ECA-External Certificate Authority

Frequently Asked Questions

Requesting a Certificate

How do I get an ECA Identity and Encryption Certificate?

Take a look at the

I get an error message saying that a “1B6” error has occurred?

This occurs when using Microsoft Internet Explorer on a computer with the Microsoft Windows Vista or Windows 7 operating system (and sometimes when using Microsoft Internet Explorer 7.x or 8.x on a computer with the Microsoft Windows XP operating system). This error message means that no certificate keys were generated by the Microsoft operating system. This does NOT mean that ORC certificates do not work in Internet Explorer (ORC certificates DO work in Internet Explorer); it means that the Microsoft operating system on your computer will not generate keys. Key generation is the first step in the creation of a digital certificate, but Microsoft is no longer supporting common procedures for generating certificate keys.

We recommend that you download and install Mozilla Firefox (available at: http://www.mozilla.org/). Mozilla-based web browsers (Netscape and Firefox) have the capability of generating keys on their own; they do not rely on the computer’s operating system for this. (FYI – this is why Firefox can generate keys on an Apple Macintosh computer.) You can make your requests and then import the issued certificates via Mozilla Firefox. You then make back-up files of the certificates (something you want to do regardless of what browser you use) and import the certificates into Internet Explorer.

Why am I getting a Security Alert message that there is a problem with the ORC site’s certificate?

You have not properly trusted the ORC ECA Certificate Authority.

Go to the ORC ECA Instructions page and find the instructions for your browser to Trust the ORC ECA Certificate Authority.

I am being asked for a password but haven’t created one yet.

This should only occur if you are using Netscape or Firefox. These browsers use something called a “Master Password” to protect the certificate store (also called the software security device and the internal cryptographic device). This Master Password also protects the “Password Manager” function in these browsers. So, if you are using the Password Manager feature, you may have set the Master Password at some previous time. If you cannot recall (or cannot discover) the correct Master Password, then you should ‘reset’ the Master Password BEFORE you make and submit certificate requests.

WARNING: If you reset the Master Password, all information protected by that Master Password (the Password Manager and the certificate store) will be deleted. So this will destroy any certificates currently protected by the Master Password that you are resetting.

Can I get certificates on my Apple Macintosh computer?

Yes, but we do not recommend that you use Safari; you should install a different browser.

We recommend that you download and install Mozilla Firefox (available at: http://www.mozilla.org/). Mozilla-based web browsers (Netscape and Firefox) have the capability of generating keys on their own; they do not rely on the computer’s operating system for this. You might want to consider downloading/installing Thunderbird (the email client companion to Firefox) if you need to use digitally signed/encrypted email.

I get an error message that the CA cannot process my request.

The CA requires specific syntax for certificate requests. Most of this syntax is generated or checked by the form. However, in some cases, the input form allows incorrect syntax. Request the certificate again and make sure that all fields are filled in, and that there are no commas in the entries. It is better to start from http://eca.orc.com and “order certificates” instead of using the back button because sometimes the browser does not correctly resubmit data from the form.

Accepting a Certificate

I am copying the URL from the email message, but I keep getting an error message.

The URL should look like:
“https://server.eca.orc.com/cms?op=displayBySerial&serialNumber=XX”
or

“https://server.eca.orc.com/cms?op=displayBySerial&serialNumber=XX:XX”

where server is the name of the CA that the certificate was requested from, and the Xs are hexadecimal numbers. Generally, the problem is that the end of this URL is chopped off. Have the subscriber key the end of the URL into their browser.
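
An added example, not part of the ORC page or ORC's tooling: a small Python check that a help desk could run on the URL a subscriber pasted, to report which part of it was cut off. The function name is hypothetical, and it assumes each XX group is one or more hexadecimal digits, with groups separated by colons.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: each "XX" group is one or more hex digits, groups joined by ":".
SERIAL_RE = re.compile(r"[0-9A-Fa-f]+(?::[0-9A-Fa-f]+)*")
HOST_SUFFIX = ".eca.orc.com"


def check_acceptance_url(url):
    """Return a list of problems; an empty list means the URL is well formed."""
    problems = []
    # Mail clients often wrap the link in straight or curly quotes; drop them.
    parts = urlsplit(url.strip().strip("“”\"'"))
    if parts.scheme != "https":
        problems.append("scheme is not https")
    host = (parts.hostname or "").lower()
    if not (host.endswith(HOST_SUFFIX) and len(host) > len(HOST_SUFFIX)):
        problems.append("host is not <server>.eca.orc.com")
    if parts.path != "/cms":
        problems.append("path is not /cms")
    query = parse_qs(parts.query, keep_blank_values=True)
    if query.get("op") != ["displayBySerial"]:
        problems.append("op=displayBySerial is missing or cut off")
    serial = query.get("serialNumber")
    if serial is None:
        problems.append("serialNumber parameter is missing (URL cut off)")
    elif len(serial) != 1 or not SERIAL_RE.fullmatch(serial[0]):
        problems.append("serialNumber is empty or not hexadecimal (URL cut off)")
    return problems


if __name__ == "__main__":
    # Constructed samples; "server" is the page's own placeholder host name.
    samples = [
        "https://server.eca.orc.com/cms?op=displayBySerial&serialNumber=1A:2B",
        "https://server.eca.orc.com/cms?op=displayBySerial&serialNumber=1A:",
        "https://server.eca.orc.com/cms?op=displayBySer",
    ]
    for sample in samples:
        print(sample, "->", check_acceptance_url(sample) or "OK")
```

A serial number that lost only its last digits is still valid hexadecimal and passes this check, so compare the full value against the email when the CA still reports an error.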

When I try to download my issued certificate, I get an “Accept in PKCS7” error message.

If you are getting the “Error in accept PKCS7” message, that means that the Microsoft OS/Internet Explorer cannot find the private key(s) for those certificates. (Please note that this does not necessarily mean that the private key(s) are not there, just that the MS system cannot find them.)

This happens because: 

  • the request was done under a different log-in profile (you are logged on under a different username/password) than when the request was made
  • or the request was made with a different browser (for example, Firefox)
  • or the request was made on a different computer than the one you are trying to import it on
  • or something was done to the machine (like an update to the operating system – a Windows update, profile change, computer re-imaged, etc.)

You will only be able to import the issued certificate onto the same computer, same log-in profile, and using the same web browser as when you made the on-line request. (i.e. as when you got the “Print this form” web page).

I get the error message that there is no matching private key.

This is the Mozilla (Netscape/Firefox) equivalent to the Microsoft “Accept in PKCS7” error message discussed above.

This happens because:

  • the request was done under a different log-in profile (you are logged on under a different username/password) than when the request was made
  • or the request was made with a different browser (for example, Internet Explorer)
  • or the request was made on a different computer than the one you are trying to import it on
  • or something was done to the machine (like an update to the operating system – a Windows update, profile change, computer re-imaged, etc.)

You will only be able to import the issued certificate onto the same computer, same log-in profile, and using the same web browser as when you made the on-line request. (i.e. as when you got the “Print this form” web page).

I am using a different workstation.

If you have switched workstations, or are trying to accept the certificate from home, you will be unable to retrieve the certificate. Go back to the original workstation that was used to request the certificate. Once the certificate has been accepted, it can be exported and imported into other workstations.

My workstation has been upgraded since the request was made.

If your workstation has been upgraded (i.e., a new operating system or a new version of Netscape), the private key that goes with the certificate may have been inadvertently deleted. If so, it cannot be recovered. You will have to delete the certificate database file, request a new certificate, and request that the current certificate be revoked.

My password is not working.

Passwords are case sensitive.

If the subscriber cannot remember his or her password, it cannot be recovered. He or she will have to request a new certificate, and request that the current certificate be revoked.

Using a Certificate

My password is not working.

Passwords are case sensitive.

If the subscriber cannot remember his or her password, it cannot be recovered. He or she will have to request a new certificate, and request that the current certificate be revoked.

How do I take my certificate to a new workstation?

You can export your certificate to a floppy disk and import it on another workstation. See the subscriber instructions for exporting and importing certificates.

I have a certificate, but I cannot access the application.

If a certificate is rejected from the application, either the application requires additional access approval beyond holding an ECA PKI certificate, or the certificate is not properly loaded into the directory that the application is using. Check the directory listing directly. If the certificate is not there, contact ORC for assistance. If the certificate is there, contact the application technical support for assistance.