Skip to main content
Last updated: 26 Apr 2023

Renew a TLS certificate for GOV.UK

Renewing the certificate for

The TLS certificate for is managed by Fastly. Fastly will open a support ticket when the certificate is due for renewal. This ticket will be picked up by GOV.UK Platform Engineering, who will co-ordinate with Fastly to renew the certificate.

Note that the certificate is not visible anywhere in the Fastly user interface. It is managed entirely through Fastly support.

Renewing the certificate may require a TXT record on the top level domain. This is because the certificate contains a Subject Alternate Name (SAN) of DNS: This TXT record needs to be requested through JISC following the process for DNS for the top level domain.

Credentials for the Fastly Zendesk support site are in the Technical 2nd Line password store.

Renewing wildcard certificates

Wilcard certificates for *, * and * are managed by AWS ACM.

For AWS ACM to issue a certificate, you must prove ownership of the domain using DNS. DNS for is managed through govuk-dns.

AWS ACM will provide a CNAME record for you to set, which you must add to govuk-dns-config. See govuk-dns-config#398 for an example.

Once you have deployed this DNS record, AWS should issue the certificate.

So long as the DNS record remains in place AWS can renew these certificates automatically. You shouldn’t need to do anything unless something goes wrong.

Renewing Gandi certificates for third party services

Some certificates are still issued through Gandi (for example

If you need to renew one of these, first consider whether it could be issued automatically using Fastly or AWS ACM (if the service is hosted on either, the answer is probably “yes”).

If you decide that renewing the certificate is the best available option, follow this process:

  1. Generate a Certificate Signing Request (CSR) for a renewal.
  2. Log into Gandi using the credentials in the infra password store.
  3. Go to the account dashboard and find the list of TLS certificates on the account.
  4. Find the certificate you wish to renew and click Renew.
  5. Go through the steps on the renewal form until you reach a page requesting a Certificate Signing Request.
  6. Upload the CSR to Gandi by pasting the contents of the .csr file into the text box.
  7. Next, choose DNS validation to validate it and follow the instructions to add the relevant DNS records.
  8. Pay for it - we don’t have a stored payment method, so find the person with the GDS credit card. Or raise a request for temporary credit card details from PMO by sending an email to
  9. Add the Certificate, Private Key, Certificate Signing Request and Intermediate Certificate to the 2ndline pass store under the certificates directory.
  10. Import the certificate to the relevant infrastructure