Skip to main content

The DfE technical guidance and its content is intended for internal use by the DfE community.

SSL certificates

We traditionally request certificates from one of our certified certificate authorities (CAs) Globalsign or DigiCert (currently our preferred provider). This may alter between them depending on the procurement process (every 12 months). All users will be notified ahead of time should the supplier change.

The certificate can be created manually or generated and renewed automatically via Azure Key Vault. Both automatic and manual options are presented here.

Certificates generated on the CAs are paid for centrally by the Platform support team.

This documentation doesn’t apply to Azure managed certificates in App service or Front door.

Create account

Use the External Digital Certificates form on the service portal and choose: Request type: Request an account

Generate manually

Create CSR and private key

Using openssl:

openssl req -nodes -out CSR.csr -new -newkey rsa:2048 -keyout privatekey.key

Use similar details as:

Country Name (2 letter code) []:GB
State or Province Name (full name) []:Greater Manchester
Locality Name (eg, city) []:Manchester
Organization Name (eg, company) []:Department for Education
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:development.additional-teaching-payment.education.gov.uk (don’t use a wildcard if possible, use multiple SANs instead)
Email Address []:capt-dev@digital.education.gov.uk (use a team email)

Keep the private key safe, for example in a production key vault.

SAN: additional domain names

One certificate can cover mutiple domains in addition to the CN above by using Subject Alternate Names (SAN). SANs are half the price of a full certificate so they should be used whenever and wherever possible.

Digicert allows adding SANs interactively during the request process.

Or prepare an openssl config file, such as this san.cnf:

[ req ]
default_bits        = 2048
distinguished_name  = req_distinguished_name
req_extensions      = req_ext
[ req_distinguished_name ]
countryName         = GB
stateOrProvinceName = Greater Manchester
localityName        = Manchester
organizationName    = Department of Education
commonName          = additional-teaching-payment.education.gov.uk
[ req_ext ]
subjectAltName      = @alt_names
[alt_names]
DNS.1               = www.additional-teaching-payment.education.gov.uk
DNS.2               = staging.additional-teaching-payment.education.gov.uk

Then run:

openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout private.key -config san.cnf

And confirm the answers interactively.

Request new certificate in DigiCert

  • Login to Digicert with your own account
  • Select Request a certificate then Secure Site OV
  • Paste the CSR
  • Choose coverage for 1 or 2 years
  • Add organization: Department For Education
  • Additional emails: your team email
  • Click Submit request

Request new certificate in Globalsign

  • Open Globalsign portal
  • Select Managed SSL
  • Choose Order Certificate from either Department for Education or Education & Skills Funding Agency
  • Paste the CSR created above
  • Check this CSR, Continue
  • Products: OrganizationSSL
  • SSL Certificate Type: Single Domain Certificate
  • Point of contact must have a team email email address, not an individual
  • Tick box Is this the Point of Contact for communications?
  • Continue until Complete

The Platform support team will receive the request, validate and you will receive an email with the certificate in PEM (.cer) format.

Convert to pfx format

It may be required to convert to pfx format, especially in Azure. It replaces pem certificate+private key with pfx certificate+password.

Using openssl:

openssl pkcs12 -export -out cert.pfx -inkey privatekey.key -in cert.cer

Automatic via key vault

Azure key vault can generate, renew and store the certificate automatically.

Key vault account

A special “Key vault account” is required and must be approved on case by case basis. It can be requested via the Non-standard / Any Other Request service portal form. The business service is Shared IT core services and the offering is SSL Certificate Authority Systems (external).

Digicert CA

  • If you don’t have an API key, first login to Digicert with the Key vault account
  • Click on API keys then Add API key
  • Add a description
  • API key restrictions: orders
  • Click Add API key and keep note of the key. Ideally store it in a production Key vault secret.

In Key vault, click on Certificates, then Certificate Authorities, then +:

  • Provider: Digicert
  • Account ID: Cert central account number 1446606
  • Account Password: API key as above
  • Organization ID: CertCentral Department For Education Organization ID: 877555

Globalsign CA

In Key vault, click on Certificates, then Certificate Authorities, then +:

  • Provider: Globalsign
  • Account ID: Key vault account username
  • Account Password: Key vault account password
  • E-mail of Administrator: The contact details should be for a team, not an individual

Create certificate

  • Create a certificate

    • Method: Generate
    • Name: Unique name (usually the subdomain)
    • Type of CA: integrated
    • CA: the CA created above
    • Subject (example):
    C=GB, ST=Greater Manchester, L=Manchester, O=Department for Education, CN=claim-additional-teaching-payment.service.gov.uk
    
    • DNS Names: list of additional domain names (SANs) to be covered by this certificate
    • Validity: 12 months
    • Content type: PKCS #12
    • Lifetime action type: Automatically renew at a given number of days before expiry
    • Number of days: 30
  • Click Create

  • Click Certificate Operation and wait for result

For Digicert, you must provide a team email as additional contact. This can only be done on the website:

  • Login as the Key Vault account
  • Click on Requests, click on the certificate, click on the order number
  • Under Additional email recipients click Add email
  • Enter the email and save

Renewals

The certificates are monitored and owners are notified via email before expiry by either the provider or the Platform support team. If Key vault automated renewal is configured, this can be ignored.

Azure Front Door (AFD) Renewal

AFD should automatically renew SSL certificates, however there are times this process may get stuck.

  • Login the azure portal
  • Submit a PIM request
  • Go to the associated AFD
  • Go to domains section
  • For the domain name, under ‘Validate State’ you’ll see ‘pending’. Note that the certificate type should be ‘AFD Managed’
  • Regenerate the TXT records, this may take several attempts.
  • Then click ‘update’ to update the ‘DNS record status’ which should show up after ‘regenerate’
  • It will take approximately 5 mins to process.
  • Confirm that the _dnsauth record for the entry has been updated in the DNS zone.
  • Check statuscake, you should see that the certificate is updated. You may need to do a forced test.

Check certificate

In order to view certificate expiry details such as expiry date, etc., you can run the following command to download the certificate currently being used on a website. In this example, we are focusing on https://find-postgraduate-teacher-training.education.gov.uk :

echo -n | openssl s_client -connect find-postgraduate-teacher-training.education.gov.uk:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certoutput.cert

Once downloaded, you can run:

openssl x509 -in certoutput.cert -text