Oliver's Guide to Coping With Certificates

This page covers most common problems MIT users encounter with MIT web certificates. If you have not encountered a problem or are just getting started, knock on wood and check out the General Instructions on Getting MIT Web Certificates.

Things you will find answers to on this page:

I'm getting a window asking for my Communicator Certificate DB password
I'm getting a window asking for my Netscape Password [GO THERE]
The certificate form is saying I typed an incorrect username or password! [GO THERE]
I am able to get certificates, but when I try to use them they are not there.
My certificates disappear every time I quit Netscape! [GO THERE]
I get an error saying that the server has rejected my certificate as expired
I get an error saying that the server cannot verify my certificate [GO THERE]
I am confused about who fixes which problems [GO THERE]
It's asking me for Six Secret Words! [GO THERE]
Internet Explorer is giving me an error when I try to get a certificate! [GO THERE]
Is it really okay to delete my certificates?
I would like to learn more about Certificates! [GO THERE]

Observed Behavior How To Deal With It

I'm getting a window asking for my Communicator Certificate DB password!
I'm getting a window asking for my Netscape Password. (Older versions of Netscape.)

You may at some point in the past have told Netscape to use a Netscape password. If so, you will get a dialog box like this when you try to connect to a secure site:
IMAGE: Netscape Password Dialog Box
If you do not remember this password, no one else can reset it for you! This password is stored in the Netscape preferences on your computer. You will need to erase the certificate files on your computer, and get a new certificate.

Step 1: Quit Netscape
Step 2: Remove the old files

On Athena
athena% add infoagents athena% clear-netscape-password
On the Macintosh
Look in folder Macintosh HD:System Folder:Preferences:Netscape Users:Username where Username is the name you gave to your Netscape profile. In the picture below, the name is Default. In this folder, remove the files Certificates 7 and Key Database 3 and drag them to the Trash.
Picture of location of files
If you are using Netscape 3.x, find all of the following files which exist: Certificates 5, Certificates 7, Certificates, Key Database and Key Database 3 in the folder System Folder:Preferences:Netscape:Security and drag them to the Trash.
On MS Windows
Using Windows Explorer or File Manager, go to the directory in which Netscape Navigator is installed (often C:\Program Files\Netscape\Communicator). Here you should find a folder named Users. Inside will be a folder for your User Profile. (In the diagram below the User Profile is named default. Yours may have a different name.) Delete the files cert7.db and key3.db.
Picture of location of files.
If you are using Netscape 3.x, find all of the following files which exist: cert5.db, cert7.db, cert.db, key.db and key3.db in the folder Netscape is installed in (often C:\Program Files\Netscape\Navigator) and delete them.

Step 3: Start up Netscape and go to http://web.mit.edu/is/help/cert/
Go to the two links in the Get Certificates Now section to get a new MIT Certificate Authority certificate and a new MIT personal certificate.
Step 4: If you decide to set another Communicator password, be careful not to forget it, or you will have to repeat these steps.

The certificate form is saying I typed an incorrect username or password!
Two possibilities here:

You actually did type an incorrect username or password
To fix it, type your correct username and password.
You did type your correct username and password but still get the same message
If you have gotten a certificate before, there is a chance that you clicked on the checkbox which said Check this box if, in the future when you obtain certificates, you want to use your second "secure" password instead of your Athena password. If so, you need to type your second password (formerly known as your SIS password, and sometimes as your Extra password) instead of your normal Athena password.
If you have forgotten your normal Athena password or your second password you will need to visit the Athena User Accounts Office with a picture ID.

I am able to get certificates, but when I try to use them they are not there.
My certificates disappear every time I quit Netscape!

There is a possibility for your Netscape certificate database to become corrupted. If this happens, Netscape may not give any errors at all. Indeed, everything will seem to be fine but it will not write your certificates to disk. So when you try use them they won't be there.
This can be frustrating and confusing. It can be caused by several things, but the most common culprit is not selecting the Allow this Certificate Authority for Certifying network sites check box when getting the MIT site certificate.
The only way to reliably fix this problem is to delete your certificate database and start over. The instructions under the "forgotten password" section will talk you through this process. [GO THERE]

I get a window saying that The Server has rejected my certificate as expired!
I get a window saying that The Server cannot verify my certificate!

If you get an error dialog like the one below, you should follow these two steps:

Step 1: Delete your old certificate
Click on the Security icon on your Navigator tool bar which will open the Netscape security preferences. Click on the word Yours under the Certificates heading on the left edge. Select your old certificate in the These are your certificates window, and click the Delete button. Click OK to close the security preferences window.
Step 2: Get a new certificate
Go to https://ca.mit.edu to get a new certificate.

Error messages indicating that your certificate expired can look either like this:
[The server has rejected your certificate as expired]
or like this:
[The server cannot verify your certificate]

I am confused about who fixes which problems.
We are too, sometimes. Here is a quick breakdown of the three general areas involved, and who to go to for help:
Problems with getting an electronic certificate
(either personal or site)
Problems with the stuff at http://bs.mit.edu/mitca.ca, https://ca.mit.edu, or questions about the documentation at http://web.mit.edu/is/help/cert/ or http://web.mit.edu/is/help/cert/cert.html: These services are maintained by the Network group and the Publications group, respectively. You can contact them through:
Athena Consulting (if you are using Athena) or
The Computing Helpdesk (if you are using a Mac or Windows box)

Problems with using WebSIS
after you have already gotten your certificates
You've successfully gotten your certificate, but you can't preregister or get an error doing something on student.mit.edu. You should contact the WebSIS support team at websis@mitsis.mit.edu. This email is monitored during regular business hours, Monday-Friday 9 am - 5 pm.
Problems with Netscape Navigator
If you need help using Netscape Navigator or getting rid of old certificate files, contact:
Athena Consulting (if you are using Athena) or
The Computing Helpdesk (if you are using a Mac or Windows box)

It's asking me for Six Secret Words! In the Fall of 1997, an initial passphrase in addition to a username and password was required of new students for security reasons. The new Java certificate server should never ask for these six words anymore. If you do get asked for six words somewhere, please contact Athena Consulting at x3-4435 or by typing olc at your athena% prompt.

Internet Explorer is giving me an error when I try to get a certificate!
Internet Explorer version 5.5 or later for Windows should work fine with the MIT certificate server. Make sure you are running the latest version. You can also download the latest MIT-supported version of Netscape Navigator from MIT if you prefer. There are both Windows and Macintosh versions available.
Note that Internet Explorer for Mac OS (any version) does not support personal certificates at all. If you know someone with pull at Microsoft, you may want to request that support be added.

I would like to learn more about Certificates!
Good for you! There are many documents out there pertaining to MIT web certificates. Aside from general instructions and troubleshooting tips, each contains a few unique pearls of wisdom.
The Information Systems Publications group publishes these seven documents:
Web Certificates at MIT (Table of Contents)
The Quick Guide to MIT Certificates
The Complete Guide to MIT Certificates
The Illustrated Guide to Obtaining MIT Certificates
(part of the Athena Tutorial)
Recommended Netscape Security Preferences for use with MIT Certificates
What to do when Personal Certificates expire
Another document on Certificate Expiration
Article in the IS News Letter about Certificates

The MIT Network Group has its own version of a certificate guide, found at:
Obtaining MIT Certificates

Jeff Schiller, MIT's Network Manager and all-around security guru, gives a great interview on Campus Certificate Authorities as part of the CREN Tech Talk Series. You can read the transcript or listen to a streaming audio archive. As with all of Jeff's talks, this one is both informative and entertaining.
Campus Certificate Authorities with guest expert Jeff Schiller

For general information on Netscape security and Netscape certificates see:
Netscape Security Solutions

Athena Consulting has a few stock answers on WebSIS and certificates here:
WEBSIS (CERTIFICATES) Answers

The MIT Libraries have an excellent page geared towards customers of MIT Libraries Computer Support. It is well organized and contains cross-references to most other certificate resources at MIT.
MIT Libraries Guide to Web Certificates

Athena User Accounts	accounts@mit.edu
Office location: N42 @ 211 Mass. Ave	Telephone: 617 253-1325
Walkin hours: MWF 2-5 & TR 9-12	Facsimile: 617 258-6176

Observed Behavior	How To Deal With It

*I'm getting a window asking for my Communicator Certificate DB* password!** I'm getting a window asking for my Netscape Password. (Older versions of Netscape.)	You may at some point in the past have told Netscape to use a Netscape password. If so, you will get a dialog box like this when you try to connect to a secure site: If you do not remember this password, no one else can reset it for you! This password is stored in the Netscape preferences on your computer. You will need to erase the certificate files on your computer, and get a new certificate. Step 1: Quit Netscape Step 2: Remove the old files On Athena `athena% add infoagents athena% clear-netscape-password` On the Macintosh Look in folder Macintosh HD:System Folder:Preferences:Netscape Users:Username where Username is the name you gave to your Netscape profile. In the picture below, the name is Default. In this folder, remove the files Certificates 7 and Key Database 3 and drag them to the Trash. If you are using Netscape 3.x, find all of the following files which exist: Certificates 5, Certificates 7, Certificates, Key Database and Key Database 3 in the folder System Folder:Preferences:Netscape:Security and drag them to the Trash. On MS Windows Using Windows Explorer or File Manager, go to the directory in which Netscape Navigator is installed (often C:\Program Files\Netscape\Communicator). Here you should find a folder named Users. Inside will be a folder for your User Profile. (In the diagram below the User Profile is named default. Yours may have a different name.) Delete the files cert7.db and key3.db. If you are using Netscape 3.x, find all of the following files which exist: cert5.db, cert7.db, cert.db, key.db and key3.db in the folder Netscape is installed in (often C:\Program Files\Netscape\Navigator) and delete them. Step 3: Start up Netscape and go to http://web.mit.edu/is/help/cert/ Go to the two links in the Get Certificates Now section to get a new MIT Certificate Authority certificate and a new MIT personal certificate. Step 4: If you decide to set another Communicator password, be careful not to forget it, or you will have to repeat these steps.

*The certificate form is saying I typed an incorrect username or password!*	Two possibilities here: You actually did type an incorrect username or password To fix it, type your correct username and password. You did type your correct username and password but still get the same message If you have gotten a certificate before, there is a chance that you clicked on the checkbox which said Check this box if, in the future when you obtain certificates, you want to use your second "secure" password instead of your Athena password. If so, you need to type your second password (formerly known as your SIS password, and sometimes as your Extra password) instead of your normal Athena password. If you have forgotten your normal Athena password or your second password you will need to visit the Athena User Accounts Office with a picture ID.

I am able to get certificates, but when I try to use them they are not there. My certificates disappear every time I quit Netscape!	There is a possibility for your Netscape certificate database to become corrupted. If this happens, Netscape may not give any errors at all. Indeed, everything will seem to be fine but it will not write your certificates to disk. So when you try use them they won't be there. This can be frustrating and confusing. It can be caused by several things, but the most common culprit is not selecting the Allow this Certificate Authority for Certifying network sites check box when getting the MIT site certificate. The only way to reliably fix this problem is to delete your certificate database and start over. The instructions under the "forgotten password" section will talk you through this process. [GO THERE]

*I get a window saying that The Server has rejected my certificate as expired!* I get a window saying that The Server cannot verify my certificate!	If you get an error dialog like the one below, you should follow these two steps: Step 1: Delete your old certificate Click on the Security icon on your Navigator tool bar which will open the Netscape security preferences. Click on the word Yours under the Certificates heading on the left edge. Select your old certificate in the These are your certificates window, and click the Delete button. Click OK to close the security preferences window. Step 2: Get a new certificate Go to https://ca.mit.edu to get a new certificate. Error messages indicating that your certificate expired can look either like this: or like this:

I am confused about who fixes which problems.	We are too, sometimes. Here is a quick breakdown of the three general areas involved, and who to go to for help: Problems with getting an electronic certificate (either personal or site) Problems with the stuff at http://bs.mit.edu/mitca.ca, https://ca.mit.edu, or questions about the documentation at http://web.mit.edu/is/help/cert/ or http://web.mit.edu/is/help/cert/cert.html: These services are maintained by the Network group and the Publications group, respectively. You can contact them through: Athena Consulting (if you are using Athena) or The Computing Helpdesk (if you are using a Mac or Windows box) Problems with using WebSIS after you have already gotten your certificates You've successfully gotten your certificate, but you can't preregister or get an error doing something on student.mit.edu. You should contact the WebSIS support team at websis@mitsis.mit.edu. This email is monitored during regular business hours, Monday-Friday 9 am - 5 pm. Problems with Netscape Navigator If you need help using Netscape Navigator or getting rid of old certificate files, contact: Athena Consulting (if you are using Athena) or The Computing Helpdesk (if you are using a Mac or Windows box)

*It's asking me for Six Secret Words!*	In the Fall of 1997, an initial passphrase in addition to a username and password was required of new students for security reasons. The new Java certificate server should never ask for these six words anymore. If you do get asked for six words somewhere, please contact Athena Consulting at x3-4435 or by typing `olc` at your `athena%` prompt.

Internet Explorer is giving me an error when I try to get a certificate!	Internet Explorer version 5.5 or later for Windows should work fine with the MIT certificate server. Make sure you are running the latest version. You can also download the latest MIT-supported version of Netscape Navigator from MIT if you prefer. There are both Windows and Macintosh versions available. Note that Internet Explorer for Mac OS (any version) does not support personal certificates at all. If you know someone with pull at Microsoft, you may want to request that support be added.

I would like to learn more about Certificates!	Good for you! There are many documents out there pertaining to MIT web certificates. Aside from general instructions and troubleshooting tips, each contains a few unique pearls of wisdom. The Information Systems Publications group publishes these seven documents: Web Certificates at MIT (Table of Contents) The Quick Guide to MIT Certificates The Complete Guide to MIT Certificates The Illustrated Guide to Obtaining MIT Certificates (part of the Athena Tutorial) Recommended Netscape Security Preferences for use with MIT Certificates What to do when Personal Certificates expire Another document on Certificate Expiration Article in the IS News Letter about Certificates The MIT Network Group has its own version of a certificate guide, found at: Obtaining MIT Certificates Jeff Schiller, MIT's Network Manager and all-around security guru, gives a great interview on Campus Certificate Authorities as part of the CREN Tech Talk Series. You can read the transcript or listen to a streaming audio archive. As with all of Jeff's talks, this one is both informative and entertaining. Campus Certificate Authorities with guest expert Jeff Schiller For general information on Netscape security and Netscape certificates see: Netscape Security Solutions Athena Consulting has a few stock answers on WebSIS and certificates here: WEBSIS (CERTIFICATES) Answers The MIT Libraries have an excellent page geared towards customers of MIT Libraries Computer Support. It is well organized and contains cross-references to most other certificate resources at MIT. MIT Libraries Guide to Web Certificates