Last updated: 11 Jul 2021

Renew a TLS certificate for GOV.UK

Renewing the certificate for

The TLS certificate for is managed by Fastly. Fastly will open a support ticket when the certificate is due for renewal. This ticket will be picked up by GOV.UK Replatforming, who will co-ordinate with Fastly to renew the certificate.

Note that the certificate is not visible anywhere in the Fastly user interface. It is managed entirely through Fastly support.

Credentials for the Fastly Zendesk support site are in the 2nd line password store.

Renewing wildcard certificates

Wildcard certificates for *, * and * are managed by AWS ACM.

For AWS ACM to issue a certificate, you must prove ownership of the domain using DNS. DNS for is managed through govuk-dns.

AWS ACM will provide a CNAME record for you to set, which you must add to govuk-dns-config. See govuk-dns-config#398 for an example.

Once you have deployed this DNS record, AWS should issue the certificate.

So long as the DNS validation record remains in place, AWS can renew these certificates automatically. You shouldn’t need to do anything unless something goes wrong.

Renewing Gandi certificates for third party services

Some certificates are still issued through Gandi (for example

If you need to renew one of these, first consider whether it could be issued automatically using Fastly or AWS ACM (if the service is hosted on either, the answer is probably “yes”).

If you decide that renewing the certificate is the best available option, follow this process:

  1. Generate a Certificate Signing Request (CSR) for a renewal.
  2. Log into Gandi using the credentials in the infra password store.
  3. Go to the account dashboard and find the list of TLS certificates on the account.
  4. Find the certificate you wish to renew and click Renew.
  5. Go through the steps on the renewal form until you reach a page requesting a Certificate Signing Request.
  6. Upload the CSR to Gandi by pasting the contents of the .csr file into the text box.
  7. Next, choose DNS validation and follow the instructions to add the relevant DNS records.
  8. Pay for it - we don’t have a stored payment method, so find the person with the GDS credit card. Or raise a request for temporary credit card details from PMO by sending an email to
  9. Add the Certificate, Private Key, Certificate Signing Request and Intermediate Certificate to the 2ndline pass store under the certificates directory.
  10. Import the certificate to the relevant infrastructure.
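For step 1 (and as a pre-upload check before steps 6 and 9), here is an added example script, not part of this page or of GOV.UK's own tooling, that generates a fresh private key and renewal CSR with openssl, verifies the CSR's self-signature, and confirms the private key really matches the CSR before it is uploaded and stored. The hostname, subject fields and file names are assumptions; replace them with the real service's values.

```shell
#!/usr/bin/env bash
# Generate a renewal CSR plus a new private key, then sanity-check both.
# Requires OpenSSL 1.1.1 or later (for -addext). Assumed subject fields.
set -eu

# make_csr HOSTNAME OUTDIR -> writes OUTDIR/HOSTNAME.key and OUTDIR/HOSTNAME.csr,
# prints the CSR path. A new key is generated for every renewal; never reuse
# the key from the expiring certificate.
make_csr() {
  local host="$1" outdir="$2"
  mkdir -p "$outdir"
  # -nodes: no passphrase, so the key can be stored in the password store as-is
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$outdir/$host.key" \
    -out "$outdir/$host.csr" \
    -subj "/C=GB/O=Government Digital Service/CN=$host" \
    -addext "subjectAltName=DNS:$host" \
    >/dev/null 2>&1
  chmod 600 "$outdir/$host.key"   # key must not be world-readable
  echo "$outdir/$host.csr"
}

# verify_csr CSRFILE -> exit 0 if the CSR's own signature verifies, else non-zero
verify_csr() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# csr_cn CSRFILE -> prints the CN from the CSR subject (RFC 2253 formatting)
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# csr_key_matches CSRFILE KEYFILE -> exit 0 if the public key embedded in the
# CSR is the same as the one derived from the private key (catches pasting the
# wrong .csr or storing a key that does not belong to the certificate)
csr_key_matches() {
  local csr_pub key_pub
  csr_pub=$(openssl req -in "$1" -noout -pubkey | openssl md5)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl md5)
  [ "$csr_pub" = "$key_pub" ]
}
```

Paste the contents of the printed `.csr` file into Gandi's text box only after `verify_csr` and `csr_key_matches` both succeed.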