PKI (or Public Key Infrastructure) enables secure communication between computers. The "keys" are little computer documents called digital certificates. PKI relies on different components all playing nicely together in your computer. Here we explain the components you control and how to set them up.


Follow these instructions carefully. Read each step before doing it. We recommend you print them out first.
We've designed this to be as easy-to-follow as possible. But we would love to improve it. So if you have any suggestions, please email us at

Before you start

Before you start you will need:

  1. The things shown above in the infographic (depending on what you're doing).
  2. Firefox (for Individual keys). Firefox is needed because PKI doesn't work well with other web browsers.
  3. You may need the password of an Administrator account on your computer.

Next section: How to Install

How to Install

To install individual PKI you start with the Chain of Trust:

Install Chain of Trust

Organisation PKI is installed in either your clinical or secure messaging software. The vendors of the software provide instructions for you. Click the button below for a list of links to instructions.

Install Organisation PKI

Install Chain of Trust

Chain of Trust icon

The Chain of Trust is like a keyhole. It needs to be in place before you can use your Individual keys. It's made of 3 certificates you install into Firefox. When installed, the certificates will be saved as pictured below in Step 2.


Following the steps below is a bit tricky because you need to read the instructions, download the files in Step 3, and use Firefox, all at the same time. If you're comfortable with switching between windows and tabs you should be okay. If not, you could either get someone who is comfortable to help you out, or try printing them out and doing Steps 3 through to 8 first.
  1. Open Firefox.
  2. Check if the Chain of Trust certificates are already installed.
    • Click the Tools menu (or the Tools icon icon at the top-right of the window), then click Options.
    • Click on the Advanced tab from the menu down the left-hand side.
    • Click Certificates.
    • Click View Certificates.
    • Click on the Authorities tab.
    • You should see a long list of certificates grouped and in alphabetical order. Scroll down through the list and look for a group called "GOV" (you won't find it if it hasn't been installed).
    • If you didn't find the three certificates under "GOV" (as shown below) continue to the next step. If you did, then the certificates are already installed. Click the OK button to close the list.
      Chain of Trust installed screenshot

  3. Right-click on each of the links below and select to save them to your computer. Note that it's very important you know where you're saving them to (it's usually your Downloads folder).




  4. Go to your computer's Desktop.
  5. Create a folder on the Desktop called "Chain of Trust" and open the folder.
  6. Go to the location on your computer where you downloaded the files in Step 3.
  7. Double-click to open the first file. It should display a certificate. Copy this certificate into the "Chain of Trust" folder you created in Step 5.
  8. Repeat Step 7 for the other two files. When finished, you should see the folder containing the three certificates as shown below:
    Chain of Trust folder

  9. Open Firefox.
  10. Click the Tools menu (or the Tools icon icon at the top-right of the window), then click Options.
  11. Click on the Advanced tab from the menu down the left-hand side.
  12. Click Certificates.
  13. Click View Certificates.
  14. Click on the Authorities tab.
  15. Click the Import button.
  16. Navigate to the "Chain of Trust certificates" folder on your Desktop. Select the first certificate and click Open. You should then see the Downloading Certificate screen. Tick each Trust box as shown below, then click Ok.
    Certificate import screen

  17. Repeat step 16 for the other two certificates.
  18. Congratulations, you should now have the Chain of Trust certificates installed. Scroll through the list as described in Step 2 to check.

Did you get stuck? If so, call the Medicare eBusiness Centre on 1800 700 199.

Next section: Install Individual Token Manager

Install Individual Token Manager

Before installing, ensure you have worked through the Before you start section above. If you have problems, you can stop/cancel the process and start again.

  1. It may not be necessary, but we recommend restarting the computer first, then immediately doing the following steps.
  2. Insert the Token Software Installer CD (pictured right) into your computer.
  3. Open the folder to view the files on the CD.
  4. Double-click on the SafeSign-Identity-Client file to run the install process.
  5. Follow the prompts to install. Most prompts simply require you to click the Next button.
    • When prompted, ensure you accept the terms of the license agreement.
    • If it appears that nothing is happening, try moving the install window to one side. You may find that there is another prompt sitting behind the window that needs to be actioned and closed.
  6. When finished, eject the CD from your computer.
CD installer

Did you get stuck? If so, call the Medicare eBusiness Centre on 1800 700 199.

Next section: Use Individual Certificate

Use Individual Certificate

You will be using the USB token which must have the SIM inserted into it (as shown in the infographic above).

  1. Insert the USB token into your computer. Wait 10 seconds. If the light in the token stays a constant green (i.e. doesn't flash) then the Certificate is already installed and you don't need to go any further.
  2. Check installed certificates.
    • Click the Tools menu (or the Tools icon icon at the top-right of the window).
    • Click the Options menu.
    • Click on the Advanced tab from the menu down the left-hand side.
    • Click Certificates.
    • Click View Certificates. If you're asked for your master password, enter the PIC for your Individual certificate. The PIC is sent from Medicare in an envelope (like shown below):

    • Click on the Your Certificates tab. If you don't see two certificates in your name under the heading of "GOV" as shown below, then continue with the following steps. If you do see them, then your certificates are already installed and you should be able to connect. Click the Ok button to close the list.
      Your Certificates

  3. Click the Ok button to close the list.
  4. Click the Security Devices button.
  5. Click the Load button.
  6. Type "CSSI" into the Module Name field as shown below.
    Load PKI screen

  7. Click the Browse button and navigate to C:\WINDOWS\system32. There is a long list of folders and files in this folder.
  8. Go back to the screen and scroll down past the folders and look for the correct file (note that if you select the wrong file it will warn you and prompt you to try again):
    • Look at your token to check what type it is (if you need to, it's okay to take it out of the computer and put it in again).
      • If you have a smart card or a Gemalto USB token, select the file called cmp11.dll.
      • If you have an older USB token, select the file called dkck201.dll.
  9. Click OK after selecting the file. You may need to wait 2 or 3 seconds.
  10. The Device Manager window should now be displayed. You should see your name under the Smart Card section, and the USB token should stop flashing.
  11. Click OK.
  12. Repeat Step 2 to check that you've successfully loaded your certificates.

Did you get stuck? If so, try repeating the above steps using the Chrome browser, or call the Medicare eBusiness Centre on 1800 700 199.

Organisation (or Site) PKI

The Medicare Organisation PKI is used for online claiming and to access the Healthcare Identifiers service.

The NASH Organisation PKI is used to access the My Health Record.

Click on the relevant link below to see install instructions for the software you're using:

Renewal of Organisation (or Site) certificates


Medicare Site certificates renew automatically via the installed PKI Certificate Manager. However, the clinical software may not automatically install the updated certificate. The links to the install instructions directly above explain how to import it into the clinical software.


Each month, Medicare's eBusiness Centre is given a list of clinics that are 60 days out from a NASH expiring. Assuming the registration details are correct, a CD is sent out to the clinic after a few days.

When the clinic receives the CD, it must update the clinical software and also SMD product (i.e. this is not done automatically).

If for whatever reason a NASH is not received, the revoke/renew form is required to be filled in and returned to eBusiness for processing and sending of a new one.

Since late 2016, expiry dates are printed on the NASH CDs. For CDs issued prior to this change, the only way of finding out when a NASH expires is via the Certificates Australia website (which needs a NASH to work) or some clinical software programs (e.g. Medical Director) have a section showing when the site certificate and NASH expire, however others don’t.

Back to the top