ETT DCDT DNS servers returning previous generation of certificates


lcm...@emrdirect.com

Mar 17, 2025, 11:46:45 AM
to Edge Test Tool (ETT)
It appears that the DCDT end entity certs were all reissued recently, but the ETT's DCDT DNS servers have not been updated and are still returning the previous generation of certs signed by the previous DCDT trust anchor.

Eric Mears

Mar 17, 2025, 12:24:38 PM
to Edge Test Tool (ETT)
I am seeing something similar.

The address bound DNS cert for d...@domain1.dcdt31.healthit.gov

is

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = dcdt31.healthit.gov_ca_root
        Validity
            Not Before: Feb  4 15:37:51 2022 GMT
            Not After : Feb  5 01:49:51 2032 GMT
        Subject: emailAddress = d...@domain1.dcdt31.healthit.gov, CN = D1_valA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:88:33:DB:F3:EF:80:2B:4F:03:05:32:4D:EA:E5:28:4D:39:84:21:32


            X509v3 Subject Key Identifier:
                D5:62:EE:F7:C5:89:A0:0B:51:D5:7E:CA:66:21:D6:7C:87:0E:36:0A:C1:06:DC:EE:2E:03:56:91:09:25:26:E8
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                email:d...@domain1.dcdt31.healthit.gov
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://pki.dcdt31.healthit.gov:10080/dcdt31.healthit.gov_ca_root.crl

            Authority Information Access:
                CA Issuers - URI:http://pki.dcdt31.healthit.gov:10080/dcdt31.healthit.gov_ca_root.cer

    Signature Algorithm: sha256WithRSAEncryption

          
The root from the test tool, dcdt31.healthit.gov_ca_root.der, is:


openssl x509 -inform der -in dcdt31.healthit.gov_ca_root.der -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = dcdt31.healthit.gov_ca_root
        Validity
            Not Before: Feb 28 16:44:26 2025 GMT
            Not After : Mar  1 02:56:26 2035 GMT
        Subject: CN = dcdt31.healthit.gov_ca_root
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                55:EC:CC:D2:00:A1:A9:A5:53:DF:2B:74:5A:D8:D5:2D:0F:7B:0B:47:97:F0:78:6B:20:CD:93:7F:41:94:1B:B7

            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:

The AIA value from the address bound certificate:
keyid:88:33:DB:F3:EF:80:2B:4F:03:05:32:4D:EA:E5:28:4D:39:84:21:32
Does not match the Subject Key identifier in the root ca:
55:EC:CC:D2:00:A1:A9:A5:53:DF:2B:74:5A:D8:D5:2D:0F:7B:0B:47:97:F0:78:6B:20:CD:93:7F:41:94:1B:B7


Eric

Eric Mears

Mar 17, 2025, 12:31:00 PM
to Edge Test Tool (ETT)
The address bound cert was issued Feb  4 15:37:51 2022 GMT, before the root cert, which was issued Feb 28 16:44:26 2025 GMT.

Eric

Greg Gurr

Mar 18, 2025, 11:14:17 AM
to Edge Test Tool (ETT)
Is there an estimate on when this issue with the DCDT cert will be resolved? I am unable to run several tests required for the Direct Trust Accreditation self-assessment because of this error.
Please share an update on when this will be resolved. Thank you

Kim Poletti

Mar 19, 2025, 12:39:05 PM
to Edge Test Tool (ETT)
Hi - Thanks for reaching out. This has been logged for review and a member of the team will reach out in the near future.

James Spillman

Apr 3, 2025, 2:51:14 PM
to Edge Test Tool (ETT)
DNS domain and address bound certificates have been updated. Can you try the D1 test again? If you haven't already done so you'll need to reinstall the DCDT trust anchor.

Greg Gurr

Apr 10, 2025, 7:08:18 PM
to Edge Test Tool (ETT)
I installed the cert that downloads from this site: https://site.healthit.gov/direct/dcdt

When I tried to send a Direct message to "d...@domain1.dcdt31.healthit.gov" as per the Direct Trust instructions, I am still seeing this error in my log file:

Caused by: org.bouncycastle.jce.provider.AnnotatedException: TrustAnchor found but certificate validation failed.
        at org.bouncycastle.jce.provider.CertPathValidatorUtilities.findTrustAnchor(Unknown Source) [bcprov-jdk15-140.jar:1.40.0]
        ... 154 more
Caused by: java.security.SignatureException: Signature does not match.

Still have the same issue.

Is there another place I am supposed to download this cert from?

Thanks
Greg

Arslan Iqbal

Apr 11, 2025, 2:54:30 PM
to Edge Test Tool (ETT)
For SITE/ETT team's internal reference only: SITE-4553

Greg Gurr

Apr 17, 2025, 10:50:49 AM
to Edge Test Tool (ETT)
Is there a different site that I should download the dcdt certificate from? The one that we download from the site in the Testing tool has a signature that does NOT match.
Any updates on when this certificate issue could be resolved?

Thanks
Greg

James Spillman

Apr 18, 2025, 10:08:14 AM
to Edge Test Tool (ETT)
That is the correct location to download the dcdt trust anchor. The expiration date should be 2/28/2035. Can you re-install it and try again? This trust anchor is working for our internal tests and for other users.

Greg Gurr

Apr 22, 2025, 7:36:12 PM
to Edge Test Tool (ETT)
I downloaded the certificate "dcdt31.healthit.gov_ca_root.der" and installed it. The MD5 for this cert is: 6C:66:02:4C:0F:38:BD:0E:A7:1C:BB:6C:22:93:A1:B5

When I try to send a Direct message to the address: "d...@domain1.dcdt31.healthit.gov" I am still seeing this error:

Caused by: org.bouncycastle.jce.provider.AnnotatedException: TrustAnchor found but certificate validation failed.
        at org.bouncycastle.jce.provider.CertPathValidatorUtilities.findTrustAnchor(Unknown Source) [bcprov-jdk15-140.jar:1.40.0]
        ... 154 more
Caused by: java.security.SignatureException: Signature does not match.

Can someone please help me resolve this issue? Does the MD5 that I showed above match the MD5 for the certificate for anyone else for whom it is working?

Sai Valluripalli

Apr 24, 2025, 11:18:36 AM
to Edge Test Tool (ETT)
Hi,

You have to download our new certificate and install it to make this test work.
Here is the link to download the new certificate: https://site.healthit.gov/direct/dcdt. Once you scroll down to the Discover DCDT Certificate section, step 1 has a link to download the certificate.

Hope this helps.
Thanks,
Sai

Greg Gurr

Apr 25, 2025, 6:18:35 PM
to Edge Test Tool (ETT)
Hi Sai,
That is exactly what I did. I went to the site https://site.healthit.gov/direct/dcdt and scrolled to the site shown on the screen for step 1.
This is the certificate I have installed twice and I get the same error message I posted previously (signature does not match).

Can someone verify the MD5 for their certificate that works matches the MD5 I posted for the certificate I installed? MD5 for the cert I installed is: 6C:66:02:4C:0F:38:BD:0E:A7:1C:BB:6C:22:93:A1:B5
What else could be the issue if this works for everyone else?

Thanks
Greg

Eric Mears

May 8, 2025, 3:20:48 PM
to Edge Test Tool (ETT)
While the leaf certificate has been updated, the leaf cert does not link up to the CA certificate.

The leaf certificate (emailAddress = d...@domain1.dcdt31.healthit.gov, CN = D1_valA) has an AIA of:

X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:51:50:E4:63:81:42:0E:9B:0D:4A:9D:61:D1:6D:5C:C4:1D:C7:1B:45


Which does not match the Subject Key Identifier of the issuing certificate (CN = dcdt31.healthit.gov_ca_root):
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                55:EC:CC:D2:00:A1:A9:A5:53:DF:2B:74:5A:D8:D5:2D:0F:7B:0B:47:97:F0:78:6B:20:CD:93:7F:41:94:1B:B7

The chain does not validate.

Eric
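The Authority Key Identifier / Subject Key Identifier comparison Eric makes above (and in his March 17 post), reproduced with throw-away certificates so the failure mode can be seen end to end. This is an added example, not material from the thread or from DCDT; every name, path and subject in it is made up, and it assumes openssl 1.1.1 or newer on the PATH.

```shell
#!/bin/sh
# Added example: a leaf issued by an old anchor, then the anchor is reissued
# (new key, same CN). Shows why the leaf's AKI no longer matches the new SKI
# and why path validation fails. Assumes openssl 1.1.1+; all names are made up.
set -eu
WORK=$(mktemp -d)
# Minimal req config so the run does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$WORK/req.cnf"

# Self-signed trust anchor carrying a Subject Key Identifier (like the DCDT root).
mk_ca() {  # $1 = basename for the key and cert
  openssl req -config "$WORK/req.cnf" -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=example-test.invalid_ca_root" \
    -addext "basicConstraints=critical,CA:TRUE" -addext "subjectKeyIdentifier=hash" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Address-bound leaf signed by the named CA; its AKI is that CA's key id.
mk_leaf() {  # $1 = basename of the signing CA
  openssl req -config "$WORK/req.cnf" -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=D1_valA/emailAddress=d1@domain1.example-test.invalid" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' \
    > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
}

# Second line of `-ext` output is the colon-separated key id. openssl 1.1.1
# prefixes the AKI with "keyid:", 3.x does not, so strip both that and spaces.
ski_of() { openssl x509 -in "$WORK/$1.crt" -noout -ext subjectKeyIdentifier |
           awk 'NR==2 { gsub(/[[:space:]]|keyid:/, ""); print }'; }
aki_of() { openssl x509 -in "$WORK/$1.crt" -noout -ext authorityKeyIdentifier |
           awk 'NR==2 { gsub(/[[:space:]]|keyid:/, ""); print }'; }

# The check made by hand in the thread: the leaf's AKI must equal the anchor's SKI.
ids_match() { [ "$(aki_of leaf)" = "$(ski_of "$1")" ]; }

# What the mail agent actually does: build and verify the path leaf -> anchor.
chain_ok() { openssl verify -CAfile "$WORK/$1.crt" "$WORK/leaf.crt" >/dev/null 2>&1; }

# Walk-through: leaf issued under the old anchor, then the anchor is reissued.
mk_ca old; mk_leaf old
mk_ca new   # reissued root: same CN, new key, therefore a new SKI
ids_match old && chain_ok old && echo "old anchor: AKI == SKI, chain verifies"
ids_match new || echo "new anchor: AKI != SKI, chain does not verify"
```

Re-running mk_leaf against the new anchor is the fix the thread eventually describes: the reissued leaf carries the new key id and the chain verifies again.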

James Spillman

May 22, 2025, 1:35:42 PM
to Edge Test Tool (ETT)
We are currently investigating this scenario to determine whether the certificate used in this test reflects a valid conformance case.

We’ll provide an update once our investigation is complete and any required changes to the test or guidance are finalized.

James Spillman

Jun 25, 2025, 11:06:25 AM
to Edge Test Tool (ETT)
A new version of DCDT has been deployed that includes a fix for the identifier mismatch. DNS entries have not been updated yet, but LDAP tests should now have matching identifiers between leaf certs and the trust anchor. Can you install the new trust anchor and try the LDAP tests, such as 3 and 4?

James Spillman

Jun 30, 2025, 12:06:21 PM
to Edge Test Tool (ETT)
DNS certificates have been updated; can you try the tests again now?