 (and below) of the adaptor will have their new certificates sent out on a CD prior to their current certificate expiring date.
• Software developer supporting sites participating in digital health programs using NASH PKI Certificates must ensure installation of the new OCA and the SHA-2 OCA to ensure business continuity.
• Note: All new site certificates will have an expiry date of June 2024 (the new OCA expiry date is July 2026 which is visible through a PSI or JKS certificate store).

It is still essential to develop web services compatible software and commence product certification (Notice of Integration) by November 2021, and deploy your products to your end-users by 13 March 2022.

For more information about the OCA renewal, email [email protected].

For technical assistance, call Services Australia’s Online Technical Support team on 1300 550 115.

---

Production PKI Certificate Chain of Trust

Services Australia previously advised they will be renewing the PKI Certificate Chain of Trust (otherwise referred to as the new SHA-1 OCA) in the production environment. This will ensure ongoing business continuity in the transition to PRODA and NASH SHA-2. Current production SHA-1 PKI Certificates will not be impacted however, over the coming months, all Medicare SHA-1 PKI Site Certificates will be renewed under the new SHA-1 OCA. Please note: PKI Site Certificates in the vendor test environment will also continue without disruption.

From Sunday 16 May 2021, sites with Client Adaptor 6.11.4 and above who currently transmit to Services Australia will have the new SHA-1 OCA automatically pushed out to them.

Clients on Client Adaptor 6.11.3 and below will need to update their certificate store manually. The new production SHA-1 OCA will be included when a site receives their new PKI certificate on a CD, where their new certificate is issued after 16 May 2021.

Site certificates issued under the new production SHA-1 OCA will have an expiry date in June 2024.

NASH PKI certificates will also leverage the new production SHA-1 OCA to ensure continuity for digital health programmes, including Healthcare Identifiers, My Health Record and Secure Messaging. Please note that NASH will continue to transition to SHA-2 PKI certificates.

The new production OCA will be available on the Verizon website. We will let you know when it is available.  

In the PSI or JKS certificate store, you will see the expiry date 3 July 2026 for the new OCA displayed.

Below is an example showing a TEST OCA in a PROD store. The RCA is dated July 10 2026.

Why are we renewing the PKI OCA?

The renewal of the SHA-1 OCA PKI Certificate is a business continuity measure to provide Services Australia with control of the transition to PRODA, should something unforeseen occur between now and 13 March 2022.

If we were required to renew all Medicare PKI certificates at the last minute, it would take months for the renewed Medicare PKI certificates to be deployed. This would result in loss of access to digital channels for healthcare services to Services Australia and would create a huge impost on the healthcare system.

Given the significance of this risk, Services Australia determined the renewal of the SHA-1 OCA PKIs to be the best mitigation strategy.

What does this mean for you?

It is still essential to develop web services compatible software and commence product certification (Notice of Integration/Notice of Connectivity) by November 2021, and deploy your products to your end-users by 13 March 2022.

The combination of adaptor and PKI technology will not be supported to access Medicare Online, ECLIPSE, DVA, AIR, PBS Online and Aged Care Online after 13 March 2022.

For more information

For more information about the OCA renewal, email [email protected].

For technical assistance, call Services Australia’s Online Technical Support team on 1300 550 115.

---

NASH SHA-1 & SHA-2 upgrade – Installing the SHA-2 Chain of Trust

Date: Tuesday, April 20, 2021

Services Australia will go-live with SHA-2 NASH PKI Certificates in September 2021, which means that some of your customers may start using NASH SHA-2 PKI Certificates from September 2021.

If your customers have not installed the SHA-2 Chain of Trust prior to that date, they may encounter errors when:

• sending and receiving Secure Messages
• accessing My Health Record Documents

The requirements to install the SHA-2 Chain of Trust prior to SHA-2 NASH PKI Certificate go-live applies to all users irrespective of the NASH Certificates SHA level (i.e. Certificate Policy) that they hold.

The SHA-2 Organisation Certification Authority (OCA) and Root Certificate Authority (RCA) Certificates can be downloaded from: Certificates Australia

To make things easier for your customers please consider:

• Including the SHA-2 OCA and RCA Certificates in any Software product rollout/release plan

Please note: NASH SHA-1 PKI Certificates will no longer be supported as of 13 March 2022. You will progressively hear more about what you need to do for this change through government communications throughout this year. For more information on key dates, FAQs, support and technical requirements, please visit our recently updated Developer Centre webpages.

Should there be any concerns or questions with the above, or should you require additional assistance or information, please contact the Agency via [email protected].

---

Changes coming for National Authentication Service for Health (NASH) PKI Certificates and the Healthcare Identifiers (HI) Service

Date: Wednesday, December 16, 2020

Make sure your workplan includes:  

- transition from SHA-1 NASH PKI certificates to SHA-2 NASH PKI certificates 
- using a NASH PKI Certificate to access the HI Service

You have less than 16 months until the Organisation Certificate Authority (OCA) that supports both NASH SHA-1 PKI organisation certificates (1.10.1.1 for  Healthcare provider organisations & 1.12.1.1 for supporting organisations) and Medicare SHA-1 PKI organisation certificates (1.6.1.2) expires.

From 13 March 2022 software products participating in:

• My Health Record;
• Healthcare Identifiers (HI) Service;
• Electronic Prescribing; and
• Secure Messaging

will require a NASH SHA-2 PKI certificate (1.20.1.1 for Healthcare provider organisations & 1.22.1.1 for supporting organisations)

What you should do now:

• Request a test SHA-2 NASH PKI organisation certificate and test to ensure your software product compatible with both SHA-1 and SHA-2.
• Test HI Service can be accessed using a NASH PKI Organisation certificate (SHA-1 and SHA-2).
• Advise your customers these changes are coming and deadline of March 2022.

What you should start planning:

• Installation and rollout of all SHA-1 and SHA-2 Chain of Trusts (Root Certificate Authority (CA) and Organisation Certificate Authority (OCA)) to support the transition period. Note: ADHA is working with Services Australia to streamline this.
• Advise your customers they will be able to request and download SHA-2 NASH PKI certificates via HPOS towards the end of 2021. Note: More information on this to come.

Important Information:

• The SHA-1 algorithm used to generate a digest within the XML signature will not transition to SHA-2. This means that the Australian Technical Standard - ATS5821-2010 eHealth XML Secure payload profiles still applies in its current form.
• All SHA-1 NASH PKI certificates will expire when the SHA-1 OCA expires on 13 March 2022.
• HI Service Notice of Connection and HI conformance testing for software products already connected to the HI Service is not required.

Contact matrix for support:

Services Australia	Action	Contact
Test Certificate	To request a Test NASH SHA-2 certificate	[email protected]
Technical Support	For technical support on using the Software Vendor Test (SVT) environment or Test NASH SHA-2 certificate	[email protected]
Production NASH SHA-2	To request a Production NASH SHA-2 certificate	In late 2021 this will be available via HPOS for Healthcare Organisations.

For support on developing or integrating your software products for MHR or HI Service.

Phone : 1300 901 001 Email: [email protected]

---

Notice of changes

Changes are coming for National Authentication Service for Health (NASH) PKI Certificates and the Healthcare Identifiers (HI) Service. Make sure your work plan includes: Transition from SHA-1 to SHA-2 NASH PKI certificates and using a NASH PKI Certificate to access the HI Service.

Learn more

Services Australia advice: Service Australia’s future use of PKI Certificates 

Services Australia acknowledges that some healthcare organisations require significant testing to ensure daily operations are not adversely impacted in the transition from PKI to PRODA.

For this reason, we are renewing the SHA-1 OCA Public Key Infrastructure (PKI) certificate and Medicare PKI certificates to make sure there is ongoing business continuity. National Authentication Services for Health (NASH) PKI certificates will also be available for renewal. You won’t be able to use your Medicare PKI Certificates to access our digital health and aged care channels after 13 March 2022, but other functions will still be available. You must continue your development of web services and ensure your software products are deployed to your customers by 13 March 2022.

Services Australia will commence the OCA renewal towards the end of April 2021 and be complete by mid May 2021.

If you have any questions or concerns, please contact Online Technical Support on 1300 550 115.

Services Australia advice: Canberra Day Public Holiday – OTS and Developer Support availability 

Services Australia advises that there will be a change in the availability of the Developer Support and Online Technical Support (OTS) teams over the upcoming Canberra Day public holiday on Monday 8 March 2021.

•        The OTS Helpdesk will be available during business hours: 08:30 – 17:00 (AEDT).
•        The Developer Support and OTS Product Integration teams will not be available.  

Should you have any queries regarding this advice please contact the Developer Support team at [email protected].