Renew a TLS certificate for GOV.UK
This document covers how to renew wildcard TLS certificates for
*.integration.publishing.service.gov.uk. It is a task performed
by Reliability Engineering.
Credentials for the Fastly dashboard and Zendesk support sites are in the 2nd line password store.
- Log into Gandi using the credentials in the infra password store.
- Go to the account dashboard and find the list of TLS certificates on the account.
- Find the certificate you wish to renew and click Renew. You need to
request a wildcard certificate (for example,
- Go through the steps on the renewal form until you reach a page requesting a Certificate Signing Request.
- Generate a Certificate Signing Request (CSR) for a renewal.
- Upload the CSR to Gandi by pasting the contents of the .csr file into the text box.
- Next, choose DNS validation to validate it and follow the instructions to add the relevant DNS records.
- Pay for it - we don’t have a stored payment method, so find the person with the GDS credit card.
- Once the certificate has been renewed, paste the contents of the resulting .crt file into Puppet hiera data for the relevant environment in the govuk-secrets repository.
- Deploy Puppet to update the certificate in the relevant environment.
- For staging and integration only: Go to the Fastly interface and then to Configure -> HTTPS and network. Go to TLS certificates and upload your new cert.
- For staging and integration only: In TLS domains click on more details and then select your new certificate under CERTIFICATE BEING USED.
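
The CSR step and the checks worth running on the returned .crt before it goes into hiera, as an added example (not GOV.UK's own tooling). The function names, file paths, RSA 2048 key size and 30-day validity margin are assumptions; it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example: function names, paths and key size are assumptions.
DOMAIN='*.integration.publishing.service.gov.uk'

# Generate a fresh private key and a CSR for the wildcard name.
make_csr() {  # usage: make_csr <key-out> <csr-out>
    ( umask 077   # files created here are readable by the owner only
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$1" -out "$2" -subj "/CN=${DOMAIN}" 2>/dev/null )
}

# Verify the CSR's self-signature and print its subject for review before upload.
csr_subject() {  # usage: csr_subject <csr>
    openssl req -in "$1" -noout -verify -subject 2>/dev/null
}

# SHA-256 digest of the public key held in a key, CSR or certificate file.
pubkey_fp() {  # usage: pubkey_fp key|csr|cert <file>
    pem=$(case "$1" in
        (key)  openssl pkey -in "$2" -pubout ;;
        (csr)  openssl req  -in "$2" -noout -pubkey ;;
        (cert) openssl x509 -in "$2" -noout -pubkey ;;
        (*)    false ;;
    esac 2>/dev/null) || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256
}

# Succeeds only if the certificate carries the public key of the given private
# key, its text dump mentions the wildcard name (a coarse string match), and it
# is still valid 30 days from now.
cert_ok() {  # usage: cert_ok <crt> <key>
    fp=$(pubkey_fp cert "$1") || return 1
    [ "$fp" = "$(pubkey_fp key "$2")" ] || return 1
    openssl x509 -in "$1" -noout -text | grep -qF "$DOMAIN" || return 1
    openssl x509 -in "$1" -noout -checkend $((30 * 86400)) >/dev/null
}

# Typical sequence (file names are placeholders):
#   make_csr wildcard.key wildcard.csr && csr_subject wildcard.csr
#   ...upload wildcard.csr to Gandi, download wildcard.crt...
#   cert_ok wildcard.crt wildcard.key && echo "certificate matches key"
```

A certificate that fails cert_ok against the key deployed in the environment will break TLS after the Puppet run, so run the check before committing to govuk-secrets.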