Student Management Systems (SMS) use a Device AUSkey to authenticate the connection with the USI Registry System.
A significant number of training organisations created their Device AUSkey in the first quarter of 2015 (just after the USI Registry System went live).
A Device AUSkey has an expiry date of two years after creation.
A Device AUSkey that is about to expire should renew automatically a few months prior to the expiry date; however, issues sometimes prevent the Auto-Renewal process from succeeding.
This is due to either the Student Management System (SMS) or an organisation’s firewall settings not permitting the AUSkey file to be updated by the renewal service.
The user is often presented with an error, fault or exception reading “Creator of this fault did not specify a reason”.
Note: The keystore.xml file must have permissions that allow it to be updated. This should be checked with your IT support area.
The simplest option to rectify the issue is for the RTO’s AUSkey Administrator to obtain a new Device AUSkey to replace the one that is about to expire.
The following information about the creation and renewal of Device AUSkeys has been sourced from the Australian Business Register (ABR) website: https://abr.gov.au/AUSkey/Help-and-support/AUSkey-Terms-and-Conditions/Certificate-Policy---Device-AUSkey/
3.3 Identification and authentication for Renewal Requests
AUSkey Device Certificates are renewed automatically. The renewal process is described in sections 4.5 and 4.6 below.
4.5 Certificate Renewal
4.5.1 Routine renewal
Device Certificates are renewed automatically as follows:
- Whenever an AUSkey Device Certificate is used, the AUSkey System checks the Certificate’s expiration date.
- If the system determines that the expiration date is near (within 14 months), a new AUSkey Device Certificate request is generated and signed using the old Certificate’s Keys (providing the necessary EOI for Certificate renewal).
Note: once the AUSkey has been renewed, expiry is again two years. If it is used after 10 months from its renewal date and before its expiration date, it is once again renewed. This means that a Device which uses an AUSkey only once a year would always have a current AUSkey.
- The PKCS#10 Certificate request is sent to the AUSkey Manager and then forwarded to the ABR RA.
- The ABR RA validates and checks the contents of the PKCS#10 data.
- The ABR RA signs the AUSkey Standard Certificate request.
- The ABR RA stores the signed request in the local ABR RA database.
- The ABR RA sends the request to the ABR CA.
- The ABR CA issues and returns a Certificate chain containing the new AUSkey Device Certificate, the ABR CA Certificate and the ABR RCA Certificate.
See Section 4.6 below for Certificate re-key.
4.5.2 Renewal after revocation
If an AUSkey Device Certificate is revoked it will not be renewed. Instead, a new Certificate must be applied for and issued (see sections 3.2, 4.1 and 4.2).
4.6 Certificate Re-Key
Certificate re-key is the process of generating a new Key Pair and issuing a new Certificate that certifies the new Public Key. All AUSkey Device Certificate renewals include re-keying as follows:
- Whenever an existing AUSkey Device Certificate is used, the AUSkey System checks the Certificate’s expiration date.
- If the AUSkey Device Certificate is due to expire within 14 months, the system initiates the renewal process (see section 4.5 above).
- The new AUSkey Device Certificate is generated and downloaded to the local key store (where the existing AUSkey is stored), silently, with no interaction with the Device Custodian.
- The next time the Device attempts to authenticate using the existing AUSkey Device Certificate, the system selects the new AUSkey Device Certificate, confirms that it is functioning, and overwrites the old AUSkey in the key store.
- The system generates and stores a confirmation that the AUSkey Device Certificate has been renewed successfully. This confirmation is not displayed in the user interface.
The AUSkey System has no limit on the number of renewals it will perform on a single Certificate.
If an AUSkey Device Certificate is not used within 14 months of its expiration date, it will expire at the end of its validity period (as set out in the Certificate Profile in section 7). The AUSkey System will not renew revoked or expired AUSkeys. Instead, a new Certificate must be applied for and issued (see sections 3.2, 4.1 and 4.2).
Renewing your Device AUSkey
If your SBR-enabled software or server doesn’t support automatic renewal, your Device AUSkey will expire after two years. If you are unsure, an Administrator AUSkey user should register for a new Device AUSkey within two years.
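
The two conditions described above (the 14-month renewal window in section 4.5.1, and the note that keystore.xml must be updatable) can be checked together before a renewal fails. The following is an added example, not code from the ABR or from any SMS vendor; the function names, status strings, keystore path and dates are assumptions, and the expiry date is supplied by the operator rather than read from the keystore.

```python
import calendar
from datetime import date

RENEWAL_WINDOW_MONTHS = 14  # "within 14 months" of expiry, per section 4.5.1


def months_before(d, months):
    """Date `months` calendar months before d, clamped to the month's last day."""
    year, month0 = divmod(d.year * 12 + (d.month - 1) - months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))


def renewal_state(not_after, today):
    """Where `today` falls relative to the certificate's renewal window."""
    if today > not_after:
        return "expired"      # never renewed; a new Device AUSkey is required
    if today >= months_before(not_after, RENEWAL_WINDOW_MONTHS):
        return "in-window"    # next use should trigger renewal and re-key
    return "not-due"


def keystore_updatable(path):
    """True if this process can open the keystore for writing.

    Opening in r+b neither truncates nor modifies the file, and it
    exercises the real permission check (ACLs, locks) on the file.
    """
    try:
        with open(path, "r+b"):
            return True
    except OSError:
        return False


def assess(path, not_after, today):
    """Combine the date check with the file check into one status."""
    state = renewal_state(not_after, today)
    if state == "in-window" and not keystore_updatable(path):
        return "at-risk"      # renewal is due but the file cannot be rewritten
    return "renewable" if state == "in-window" else state


if __name__ == "__main__":
    # Constructed sample values: substitute your own path and expiry date.
    print(assess("keystore.xml", date(2017, 3, 15), date.today()))
```

Run the check under the same account the SMS uses to call the USI Registry System, since that is the account that must be able to overwrite the keystore.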