When attempting to register, log in, or authenticate a token with a CAC, users may receive the following error:
Error: The certificate validation trust failed ...
Possible Causes:
- The certificate is unreadable or valicert is unavailable
- The certificate used is invalid
- The certification path on the certificate contains invalid entries
- The certificate used is not on the trusted issuer list
Possible Solutions:
Check Certificates in Internet Options
- From an open Internet Explorer window click Tools and select Internet Options or from the Control Panel
click on Internet Options
- Click the Content Tab
- Under Certificates
- Click Clear SSL State
- Click OK on the confirmation that the cache was cleared
- Click Certificates
- Under the Personal Tab
- Identify the listed certificates
- Typical CAC users will have three listed certificates
- Under Issued To should be the user's name followed by the dodID number
- Under Issued by you should typically see one or two Email certificates, and one
NON-Email certificate.
- The NON-Email [ALL] Certificate is the one used by PIEE
- If invalid certificates are listed, see Republish Certificate(s)
- Select the NON-Email Certificate
- Click View
- Under the General Tab
- Check the Valid from dates to ensure the certificate is not
expired
- Under the Certification Path
- Check the certification path is valid
- The Certification Path is typically three levels deep
- The path should look like this:
- DoD Root CA 3
- DOD CA -XX [where XX = the CA issuing number]
- Lastname.first.I.xxxxxxxxxxxxxxxxx ....
- If the Certification Path is invalid: see Correct Certification Path
- If the certification path is correct
- Verify the certificate is a valid X509 Certificate for Digital Signing and
Non-Repudiation. Non-repudiation is only required for signing documents
in the PIEE.
- Click the Details tab and scroll to Key Usage
- Verify that both Digital Signature and Non-Repudiation
are displayed
- If the certificate is missing Non-Repudiation the
certificate will need to be re-issued.
- Click OK on the Certificate dialog.
- Click Close on the Certificates dialog
- Click OK on the Internet Options dialog
Correct Certification Path
Correcting the certification path can resolve errors with certificates not being found, readable, or
verifiable.
This may require local administrative rights
- From an open Internet Explorer window click Tools and select Internet Options or from the Control Panel
click on Internet Options
- Click the Content Tab
- Click Certificates
- Under the Personal Tab, select the NON-Email Certificate
- Click View
- Under the Certification Path
- Check the certification path is valid
- The Certification Path is typically three levels deep
- The path should look like this:
- DoD Root CA 3
- DOD CA -XX [where XX = the CA issuing number]
- Lastname.first.I.xxxxxxxxxxxxxxxxx ....
- If the Certification Path is invalid:
- Make note of each certificate listed above DoD Root CA 3
- e.g. DoD Interoperability
- Click OK on the Certificate window
- On the Certificates window
- Click on the Intermediate Certification Authorities Tab
- Remove all the certificates that were listed above DoD Root CA 3
- e.g. DoD Interoperability
- Click on the Trusted Root Certification Authorities Tab
- Remove all the certificates that were listed above DoD Root CA 3
- e.g. DoD Interoperability
- Click Close on the Certificates dialog
- Click OK on Internet Options
Republish Certificate(s)
Removing and republishing user certificates can correct issues with certificates not being available,
readable, or verifiable.
Before proceeding notify the user that some of the following steps may require a local system administrator.
These steps cannot be completed without ActivClient and access to the ActivClient User Console. If that is
not available do not proceed.
- From an open Internet Explorer window click Tools and select Internet Options or from the Control Panel
click on Internet Options
- Click the Content Tab
- Under Certificates
- Click Clear SSL State
- Click OK on the confirmation that the cache was cleared
- Click Certificates
- Under the Personal Tab
- Remove all listed certificates [NOTE: Email certificates can be left]
- Once all certificates are removed, click Close and then OK on Internet Options
- Open ActivClient User Console
- Start > All Programs > ActivIdentity > ActivClient
- Select User Console
- Click Tools
- Select Advanced
- Click "Forget state for all cards" – or – Reset Optimization Cache (this removes
and republishes in one step)
- After confirmation, return to the Tools > Advanced menu
- Click "Make Certificates Available to Windows"
- The CAC certificates should now be republished and available to use.
NOTE: The options to forget state and make certificates available are not in ActivClient version 8; use
Reset Optimization Cache instead (this removes and republishes in one step).
When attempting to register, log in, or authenticate a token with a CAC, users may receive the following error:
Error: A situation has occurred where your 'Session ID' has been assigned twice. In order to continue to
use the application it is required for you to CLOSE YOUR BROWSER. Once you have closed and reopened your
browser, you will be able to continue with the Procurement Integrated Enterprise Environment. If you are using the
IE 7 browser or a greater version of IE browser then close the whole browser, do not attempt to login on
multiple tabs.
Possible Causes:
- Closing your browser window without logging out of PIEE
- PIEE open on another tab.
- Browser unexpectedly crashed and auto-recovered.
Possible Solutions:
Clear Browser Cache
Clearing the browser Temporary Internet File Cache can resolve many common browser and performance issues.
Some users may not have access to delete their own temporary internet files; in that case refer the user to
a system administrator.
- From an open Internet Explorer window click Tools and select Internet Options or from the Control Panel
click on Internet Options
- On the General Tab
- Under Browsing History click Delete
- Uncheck "Preserve Favorites Website Data" [if available]
- Check "Temporary Internet Files" [if unchecked]
- Check "Cookies" [if unchecked]
- Click Delete
Adjust IE Settings
Adjusting the Internet Explorer Browser settings can solve many common problems. Not all of the following
settings will be available to all users depending on local security policy.
- From an open Internet Explorer window click Tools and select Internet Options or from the Control Panel
click on Internet Options
- On the General Tab
- Clear the Browser Cache
- Under Browsing History click Delete
- Uncheck "Preserve Favorites Website Data" [if available]
- Check "Temporary Internet Files" [if unchecked]
- Check "Cookies" [if unchecked]
- Click Delete
- Click Settings under Browsing History
- Under Check for newer versions of stored pages
- Select "Every time I visit the webpage"
- Click OK
- Click Settings under Tabs
- Under When a Pop-up is encountered
- Select "Let Internet Explorer decide …"
- Click OK
- Click Security Tab
- Select Trusted Sites
- Click Sites
- If unlisted Add:
- https://*.eb.mil
- https://*.disa.mil
- Click Close
- Security level for Trusted sites should be Medium or lower
- If checked, uncheck Enable Protected Mode
- Click Privacy Tab
- If Pop-up Blocker is enabled [if disabled/unchecked continue to Content]
- Click Settings
- Add the following sites if they are not listed
- https://*.eb.mil
- https://*.disa.mil
- Click the Content Tab
- Under Certificates
- Click Clear SSL State
- Click OK on the confirmation that the cache was cleared
- Click on the Advanced Tab
- Under Browsing
- Check [if unchecked] "Show Friendly HTTP error messages"
- Under Security
- Uncheck "Use SSL2.0"
- Check "Use SSL 3.0"
- Check "Use TLS 1.0"
- Uncheck "Use TLS 1.1"
- Uncheck "Use TLS 1.2"
- Additional Steps:
- [If the user is a CAC user: Check Certificates in Internet Options]
- Check IE Compatibility View
- If problems persist
- From the Advanced tab under Reset Internet Explorer settings
- Click Reset
- NOTE: This will reset any custom settings the user may require. This should only be done
if the end user understands this and the browser is otherwise unusable.
When attempting to log in or register with a CAC, users may receive errors related to the OCSP.
Most OCSP errors during CAC login are caused by network outages, OCSP server misconfiguration or downtime,
and/or Certificate Revocation Lists that have not been updated.
The Certificate Revocation Lists (CRL) are cached for the PIEE server certificate and applet code signing
certificate as this is handled on the Operating System / Browser level.
Verification
- Has the certificate login ever worked with this certificate?
- Are other users receiving the same error?
- Is OCSP available?
Possible Solutions:
If CAC login has worked in the past and there are no known or reported issues connecting to the OCSP:
Clear Browser Cache
Clearing the browser Temporary Internet File Cache can resolve many common browser and performance issues.
Some users may not have access to delete their own temporary internet files; in that case refer the user to
a system administrator.
- From an open Internet Explorer window click Tools and select Internet Options or from the Control Panel
click on Internet Options
- On the General Tab
- Under Browsing History click Delete
- Uncheck "Preserve Favorites Website Data" [if available]
- Check "Temporary Internet Files" [if unchecked]
- Check "Cookies" [if unchecked]
- Click Delete
To delete OCSP and/or CRL cache from your Windows system:
- Go to Start Menu > Run
- Type cmd and press Enter
- In the command prompt, type the following command and press Enter to execute:
- certutil -urlcache * delete
- Reboot your computer
- Obtain a copy of the certificate and contact the service desk
If CAC login has NEVER worked:
- Obtain a copy of the certificate and contact the service desk
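For the "Is OCSP available?" verification question above, a help desk can separate a genuinely revoked certificate from a revocation service that cannot be reached. The following PowerShell is an added example, not part of the original page; it assumes the exported copy of the user's certificate is saved at the placeholder path `.\user-cert.cer`.

```powershell
# Added example, not from the original page. Read-only revocation triage.
# $CertPath is a placeholder for the exported copy of the user's certificate.
param([string]$CertPath = '.\user-cert.cer')

$path  = (Resolve-Path $CertPath).Path
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode      = 'Online'       # allow network retrieval of OCSP/CRL data
$chain.ChainPolicy.RevocationFlag      = 'ExcludeRoot'  # check every certificate except the root
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15
[void]$chain.Build($cert)

# Per-certificate view: which element of the path carries which status
$chain.ChainElements | ForEach-Object {
    [pscustomobject]@{
        Certificate = $_.Certificate.GetNameInfo('SimpleName', $false)
        Status      = (@($_.ChainElementStatus | ForEach-Object { $_.Status.ToString() }) -join ', ')
    }
}

# Overall classification from the chain-level status flags
$status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
if ($status -contains 'Revoked') {
    'RESULT: a certificate in the path is revoked'
}
elseif (($status -contains 'RevocationStatusUnknown') -or ($status -contains 'OfflineRevocation')) {
    'RESULT: revocation status could not be determined (OCSP/CRL unreachable or not current)'
}
elseif ($status.Count -eq 0) {
    'RESULT: path and revocation checks passed'
}
else {
    'RESULT: other path error: ' + ($status -join ', ')
}
```

If the same certificate returns "could not be determined" from several workstations, the problem is on the network or responder side rather than in the user's local cache.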
When attempting to register, log in, or authenticate a token with a CAC, users may receive the following error:
Error: Next update value not found in the CRL list
Possible Solutions:
Clear Browser Cache
Clearing the browser Temporary Internet File Cache can resolve many common browser and performance issues.
Some users may not have access to delete their own temporary internet files; in that case refer the user to
a system administrator.
- From an open Internet Explorer window click Tools and select Internet Options or from the Control Panel
click on Internet Options
- On the General Tab
- Under Browsing History click Delete
- Uncheck "Preserve Favorites Website Data" [if available]
- Check "Temporary Internet Files" [if unchecked]
- Check "Cookies" [if unchecked]
- Click Delete
Check Certificates in Internet Options
- From an open Internet Explorer window click Tools and select Internet Options or from the Control Panel
click on Internet Options
- Click the Content Tab
- Under Certificates
- Click Clear SSL State
- Click OK on the confirmation that the cache was cleared
- Click Certificates
- Under the Personal Tab
- Identify the listed certificates
- Typical CAC users will have three listed certificates
- Under Issued To should be the user's name followed by the dodID number
- Under Issued by you should typically see one or two Email certificates, and one
NON-Email certificate.
- The NON-Email [ALL] Certificate is the one used by PIEE
- If invalid certificates are listed, see Republish Certificate(s)
- Select the NON-Email Certificate
- Click View
- Under the General Tab
- Check the Valid from dates to ensure the certificate is not
expired
- Under the Certification Path
- Check the certification path is valid
- The Certification Path is typically three levels deep
- The path should look like this:
- DoD Root CA 3
- DOD CA -XX [where XX = the CA issuing number]
- Lastname.first.I.xxxxxxxxxxxxxxxxx ....
- If the Certification Path is invalid: see Correct Certification Path
- If the certification path is correct
- Verify the certificate is a valid X509 Certificate for Digital Signing and
Non-Repudiation. Non-repudiation is only required for signing documents
in the PIEE.
- Click the Details tab and scroll to Key Usage
- Verify that both Digital Signature and Non-Repudiation
are displayed
- If the certificate is missing Non-Repudiation the
certificate will need to be re-issued.
- Click OK on the Certificate dialog.
- Click Close on the Certificates dialog
- Click OK on the Internet Options dialog
Correct Certification Path
Correcting the certification path can resolve errors with certificates not being found, readable, or
verifiable.
This may require local administrative rights
- From an open Internet Explorer window click Tools and select Internet Options or from the Control Panel
click on Internet Options
- Click the Content Tab
- Click Certificates
- Under the Personal Tab, select the NON-Email Certificate
- Click View
- Under the Certification Path
- Check the certification path is valid
- The Certification Path is typically three levels deep
- The path should look like this:
- DoD Root CA 3
- DOD CA -XX [where XX = the CA issuing number]
- Lastname.first.I.xxxxxxxxxxxxxxxxx ....
- If the Certification Path is invalid:
- Make note of each certificate listed above DoD Root CA 3
- e.g. DoD Interoperability
- Click OK on the Certificate window
- On the Certificates window
- Click on the Intermediate Certification Authorities Tab
- Remove all the certificates that were listed above DoD Root CA 3
- e.g. DoD Interoperability
- Click on the Trusted Root Certification Authorities Tab
- Remove all the certificates that were listed above DoD Root CA 3
- e.g. DoD Interoperability
- Click Close on the Certificates dialog
- Click OK on Internet Options
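The checks in Check Certificates in Internet Options and Correct Certification Path (validity dates, Key Usage, and the path up to DoD Root CA 3) can be read in one pass from PowerShell. This is an added example, not part of the original page; it only reads the current user's Personal store and skips revocation lookups so that it evaluates the path alone.

```powershell
# Added example, not from the original page. Read-only: nothing is removed or changed.
$kuType       = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
$expectedRoot = 'DoD Root CA 3'   # top of the path as shown in the steps above

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_

    # Key Usage extension carries the Digital Signature and Non-Repudiation bits
    $ku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
    }
    $flags = if ($ku) { $ku.KeyUsages } else { $kuType::None }

    # Build the certification path the way Windows resolves it.
    # Revocation is not checked here, so the result reflects the path only.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $pathValid = $chain.Build($cert)

    # ChainElements is ordered leaf -> root; reverse it to match the dialog (root first)
    $names = @($chain.ChainElements | ForEach-Object {
        $_.Certificate.GetNameInfo('SimpleName', $false)
    })
    [array]::Reverse($names)

    $now = Get-Date
    [pscustomobject]@{
        IssuedTo         = $cert.GetNameInfo('SimpleName', $false)
        IssuedBy         = $cert.GetNameInfo('SimpleName', $true)
        ValidFrom        = $cert.NotBefore
        ValidTo          = $cert.NotAfter
        WithinValidity   = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
        DigitalSignature = [bool]($flags -band $kuType::DigitalSignature)
        NonRepudiation   = [bool]($flags -band $kuType::NonRepudiation)
        PathValid        = $pathValid
        PathDepth        = $names.Count
        RootIsExpected   = ($names.Count -gt 0) -and ($names[0] -eq $expectedRoot)
        Path             = $names -join ' > '
        PathErrors       = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
} | Format-List
```

A certificate whose `Path` starts with anything other than DoD Root CA 3 (for example DoD Interoperability), or whose `PathDepth` is greater than three, is the case the Correct Certification Path steps address.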
Republish Certificate(s)
Removing and republishing user certificates can correct issues with certificates not being available,
readable, or verifiable.
Before proceeding notify the user that some of the following steps may require a local system administrator.
These steps cannot be completed without ActivClient and access to the ActivClient User Console. If that is
not available do not proceed.
- From an open Internet Explorer window click Tools and select Internet Options or from the Control Panel
click on Internet Options
- Click the Content Tab
- Under Certificates
- Click Clear SSL State
- Click OK on the confirmation that the cache was cleared
- Click Certificates
- Under the Personal Tab
- Remove all listed certificates [NOTE: Email certificates can be left]
- Once all certificates are removed, click Close and then OK on Internet Options
- Open ActivClient User Console
- Start > All Programs > ActivIdentity > ActivClient
- Select User Console
- Click Tools
- Select Advanced
- Click "Forget state for all cards" – or – Reset Optimization Cache (this removes
and republishes in one step)
- After confirmation, return to the Tools > Advanced menu
- Click "Make Certificates Available to Windows"
- The CAC certificates should now be republished and available to use.
NOTE: The options to forget state and make certificates available are not in ActivClient version 8; use
Reset Optimization Cache instead (this removes and republishes in one step).
To delete OCSP and/or CRL cache from your Windows system:
- Go to Start Menu > Run
- Type cmd and press Enter
- In the command prompt, type the following command and press Enter to execute:
- certutil -urlcache * delete
- Reboot your computer