Renew a TLS certificate for GOV.UK
Renewing the certificate for www.gov.uk
The TLS certificate for www.gov.uk is managed by Fastly. Fastly will open a support ticket when the certificate is due for renewal. This ticket will be picked up by GOV.UK Platform Engineering, who will co-ordinate with Fastly to renew the certificate.
Note that the www.gov.uk certificate is not visible anywhere in the Fastly user interface. It is managed entirely through Fastly support.
Renewing the certificate may require a TXT record on the gov.uk top level
domain. This is because the certificate contains a Subject Alternate Name (SAN)
of DNS: gov.uk. This TXT record needs to be requested through JISC following
the process for DNS for the gov.uk top level domain.
Credentials for the Fastly Zendesk support site are in the Technical 2nd Line password store.
Renewing wildcard certificates
Wilcard certificates for *.publishing.service.gov.uk, *.staging.publishing.service.gov.uk
and *.integration.publishing.service.gov.uk are managed by AWS ACM.
For AWS ACM to issue a certificate, you must prove ownership of the domain using DNS. DNS for publishing.service.gov.uk is managed through govuk-dns.
AWS ACM will provide a CNAME record for you to set, which you must add to govuk-dns-config. See govuk-dns-config#398 for an example.
Once you have deployed this DNS record, AWS should issue the certificate.
So long as the DNS record remains in place AWS can renew these certificates automatically. You shouldn’t need to do anything unless something goes wrong.
Renewing Gandi certificates for third party services
Some certificates are still issued through Gandi (for example signup.take-part-in-research.service.gov.uk).
If you need to renew one of these, first consider whether it could be issued automatically using Fastly or AWS ACM (if the service is hosted on either, the answer is probably “yes”).
If you decide that renewing the certificate is the best available option, follow this process:
- Generate a Certificate Signing Request (CSR) for a renewal.
- Log into Gandi using the credentials in the infra password store.
- Go to the account dashboard and find the list of TLS certificates on the account.
- Find the certificate you wish to renew and click Renew.
- Go through the steps on the renewal form until you reach a page requesting a Certificate Signing Request.
- Upload the CSR to Gandi by pasting the contents of the .csr file into the text box.
- Next, choose DNS validation to validate it and follow the instructions to add the relevant DNS records.
- Pay for it - we don’t have a stored payment method, so find the person with the GDS credit card. Or raise a request for temporary credit card details from PMO by sending an email to pmo@digital.cabinet-office.gov.uk.
- Add the Certificate, Private Key, Certificate Signing Request and Intermediate Certificate
to the
2ndlinepass store under thecertificatesdirectory. - Import the certificate to the relevant infrastructure