Renew a TLS certificate for GOV.UK
This document covers how to renew wildcard TLS certificates for
*.integration.publishing.service.gov.uk. It is a task performed by Reliability Engineering.
Credentials for the Fastly dashboard and Zendesk support sites are in the 2nd line password store.
- Log into Gandi using the credentials in the infra password store.
- Go to the account dashboard and find the list of TLS certificates on the account.
- Find the certificate you wish to renew and click Renew. You need to request a wildcard certificate (for example,
- Go through the steps on the renewal form until you reach a page requesting a Certificate Signing Request.
- Generate a Certificate Signing Request (CSR) for a renewal.
- Upload the CSR to Gandi by pasting the contents of the .csr file into the text box.
- Next, choose DNS validation and follow the instructions to add the relevant DNS records.
- Pay for it - we don’t have a stored payment method, so find the person with the GOV.UK credit card.
- Once the certificate has been renewed, paste the contents of the resulting .crt file into Puppet hiera data for the relevant environment in the govuk-secrets repository.
- Deploy Puppet to update the certificate in the relevant environment.
- For staging and integration only: Use Fastly’s TLS Uploader to upload the newly generated certificate and private key. You need to split the contents of the .crt file into the first certificate (the actual certificate you’ve just renewed) and everything else (the certificate chain) and upload these as separate files.
- For staging and integration only: Make a note of the reference ID returned by the TLS Uploader. Open a new ticket with Fastly support quoting the reference ID and the service ID for the Fastly service the certificate is for (such as for “Staging GOV.UK”) and asking them to make the certificate live. This process may take up to a week.
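Two of the steps above (generating the CSR, and splitting the returned .crt into the leaf certificate and the chain for Fastly's TLS Uploader) are the ones most often done by hand and most often done wrong. The following is an added example of how to script them, not code from the GOV.UK documentation or from Gandi or Fastly; the domain `*.example.test`, the file names and the sample bundle are constructed placeholders, and the CSR step assumes `openssl` is installed.

```shell
#!/bin/sh
# Added example, not from the GOV.UK docs or the Gandi/Fastly tooling.
# Helpers for two steps of the renewal runbook: generating the CSR and
# splitting the returned .crt bundle into leaf certificate and chain.
# Domain names, file names and the sample bundle are constructed placeholders.
set -eu

# Generate a new private key and a CSR with the wildcard name as CN.
# Only the .csr is pasted into Gandi; the .key stays on the box (mode 600).
# Usage: generate_wildcard_csr '*.example.test' /path/prefix
generate_wildcard_csr() {
  domain="$1"
  prefix="$2"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "${prefix}.key" -out "${prefix}.csr" \
    -subj "/CN=${domain}" 2>/dev/null
  chmod 600 "${prefix}.key"
  # Sanity check before uploading: the CSR parses and carries the wildcard CN.
  openssl req -in "${prefix}.csr" -noout -subject | grep -qF -- "${domain}"
}

# Split a PEM bundle (leaf first, then intermediates) into two files.
# Prints the number of certificates found; 0 means the input was not a bundle.
# Usage: split_pem_bundle bundle.crt leaf.pem chain.pem
split_pem_bundle() {
  awk -v leaf="$2" -v chain="$3" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n == 1 { print > leaf }
    n >= 2 { print > chain }
    END { print n + 0 }
  ' "$1"
}

# Count PEM certificate blocks in a file (prints 0 rather than failing when none).
count_certs() {
  awk '/-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# Constructed sample bundle: three PEM blocks with fake bodies, shaped like
# what a CA returns (leaf, intermediate, root). Not real certificates.
SAMPLE_BUNDLE='-----BEGIN CERTIFICATE-----
LEAFBODYPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATEBODYPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ROOTBODYPLACEHOLDER
-----END CERTIFICATE-----'

# Demonstration on the constructed bundle: expect 3 found, 1 in leaf, 2 in chain.
demo_split() {
  dir=$(mktemp -d)
  printf '%s\n' "$SAMPLE_BUNDLE" > "$dir/bundle.crt"
  found=$(split_pem_bundle "$dir/bundle.crt" "$dir/leaf.pem" "$dir/chain.pem")
  echo "certificates in bundle: $found"
  echo "leaf.pem: $(count_certs "$dir/leaf.pem"), chain.pem: $(count_certs "$dir/chain.pem")"
  rm -rf "$dir"
}
demo_split

# CSR generation only runs when openssl is available on this machine.
if command -v openssl >/dev/null 2>&1; then
  work=$(mktemp -d)
  generate_wildcard_csr '*.example.test' "$work/wildcard"
  echo "CSR written to $work/wildcard.csr (paste this into Gandi; keep the .key)"
  rm -rf "$work"
fi
```

Before uploading to Fastly, check that `leaf.pem` holds exactly one certificate and `chain.pem` holds the rest; a bundle that arrives in a different order (chain first) would put the wrong block in `leaf.pem`, which the counts alone will not catch, so also confirm the subject of the first block is the wildcard name.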