Services Australia are upgrading the security of NASH certificates and are transitioning from SHA-1 to SHA-2 certificates.   SHA-1 certificates will not be issued after 13 March 2022.  They will continue to work until July 2026 but will not be available for re-issue if problems are encountered.

NASH certificates expiring on or before 13 March 2022 can be renewed now.  Healthcare organisations can request and download a SHA-2 certificate in HPOS, only if their software is NASH SHA-2 ready.  Check if your software is SHA-2 ready using the software NASH SHA-2 Readiness Register. This should be done as early as possible to avoid connection problems beyond 13 March 2022.

If healthcare organisations need to renew their NASH certificate before 13 March 2022, and their software is not SHA-2 ready, they will receive a SHA-1 certificate with a 2-year expiry.

Additional Steps

All NASH certificates issued from 16 May 2021 are issued under the new Chain of Trust (COT). Some software products may require that additional OCA certificates are installed.  These may have already been installed by your software provider or they may request that you download and install these files.

As of 5 October 2021, NASH certificate downloads will be a single file which will include both the NASH certificate and the associated Chain of Trust certificate.  This change applies to both SHA-1 and SHA-2 certificates.

NASH certificates already downloaded between 16 May 2021 and 5 October 2021 may have required the associated SHA-1 and SHA-2 OCA certificates.  If these files were not previously downloaded, they can be accessed from the Verizon Certificates Australia website and key stores should be updated to the new certificate as soon as possible.

The additional files available are:

• For NASH SHA-1 certificate, download and install Sha-1 OCA Certificate
• For NASH SHA-2 certificate, download and install Sha-2 Root Certificate and Sha-2 OCA Certificate

Certificates can only be requested by the Organisation Maintenance Officer (OMO) logging on to HPOS.

Before you apply

1. You must first register your organisation into the Healthcare Identifiers Service. The Service assigns your organisation with an HPI-O.
2. You must have a PRODA account linked to HPOS.

This is a key step for registering for My Health Record.

NASH certificates have a two-year expiry date from the date of issue.  You should renew your certificate three months before it expires. You can check the expiry date in HPOS:

Note: In the past, you were automatically mailed a CD with the renewed certificate. With the new file download, this will no longer be the case. Instead, you will be sent a letter approximately 60 days before the certificate expires, notifying you of the expiry date, and directing you to download a new certificate through HPOS.

Here's how to both request or renew a NASH certificate:

1. Using PRODA, log in to HPOS. (see instructions for How to register for PRODA)
   Note:  You may be prompted to choose an Organisation to act on behalf of: Select -  No Organisation - Proceed as Individual only
   
2. From the main screen, navigate to My Programs > Healthcare Identifiers & My Health Record > Healthcare Identifiers - Manage existing Records > Organisation details > Certificates.
3. Click the 'Request a NASH PKI site certificate' link.

Select your Software Product and version* from the drop-down menu (This is a list of software versions ready to use SHA-2 NASH certificates).

If you are unsure of the version of the software you are using, generally, you can navigate to ‘Help’ > ‘About’.

*If you cannot see your software version in the list, choose the most appropriate reason from the “I cannot select a product because” drop down list:

4. Enter a mobile phone number.
5. If you are renewing your NASH certificate, tick the box "If you have an existing NASH certificate, please confirm that you agree for us to revoke it after 90 days".
6. Tick the Terms and Conditions box.
7. Click the Save changes button.
8. Click the Submit button.

You will then receive an SMS to the mobile number you entered. The message is: "Your NASH certificate for HPI-O XXXXXX is ready to download through HPOS. It is available for 30 days. Your PIC is XXXXXXXX. Do not reply by SMS".

PIC stands for Personal Identification Code. Write the PIC down in case it's needed for later.

Note: while any authorised user for the organisation will now be able to download the certificate in HPOS, it cannot be installed without the PIC that was sent by SMS. 

If you need a new PIC, contact the HPOS help desk on 1800 723 471.

1. Under the Action column, click the Download link to save the file to your computer. The name of the downloaded file will be ‘Site’.
2. Contact your IT support or software vendor to install the NASH certificate.

Notes:

• For security reasons, the NASH is only available to be downloaded for a maximum of 30 days.
• Contact the eBusiness Service Centre on 1800 700 199 for any questions relating to the progress of the NASH Certificate request.

If you've lost your NASH PKI certificate, you need to revoke it and order a new one.

1. Using PRODA, log in to HPOS.
2. From the main screen, navigate to My Programs > Healthcare Identifiers & My Health Record > Healthcare Identifiers - Manager existing Records.
3. If more than one organisation is listed, click the appropriate one.
4. Click Organisation details link.
5. Click the Certificates tab.
6. Under the Action column, click the Revoke link.
7. You will get a warning notification. To continue, read the notice and click the Ok button.
8. Fill out the form with your contact number and reason for revocation.
9. Tick the Terms and Conditions box.
10. Click the Save changes button.
11. Click the Submit button.

 The request is sent to the Department of Human Services support team for processing.

For further support contact digitalhealth@ourphn.org.au