D1 - Valid address-bound certificate discovery in DNS

Andrew Cookson

Mar 24, 2025, 4:21:55 PM
to edge-te...@googlegroups.com

The Direct address for the D1 test case does not have a valid certificate. Below is a screenshot of the results when using the Direct Certificate Discovery Tool to verify the certificate for d...@domain1.dcdt30.healthit.gov. I ran this after I was unable to send a message to the address from my Direct address.

 

 

Regards,

Andrew J. Cookson
VP – Customer Success and Implementation
o: 703.884.2904
acoo...@secureexsolutions.com
Direct – acoo...@directaddress.net
www.secureexsolutions.com

 

 


Kim Poletti

Mar 24, 2025, 4:28:43 PM
to Edge Test Tool (ETT)
Hi - Thanks for reaching out. This has been logged for review and a member of the team will reach out in the near future.

Duke Luevano

Mar 27, 2025, 11:21:57 AM
to Edge Test Tool (ETT)
Good morning,

Are there any updates on this issue? We have a customer trying to prepare for CEHRT and this is delaying their preparation.

Thank you,

Shaina

Duke Luevano

Apr 2, 2025, 12:46:06 PM
to Edge Test Tool (ETT)
Hello,

Checking in on the status of this issue.

Thank you,

Shaina

Duke Luevano

Apr 3, 2025, 10:11:21 AM
to Edge Test Tool (ETT)
Good morning,

Any updates on this so that our customer can continue with their prep for testing?

Thank you,

Shaina

Arslan Iqbal

Apr 3, 2025, 11:22:55 AM
to Edge Test Tool (ETT)
Internal reference: SITE-4561

James Spillman

Apr 3, 2025, 2:34:11 PM
to Edge Test Tool (ETT)
Address and domain bound certs have been updated. If you haven't already done so, reinstall the trust anchor and try the test again.

Andrew Cookson

Apr 4, 2025, 10:59:27 AM
to Edge Test Tool (ETT)
Can you confirm where the trust anchor can be found? The one available for download on the site.healthit.gov/direct website under Trust Anchor is not the issuer of the address-bound certificate for the D1 test that is part of 170.315(h)(1) certification. The certificate for d...@domain1.dcdt31.healthit.gov is issued by the dcdt31.healthit.gov_ca_root certificate, not the intermediate as I would have expected.

Sai Valluripalli

Apr 7, 2025, 12:25:42 PM
to Andrew Cookson, Edge Test Tool (ETT)
It can be downloaded from here under Discovery Directions, step 1.


--
You received this message because you are subscribed to the Google Groups "Edge Test Tool (ETT)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to edge-test-too...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/edge-test-tool/ee1bcd6f-dd71-4f08-b3f8-30198bafaa83n%40googlegroups.com.

Andrew Cookson

Apr 10, 2025, 10:00:35 AM
to Edge Test Tool (ETT)
The Trust Anchor available for download does not appear to be for the address in the test. The Authority Key Identifier of the discoverable Direct Certificate for d...@domain1.dcdt31.healthit.gov does not match the subject key identifier of the trust anchor as I would expect. 

Sai Valluripalli

Apr 10, 2025, 1:04:47 PM
to Andrew Cookson, Edge Test Tool (ETT)
Hi,

This is the correct anchor. 

Have you tried sending an email?

Andrew Cookson

Apr 10, 2025, 1:22:53 PM
to Edge Test Tool (ETT)
Yes, after installing the trust anchor, I attempted to send a message but received an exception that the address was not trusted. I had my team confirm it was installed correctly and tried again with the same result. Can you comment on the discrepancy between the Authority Key and Subject Key identifiers?  

Duke Luevano

Apr 17, 2025, 3:47:16 PM
to Edge Test Tool (ETT)
Sai,

Checking in on this. We are still stalled and unable to test. Please provide feedback to Andrew's question.

Thank you,

Shaina

Duke Luevano

Apr 22, 2025, 2:23:29 PM
to Edge Test Tool (ETT)
Hello,

Are there any updates on this ticket?

Thank you,

Shaina

Sai Valluripalli

Apr 24, 2025, 11:08:34 AM
to Edge Test Tool (ETT)
Hi Andrew,

After reviewing the details, you are trying to send a message to: d...@domain1.dcdt30.healthit.gov. Try to send to d...@domain1.dcdt31.healthit.gov.

Let me know how it goes.

Thank you,
Sai

Andrew Cookson

Apr 25, 2025, 11:34:09 AM
to Sai Valluripalli, Edge Test Tool (ETT)
Sai,

I have tried both but still receive the same issue. Can you please respond to my question about the mismatch between the Subject Key Identifier of the Anchor and the Authority Key Identifier of the email certificate? I have not been able to find a downloadable Anchor certificate on the website with a Subject Key Identifier that matches the Authority Key Identifier listed in the discoverable certificates for each test address. 

- Andrew


Duke Luevano

Apr 29, 2025, 11:27:25 AM
to Edge Test Tool (ETT)
Sai and team, 

Please provide an update. Our customer is preparing for testing in May and this is holding up their preparations.

Thank you,

Shaina

James Spillman

May 1, 2025, 1:32:43 PM
to Edge Test Tool (ETT)
The D1 test involves several certs, of which only 1 is valid. Can you check that your system is going through all the available certs for the address and using the valid one?

https://site.healthit.gov/direct/dcdt
Under "Discover DCDT's Certificates" select the D1 test case, and it will list all the discoverable certs. After evaluating all the available certs, your system should use the D1_valA cert.

There are 2 ways that the DCDT tests are currently misconfigured, but neither should impact your ability to complete this test:
1. The certs should be listed in the UI as "*.dcdt31.healthit.gov" rather than "*.dcdt30.healthit.gov". The actual certs have the correct domain.
2. At least one of the invalid certs is missing from the "x.dcdt31.healthit.gov" domains.

Let us know if you're still having trouble after checking this.

-James
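
The check Andrew asks about (a leaf's Authority Key Identifier against the anchor's Subject Key Identifier), combined with the candidate-by-candidate selection James describes, as an added example that is not from the thread or from DCDT. It assumes the OpenSSL command line, version 1.1.1 or later; the CA and leaf names, file names and helper functions are constructed for illustration, and the second CA deliberately reuses the anchor's subject name with a different key.

```shell
#!/usr/bin/env bash
# Added example; every certificate here is constructed test data, not DCDT's.

# Print the hex key identifier under an "X509v3 <Subject|Authority> Key Identifier"
# header. Some OpenSSL versions prefix the AKI with "keyid:"; strip it if present.
key_id() {
  openssl x509 -in "$1" -noout -text |
    awk -v h="X509v3 $2 Key Identifier" 'f { print; f = 0 } index($0, h) { f = 1 }' |
    tr -d ' :' | tr 'A-F' 'a-f' | sed 's/^keyid//'
}

# Succeeds only if the candidate's AKI equals the anchor's SKI and the
# signature and validity period verify against that anchor alone.
chains_to_anchor() {
  local anchor=$1 cand=$2 aki ski
  ski=$(key_id "$anchor" Subject)
  aki=$(key_id "$cand" Authority)
  [ -n "$aki" ] && [ "$aki" = "$ski" ] &&
    openssl verify -no-CApath -CAfile "$anchor" "$cand" >/dev/null 2>&1
}

# Print every candidate (one per line) that chains to the anchor.
select_valid() {
  local anchor=$1 cand; shift
  for cand in "$@"; do
    if chains_to_anchor "$anchor" "$cand"; then echo "$cand"; fi
  done
}

# Build a constructed PKI in directory $1: an anchor, a second CA that reuses
# the anchor's subject name with a different key, and one leaf from each.
build_constructed_pki() {
  local d=$1 ca
  cat > "$d/cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ext_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ext_leaf]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
  for ca in anchor other; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/cfg" \
      -extensions ext_ca -subj "/CN=Constructed Test CA" \
      -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$d/cfg" \
      -subj "/CN=d1@direct.example.test" \
      -keyout "$d/leaf_$ca.key" -out "$d/leaf_$ca.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf_$ca.csr" -days 30 -extfile "$d/cfg" \
      -extensions ext_leaf -CA "$d/$ca.pem" -CAkey "$d/$ca.key" \
      -CAcreateserial -out "$d/leaf_$ca.pem" 2>/dev/null
  done
}

work=$(mktemp -d)
build_constructed_pki "$work"
echo "anchor SKI:     $(key_id "$work/anchor.pem" Subject)"
echo "leaf_other AKI: $(key_id "$work/leaf_other.pem" Authority)"
echo "usable:         $(select_valid "$work/anchor.pem" "$work"/leaf_*.pem)"
```

Only `leaf_anchor.pem` is listed as usable: the other leaf names the same issuer, but its AKI does not match the installed anchor's SKI, so it cannot chain to that anchor.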

Andrew Cookson

May 6, 2025, 4:58:52 PM
to Edge Test Tool (ETT)
James,

I don't believe that to be the issue here. Would you be willing to respond to my question about the mismatch between the Subject Key Identifier of the Anchor and the Authority Key Identifier of the valid email certificate? Please let me know if we can schedule a time to meet because we haven't gotten anywhere in over a month of commenting on this group conversation.

Regards,
Andrew

Duke Luevano

May 8, 2025, 11:12:09 AM
to Edge Test Tool (ETT)
Hey James and Sai,

Can we please get assistance on this ticket/time scheduled with your team? Andrew and I are working together with our customers that are looking to complete CEHRT this month and this is standing in their way to schedule their tests.

Thank you,

Shaina

James Spillman

May 8, 2025, 3:40:20 PM
to Edge Test Tool (ETT)
Are you available tomorrow at 1PM ET? I've sent you each an invite to a Teams meeting.

Andrew Cookson

May 8, 2025, 4:17:36 PM
to Edge Test Tool (ETT)
I would prefer 3 pm ET if possible. If not, I will make 1pm work. 

Duke Luevano

May 16, 2025, 10:35:51 PM
to Edge Test Tool (ETT)
Hello, James,

Are there any updates on this?

Thank you,

Shaina

Duke Luevano

May 20, 2025, 12:29:26 PM
to Edge Test Tool (ETT)
Hey James,

Any update on this? We have a partner that said Drummond has offered to connect directly to them to complete this testing. Please provide an update as we would like to not have to have them take an alternate route to complete their testing.

Thank you,

Shaina

Duke Luevano

May 21, 2025, 4:02:04 PM
to Edge Test Tool (ETT)
Hey James,

Checking in for any updates to provide to our partners.

Thank you,

Shaina

James Spillman

May 22, 2025, 1:36:16 PM
to Edge Test Tool (ETT)
We are currently investigating this scenario to determine whether the certificate used in this test reflects a valid conformance case.

We’ll provide an update once our investigation is complete and any required changes to the test or guidance are finalized.

Duke Luevano

May 22, 2025, 4:55:27 PM
to Edge Test Tool (ETT)
Hey James,

Are there any ETAs on when this might be complete? We have partners that are relying on this being available as part of their CEHRT testing and are looking to test by the end of this month. We will need to let them know if this is not possible as they are looking to us for answers.

Thank you,

Shaina

Shaina Luevano

May 27, 2025, 12:46:51 PM
to Edge Test Tool (ETT)
Good morning!

Are there any updates on this issue?

Thank you,

Shaina

Shaina Luevano

Jun 2, 2025, 9:40:40 AM
to Edge Test Tool (ETT)
Good morning! 

Checking in for an update on this issue.

Thank you,

Shaina

Shaina Luevano

Jun 6, 2025, 3:39:31 PM
to Edge Test Tool (ETT)
Good afternoon,

Are there any updates on this?

Thank you,

Shaina

Arslan Iqbal

Jun 9, 2025, 2:14:30 PM
to Edge Test Tool (ETT)
We're continuing to work on this and will share an update as soon as possible. Thanks for your patience.

-SITE/ETT team

Shaina Luevano

Jun 16, 2025, 12:35:39 PM
to Edge Test Tool (ETT)
Hello ETT support,

Are there any updates on this issue?

Thank you,

Shaina

Arslan Iqbal

Jun 16, 2025, 3:23:22 PM
to Edge Test Tool (ETT)
We're continuing to work on this and will share an update as soon as possible. Thanks for your patience.

-SITE/ETT team

James Spillman

Jun 16, 2025, 3:33:12 PM
to Edge Test Tool (ETT)
We have a fix for this issue and are currently testing it.

Shaina Luevano

Jun 16, 2025, 5:33:52 PM
to Edge Test Tool (ETT)
Great news-thank you!

Shaina Luevano

Jun 19, 2025, 10:44:09 PM
to Edge Test Tool (ETT)
Hey James,

Any updates on testing?

Thank you,

Shaina

Shaina Luevano

Jun 25, 2025, 9:37:19 AM
to Edge Test Tool (ETT)
Hey James,

Are there any updates on this ticket?

Thank you,

Shaina

James Spillman

Jun 25, 2025, 11:05:18 AM
to Edge Test Tool (ETT)
A new version of DCDT has been deployed that includes a fix for the identifier mismatch. DNS entries have not been updated yet, but LDAP tests should now have matching identifiers between leaf certs and the trust anchor. Can you install the new trust anchor and try the LDAP tests, such as 3 and 4?

James Spillman

Jun 30, 2025, 12:07:14 PM
to Edge Test Tool (ETT)
DNS certificates have been updated. Can you try the tests again now?

Andrew Cookson

Jul 2, 2025, 9:49:57 AM
to Edge Test Tool (ETT)
Thank you, I have confirmed the proper relationship exists between the new Trust Anchor and the D1/D2 Direct certificates. We are in the process of installing the new Trust Anchor and will test further after that has been completed. However, I am still unable to discover the certificates for the D3 and D4 tests. Please advise as it does not appear that the LDAP records are in place.  

Shaina Luevano

Jul 8, 2025, 1:24:19 PM
to Edge Test Tool (ETT)
Good morning, James,

Are there any updates on this?

Thank you,

Shaina

Souvanik Sarkar

Jul 8, 2025, 2:10:15 PM
to Shaina Luevano, Edge Test Tool (ETT)
Can anyone give me an idea how Direct Project H1 testing is done in real life?



--
Regards
Souvanik

nagesh.bashyam (Dragon)

Jul 14, 2025, 8:38:09 AM
to Edge Test Tool (ETT)
Andrew

Can you please retest the D3 and D4 test cases? If it is not working for you, can you please provide the steps you are taking to test?
It should be working based on our testing.

Thanks
Dragon 

Nagesh Bashyam

Jul 14, 2025, 3:20:33 PM
to Andrew Cookson, Edge Test Tool (ETT)

Andrew

 

Which particular certificate are you trying to discover? (LDAP or DNS?)

Can you provide the domain name and the dig command you are using?

 

Thanks

Dragon

 

From: Andrew Cookson <andrew....@gmail.com>
Date: Monday, July 14, 2025 at 2:47 PM
To: Nagesh Bashyam <nagesh....@drajer.com>
Cc: Edge Test Tool (ETT) <edge-te...@googlegroups.com>
Subject: Re: D1 - Valid address-bound certificate discovery in DNS

Dragon,

 

I am able to pull the certificates when using the discovery tool on the healthit.gov website but still cannot pull it using other Certificate discovery tools or online dig tools. Can you confirm the necessary records are publicly available?

 


Andrew Cookson

Jul 15, 2025, 11:17:46 AM
to nagesh.bashyam (Dragon), Edge Test Tool (ETT)
Dragon,

I am able to pull the certificates when using the discovery tool on the healthit.gov website but still cannot pull it using other Certificate discovery tools or online dig tools. Can you confirm the necessary records are publicly available?


Nagesh Bashyam

Jul 15, 2025, 12:32:54 PM
to Shaina Luevano, Edge Test Tool (ETT)

Hello

 

For determining how to test with the Direct tools, please refer to the Direct Test Procedure (h1) and (h2).

https://www.healthit.gov/topic/certification-ehrs/onc-health-it-certification-program-test-method

 

I am not sure what exactly you are asking for, so I am providing the best answer that we can.  

 

 

Thanks

Dragon

 

From: edge-te...@googlegroups.com <edge-te...@googlegroups.com> on behalf of Shaina Luevano <ssvall...@gmail.com>
Date: Tuesday, July 15, 2025 at 11:18 AM
To: Edge Test Tool (ETT) <edge-te...@googlegroups.com>
Subject: Re: D1 - Valid address-bound certificate discovery in DNS

Hey Souvanik,

 

Sorry, are you part of the ETT support team?

 

James,

 

Are there any updates on this for us? Our partner has been waiting for months and has been unable to do anything. We would really like to get them across the finish line to allow them to finish their certification.

 

Thank you,

 

Shaina


Nagesh Bashyam

Jul 17, 2025, 8:51:07 AM
to Andrew Cookson, Edge Test Tool (ETT)

Andrew

 

The specific certificates are available through LDAP.

You can verify them using the following query:

 

ldapsearch -x -H ldap://ldap.dcdt31.healthit.gov:10389 -b "" "(mail=d...@domain2.dcdt31.healthit.gov)" cn mail userCertificate

 

Please let me know how you are doing the LDAP query. Is it similar or different?

 

Thanks

Dragon

 


Souvanik Sarkar

Jul 18, 2025, 1:39:02 PM
to Shaina Luevano, Edge Test Tool (ETT)
No, Shaina

Regards
Souvanik


On Tue, 15 Jul 2025 at 8:48 PM, Shaina Luevano <ssvall...@gmail.com> wrote:
Hey Souvanik,

Sorry, are you part of the ETT support team?

James,

Are there any updates on this for us? Our partner has been waiting for months and has been unable to do anything. We would really like to get them across the finish line to allow them to finish their certification.

Thank you,

Shaina


Souvanik Sarkar

Jul 18, 2025, 1:39:23 PM
to Nagesh Bashyam, Shaina Luevano, Edge Test Tool (ETT)
While I am trying to test DCDT I am getting this error

There was an error completing the request, Please try again later!



--
Regards
Souvanik

Shaina Luevano

Jul 18, 2025, 1:39:52 PM
to Edge Test Tool (ETT)
Hey Nagesh,

Are there any updates on Andrew's question, please?

Thank you,

Shaina

Andrew Cookson

Jul 18, 2025, 1:40:28 PM
to Edge Test Tool (ETT)
Dragon,

I have tried a few different things. 

First I tried to discover the certificate for the below addresses using the discovery tool available here: https://www.maxmddirect.com/direct/Certificate. In all cases I received a response that "No certificate found in public DNS or LDAP for address. No NS record found."

I then used an online dig tool, https://www.digwebinterface.com, to try and find the CERT record for the below values. In all cases, no cert record was returned. The first two attempts return a "connection timed out; no servers could be reached" response. The third did not time out but no CERT record was returned.

Nagesh Bashyam

Jul 18, 2025, 1:45:27 PM
to Shaina Luevano, Edge Test Tool (ETT)

Shaina

 

We are exchanging emails with Andrew to see how it is being tested and what issues they are having.

If you are having specific issues, can you post a thread with the specific issues that you are encountering so that we can address them appropriately.

 

Thanks

Dragon

 


Nagesh Bashyam

Jul 18, 2025, 2:46:02 PM
to Andrew Cookson, Edge Test Tool (ETT)

Andrew

 

Thanks for providing this information.

We are in communication with MaxMD on the tool to understand what the tool is doing. We have exchanged queries that are being exchanged (both successful and unsuccessful), so we will follow up with them on the topic.

 

As far as the other tool goes, (digwebinterface) that would be more for DNS lookups, which in the case of LDAP does not really help except to look up NS Records which succeeds. The CERT records are in LDAP and not in DNS.

 

We believe the Base DN search is yielding what needs to be extracted from DCDT and then the LDAP search on the DN’s yields the certificate according to the specifications unless something is misinterpreted.

 

Any further insights into what exactly you are doing would be necessary for us to track down if there is an issue.

I have posted the commands that would be used typically in previous threads.

 

If needed we can jump on a call.

 

Please let us know.

 

Thanks

Dragon

 

 

 


Andrew Cookson

Jul 23, 2025, 3:48:43 PM
to Edge Test Tool (ETT)
Dragon,

Appreciate the feedback. I was working with my team to test again and noticed that the Trust Anchor was updated again and the Direct certificates renewed under this new anchor. Is there a specific reason this was done? Apologies if that detail was provided elsewhere but I don't see it.

Regards,
Andrew 

Nagesh Bashyam

Jul 24, 2025, 10:35:18 AM
to Andrew Cookson, Edge Test Tool (ETT)

Yes, the reason they were updated is because in the previous update the CRL URL was not providing the required data back to the requester which some of the HISP’s were validating and rejecting the certificates because they were not able to verify if the certificate was valid/invalid.

 

Hope it helps.

 

Thanks

Dragon

 
