Renew a TLS certificate for GOV.UK
This document covers how to renew wildcard TLS certificates for
*.integration.publishing.service.gov.uk. It is a task performed
by Reliability Engineering.
Credentials for the Fastly dashboard and Zendesk support sites are in the 2nd line password store.
- Generate a Certificate Signing Request (CSR) for a renewal.
- Log into Gandi using the credentials in the infra password store.
- Go to the account dashboard and find the list of TLS certificates on the account.
- Find the certificate you wish to renew and click Renew. You need to
request a wildcard certificate (for example,
- Go through the steps on the renewal form until you reach a page requesting a Certificate Signing Request.
- Upload the CSR to Gandi by pasting the contents of the .csr file into the text box.
- Next, choose DNS validation and follow the instructions to add the relevant DNS records.
- Pay for it - we don't have a stored payment method, so find the person with the GDS credit card. Or raise a request for temporary credit card details from PMO by sending an email to email@example.com.
- Once the certificate has been renewed, paste the contents of the resulting .crt file into Puppet hieradata for the relevant environment in the govuk-secrets repository.
- Deploy Puppet to update the certificate in the relevant environment.
- Import the certificate to AWS ACM. Log in to the AWS console in the appropriate environment and follow the instructions here. The chain cert is the second certificate under "wildcard_publishing_certificate" in govuk-secrets.
- For staging and integration only: Go to the Fastly interface and then to Configure -> HTTPS and network. Go to TLS certificates and upload your new cert. (You do not need to do this for production because we use a different certificate there.)
- For staging and integration only: In TLS domains click on more details and then select your new certificate under CERTIFICATE BEING USED.
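The CSR step and the leaf/chain layout noted in the ACM step, as an added example that is not part of this runbook or the govuk-secrets repository: a bash script that generates the wildcard key and CSR, then checks a returned .crt bundle (leaf first, chain second) against the private key before it is pasted into hieradata. It assumes OpenSSL 1.1.1 or later; the issuing CA is constructed locally so the script runs offline, whereas the real certificate and chain come from Gandi.

```shell
#!/usr/bin/env bash
# Added example, not part of the GOV.UK runbook. Assumes OpenSSL 1.1.1+.
# The CA below is constructed locally so this runs offline; Gandi's chain differs.
set -euo pipefail
DOMAIN="*.integration.publishing.service.gov.uk"   # wildcard name from the runbook
WORKDIR="$(mktemp -d)"

# Runbook step 1: private key and CSR for the wildcard name (SAN included).
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORKDIR/wildcard.key" \
    -out "$WORKDIR/wildcard.csr" -subj "/CN=$DOMAIN" \
    -addext "subjectAltName=DNS:$DOMAIN" 2>/dev/null
}

# Print the CSR subject so it can be eyeballed before uploading to Gandi.
csr_subject() {
  openssl req -in "$WORKDIR/wildcard.csr" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject=//'
}

# Constructed stand-in for the CA: a self-signed root signs the CSR, then the
# bundle is written in the order the runbook expects (leaf first, chain second).
make_sample_bundle() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed CA" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORKDIR/wildcard.csr" -CA "$WORKDIR/ca.crt" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -out "$WORKDIR/leaf.crt" 2>/dev/null
  cat "$WORKDIR/leaf.crt" "$WORKDIR/ca.crt" > "$WORKDIR/wildcard.crt"
}

# Print the Nth PEM certificate of a bundle (1 = leaf, 2 = chain cert, as in
# the "wildcard_publishing_certificate" layout in govuk-secrets).
nth_cert() {
  awk -v n="$2" '/-----BEGIN CERTIFICATE-----/{i++} i==n' "$1"
}

# Checks before pasting into hieradata or importing into ACM: the leaf's public
# key must match our private key, and the chain cert must validate the leaf.
bundle_ok() {
  local bundle="$1" key="$2"
  nth_cert "$bundle" 1 > "$WORKDIR/check_leaf.pem"
  nth_cert "$bundle" 2 > "$WORKDIR/check_chain.pem"
  [ "$(openssl x509 -in "$WORKDIR/check_leaf.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] || return 1
  openssl verify -CAfile "$WORKDIR/check_chain.pem" "$WORKDIR/check_leaf.pem" >/dev/null 2>&1
}

make_csr
make_sample_bundle
bundle_ok "$WORKDIR/wildcard.crt" "$WORKDIR/wildcard.key" && echo "bundle OK: $(csr_subject)"
```

Swapping the two certificates in the bundle (chain first) makes `bundle_ok` fail, which is the mistake the "second certificate" note in the ACM step guards against.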