SSL certificates
We traditionally request certificates from one of our approved certificate authorities (CAs), GlobalSign or DigiCert (currently our preferred provider). The provider may switch between the two when procurement is re-run (every 12 months); all users will be notified ahead of time if the supplier changes.
The certificate can be created manually or generated and renewed automatically via Azure Key Vault. Both automatic and manual options are presented here.
Certificates generated on the CAs are paid for centrally by the Platform support team.
This documentation doesn't apply to Azure managed certificates in App Service or Front Door.
Create account
Use the External Digital Certificates form on the service portal and choose: Request type: Request an account
Generate manually
Create CSR and private key
Using openssl:
openssl req -nodes -out CSR.csr -new -newkey rsa:2048 -keyout privatekey.key
Use details similar to these:
Country Name (2 letter code) []:GB
State or Province Name (full name) []:Greater Manchester
Locality Name (eg, city) []:Manchester
Organization Name (eg, company) []:Department for Education
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:development.additional-teaching-payment.education.gov.uk (don’t use a wildcard if possible, use multiple SANs instead)
Email Address []:capt-dev@digital.education.gov.uk (use a team email)
Keep the private key safe, for example in a production Key Vault. Only the CSR is sent to the CA; the private key never leaves your control, so don't email it or attach it to a ticket.
SAN: additional domain names
One certificate can cover multiple domains in addition to the CN above by using Subject Alternative Names (SANs). SANs cost half the price of a full certificate, so use them whenever and wherever possible. Browsers ignore the CN and match only SANs, so the CN itself must also be listed as a SAN.
Digicert allows adding SANs interactively during the request process.
Or prepare an openssl config file, such as this san.cnf (prompt = no makes openssl take the subject from the file instead of prompting for it; the CN is repeated as DNS.1 because browsers match only SANs):
[ req ]
default_bits = 2048
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = GB
stateOrProvinceName = Greater Manchester
localityName = Manchester
organizationName = Department for Education
commonName = additional-teaching-payment.education.gov.uk
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = additional-teaching-payment.education.gov.uk
DNS.2 = www.additional-teaching-payment.education.gov.uk
DNS.3 = staging.additional-teaching-payment.education.gov.uk
Then run:
openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout private.key -config san.cnf
No interactive prompts are shown. Before submitting, check the CSR with openssl req -in sslcert.csr -noout -text and confirm the subject and the full SAN list are present.
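The same CSR procedure as a script, added here as an example (it is not code from the original page): it writes the SAN config for a CN plus any number of extra names, generates the key and CSR without prompts, lists the SANs the CSR actually carries, and confirms the CSR was signed with the private key you are about to keep. The hostnames, file names and function names are illustrative assumptions; it needs only openssl (1.1.1 or later) on PATH.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Assumes openssl 1.1.1+ on PATH;
# hostnames below are placeholders constructed for the demo.
set -eo pipefail

# Write an openssl request config for CN plus extra SANs.
# Usage: write_san_config OUTFILE CN [SAN ...]
write_san_config() {
  local out="$1" cn="$2"; shift 2
  {
    cat <<EOF
[ req ]
default_bits = 2048
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
C = GB
ST = Greater Manchester
L = Manchester
O = Department for Education
CN = ${cn}

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
EOF
    # Browsers match only SANs, so the CN is always listed as DNS.1.
    local i=1 name
    for name in "$cn" "$@"; do
      echo "DNS.${i} = ${name}"
      i=$((i + 1))
    done
  } > "$out"
}

# Generate a new RSA key and a CSR from the config, with no prompts.
# Usage: make_csr CONFIG KEYFILE CSRFILE
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$1" -keyout "$2" -out "$3" 2>/dev/null
}

# Print the SAN entries a CSR carries, one per line ("DNS:host").
csr_sans() {
  openssl req -in "$1" -noout -text \
    | awk '/X509v3 Subject Alternative Name/ {getline; gsub(/^[ \t]+/, ""); gsub(/, /, "\n"); print}'
}

# Return 0 if the CSR's public key is the one derived from KEYFILE.
# Usage: csr_matches_key CSRFILE KEYFILE
csr_matches_key() {
  [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Demo run in a scratch directory.
work="$(mktemp -d)"
write_san_config "$work/san.cnf" additional-teaching-payment.education.gov.uk \
  www.additional-teaching-payment.education.gov.uk \
  staging.additional-teaching-payment.education.gov.uk
make_csr "$work/san.cnf" "$work/private.key" "$work/sslcert.csr"
echo "SANs in CSR:"
csr_sans "$work/sslcert.csr"
csr_matches_key "$work/sslcert.csr" "$work/private.key" && echo "CSR matches private.key"
```

Submit sslcert.csr to the CA and keep private.key; if csr_sans is missing a name, fix the config and regenerate before submitting, since the CA issues exactly what the CSR (plus any names added in its portal) asks for.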
Request new certificate in DigiCert
- Log in to DigiCert with your own account
- Select Request a certificate, then Secure Site OV
- Paste the CSR
- Choose coverage for 1 or 2 years
- Add organization: Department for Education
- Additional emails: your team email
- Click Submit request
Request new certificate in GlobalSign
- Open the GlobalSign portal
- Select Managed SSL
- Choose Order Certificate from either Department for Education or Education & Skills Funding Agency
- Paste the CSR created above
- Check this CSR, Continue
- Products: OrganizationSSL
- SSL Certificate Type: Single Domain Certificate
- Point of contact must have a team email address, not an individual's
- Tick the box Is this the Point of Contact for communications?
- Continue until Complete
The Platform support team will receive and validate the request, and you will receive an email with the certificate in PEM (.cer) format. Check that the returned certificate matches your private key before deploying it.
Convert to pfx format
It may be necessary to convert to PFX (PKCS #12) format, especially for Azure. A PFX bundles the PEM certificate and its separate private key into a single password-protected file. If the CA supplied an intermediate (chain) certificate, include it with -certfile so that servers present the complete chain.
Using openssl:
openssl pkcs12 -export -out cert.pfx -inkey privatekey.key -in cert.cer
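As an added example (not from the original page), the conversion wrapped with the two checks that catch the usual failures: it refuses to build a PFX from a certificate and key that don't belong together, takes the export password from the environment rather than the command line (where it would land in shell history and ps output), and reads the bundle back to confirm it contains the expected leaf. The self-signed certificate in the demo is a constructed stand-in for the CA-issued cert.cer; function names and the PFX_PASSWORD variable are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Assumes openssl on PATH and the
# export password in $PFX_PASSWORD (never passed on the command line).
set -eo pipefail

# Return 0 if the certificate's public key matches the private key.
# Usage: cert_matches_key CERT KEY
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Build a PFX from CERT + KEY (+ optional CHAIN of intermediates).
# Usage: make_pfx CERT KEY OUT [CHAIN]
make_pfx() {
  local cert="$1" key="$2" out="$3" chain="${4:-}"
  cert_matches_key "$cert" "$key" \
    || { echo "refusing: certificate and private key do not match" >&2; return 1; }
  if [ -n "$chain" ]; then
    openssl pkcs12 -export -out "$out" -inkey "$key" -in "$cert" \
      -certfile "$chain" -passout env:PFX_PASSWORD
  else
    openssl pkcs12 -export -out "$out" -inkey "$key" -in "$cert" \
      -passout env:PFX_PASSWORD
  fi
}

# Print the subject of the leaf certificate stored in a PFX (read-back check).
# Usage: pfx_subject PFXFILE
pfx_subject() {
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:PFX_PASSWORD 2>/dev/null \
    | openssl x509 -noout -subject
}

# Demo: a constructed self-signed certificate stands in for the CA-issued one.
work="$(mktemp -d)"
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/C=GB/O=Department for Education/CN=example.test" \
  -keyout "$work/privatekey.key" -out "$work/cert.cer" 2>/dev/null
export PFX_PASSWORD="$(openssl rand -base64 24)"
make_pfx "$work/cert.cer" "$work/privatekey.key" "$work/cert.pfx"
echo "leaf in PFX: $(pfx_subject "$work/cert.pfx")"
```

Store the PFX and its password together in Key Vault (certificate + secret), not in a repository or a ticket.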
Automatic via key vault
Azure key vault can generate, renew and store the certificate automatically.
Key vault account
A special “Key vault account” is required and must be approved on case by case basis. It can be requested via the Non-standard / Any Other Request service portal form. The business service is Shared IT core services and the offering is SSL Certificate Authority Systems (external).
DigiCert CA
- If you don't have an API key, first log in to DigiCert with the Key vault account
- Click on API keys, then Add API key
- Add a description
- API key restrictions: orders
- Click Add API key and keep note of the key. Treat it as a credential: ideally store it in a production Key vault secret.
In Key vault, click on Certificates, then Certificate Authorities, then +:
- Provider: DigiCert
- Account ID: Cert central account number 1446606
- Account Password: API key as above
- Organization ID: CertCentral Department For Education Organization ID: 877555
GlobalSign CA
In Key vault, click on Certificates, then Certificate Authorities, then +:
- Provider: GlobalSign
- Account ID: Key vault account username
- Account Password: Key vault account password
- E-mail of Administrator: the contact details should be for a team, not an individual
Create certificate
Create a certificate
- Method: Generate
- Name: Unique name (usually the subdomain)
- Type of CA: integrated
- CA: the CA created above
- Subject (example):
C=GB, ST=Greater Manchester, L=Manchester, O=Department for Education, CN=claim-additional-teaching-payment.service.gov.uk
- DNS Names: list of additional domain names (SANs) to be covered by this certificate
- Validity: 12 months
- Content type: PKCS #12
- Lifetime action type: Automatically renew at a given number of days before expiry
- Number of days: 30
Click Create
Click Certificate Operation and wait for result
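The same CA registration and certificate creation driven from the Azure CLI, added here as an example (not from the original page) for teams that script their infrastructure. The policy is produced by a function so it can be reviewed before anything is sent to Azure; the issuer name in the policy must match the issuer registered on the vault, and reuseKey is set to false so each automatic renewal gets a fresh private key. The vault name, issuer name, hostnames and the DIGICERT_API_KEY variable are assumptions; the az calls are commented out so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Assumes the Azure CLI (az) is
# logged in with rights on the vault when the commented lines are run.
set -eo pipefail

# Emit a Key Vault certificate policy as JSON.
# Usage: kv_cert_policy ISSUER SUBJECT VALIDITY_MONTHS DAYS_BEFORE_EXPIRY DNS...
kv_cert_policy() {
  local issuer="$1" subject="$2" months="$3" days="$4"; shift 4
  local names="" n
  for n in "$@"; do names="${names:+$names, }\"$n\""; done
  cat <<EOF
{
  "issuerParameters": { "name": "${issuer}" },
  "keyProperties": { "exportable": true, "keySize": 2048, "keyType": "RSA", "reuseKey": false },
  "secretProperties": { "contentType": "application/x-pkcs12" },
  "x509CertificateProperties": {
    "subject": "${subject}",
    "subjectAlternativeNames": { "dnsNames": [${names}] },
    "validityInMonths": ${months}
  },
  "lifetimeActions": [
    { "trigger": { "daysBeforeExpiry": ${days} }, "action": { "actionType": "AutoRenew" } }
  ]
}
EOF
}

# Register DigiCert as an integrated CA on the vault (done once per vault).
# GlobalSign uses --provider-name GlobalSign with the Key vault account
# username/password and the administrator contact details instead.
# Usage: kv_register_digicert VAULT ISSUER ACCOUNT_ID API_KEY ORG_ID
kv_register_digicert() {
  az keyvault certificate issuer create --vault-name "$1" --issuer-name "$2" \
    --provider-name DigiCert --account-id "$3" --password "$4" --organization-id "$5"
}

# Create the certificate from a policy file and show the pending operation.
# Usage: kv_create_cert VAULT NAME POLICY_FILE
kv_create_cert() {
  az keyvault certificate create --vault-name "$1" --name "$2" --policy "@$3"
  az keyvault certificate pending show --vault-name "$1" --name "$2"
}

# Demo: build and print the policy for the subject used in the portal steps.
work="$(mktemp -d)"
kv_cert_policy digicert-ca \
  "C=GB, ST=Greater Manchester, L=Manchester, O=Department for Education, CN=claim-additional-teaching-payment.service.gov.uk" \
  12 30 \
  claim-additional-teaching-payment.service.gov.uk \
  www.claim-additional-teaching-payment.service.gov.uk \
  > "$work/policy.json"
cat "$work/policy.json"
# With az logged in (account and organization IDs as on this page; API key from the environment):
# kv_register_digicert my-vault digicert-ca 1446606 "$DIGICERT_API_KEY" 877555
# kv_create_cert my-vault claim-additional-teaching-payment "$work/policy.json"
```

The CN is listed again under dnsNames because browsers validate only SANs; leaving it out produces a certificate that Key Vault accepts but clients reject for the bare hostname.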
For DigiCert, you must provide a team email as an additional contact. This can only be done on the website:
- Log in as the Key vault account
- Click on Requests, click on the certificate, then click on the order number
- Under Additional email recipients, click Add email
- Enter the email and save
Renewals
The certificates are monitored and owners are notified via email before expiry by either the provider or the Platform support team. If Key vault automated renewal is configured, this can be ignored.
Azure Front Door (AFD) Renewal
AFD should automatically renew SSL certificates; however, this process sometimes gets stuck.
- Log in to the Azure portal
- Submit a PIM request for the required role
- Go to the associated AFD
- Go to the Domains section
- For the domain name, under 'Validation state' you will see 'Pending'. Note that the certificate type should be 'AFD Managed'
- Regenerate the TXT record; this may take several attempts.
- Then click 'Update' to refresh the 'DNS record status', which appears after 'Regenerate'
- It takes approximately 5 minutes to process.
- Confirm that the _dnsauth TXT record for the domain has been updated in the DNS zone.
- Check StatusCake; you should see that the certificate is updated. You may need to run a forced test.
Check certificate
To view certificate details such as the expiry date, run the following command to download the certificate currently served by a website. The -servername option sends SNI, so that a front end hosting several sites (Front Door, App Service) returns the certificate for the name you asked about rather than a default one. In this example, we are focusing on https://find-postgraduate-teacher-training.education.gov.uk :
openssl s_client -connect find-postgraduate-teacher-training.education.gov.uk:443 -servername find-postgraduate-teacher-training.education.gov.uk </dev/null 2>/dev/null | openssl x509 -outform PEM > certoutput.cert
Once downloaded, you can run:
openssl x509 -in certoutput.cert -noout -text
Use -noout -dates instead of -text to print just the validity period.