Create Manual SSL Certificate Processes
Overview
These processes are for any Ministry of Justice users (or suppliers) requiring an SSL Certificate.
There are 3 categories of certificate we use at Ministry of Justice:
- AWS Certificate Manager (ACM)/Let’s Encrypt - automated certificate management for modern cloud native software and infrastructure
- Gandi.net - where automated certificate management is not possible
Where at all practicable we should be looking to utilise automated certificate management. The MoJ Hosting Service is looking at strategies to move consumers to modern certificate management solutions.
This process specifically relates to certificates issued through Gandi.net
Tips and Need-to-knows
We are not responsible for any HMCTS owned certificates. These are typically domains in the format <application>.<environment>.hmcts.net
or <application>.<environment>.cjscp.org.uk
. For these no action is required. The contact for these certificates is the HMCTS Domains Team. That Team has access to all the shared mailboxes and gets all the same notifications for renewals.
Other teams have their own AWS Route53 accounts. These are HMCTS (hmcts.net + cjscp.org.uk) at DTSOpsConfMan@Justice.gov.uk, LAA (legalservices.gov.uk), OPG, more to be confirmed. Either the other team or our team will renew the Gandi certificate. If we do, send the CNAME validation details to the relevant team. If the other team does it they have their own Gandi process or use AWS ACM auto renewal process.
To confirm if we manage a domain, check whether the subdomain record exists in AWS as a delegation i.e. a Nameserver(NS) type record. If one exists there is a high likelihood that the management of the domain is managed by another team. For example if it states Azure that is definitely another team. Details of who manages the domain can be found in the history in the Certificates Google Group.
Try the command ‘dig -t NS
In the email ‘Re: SSL Cert query’ within the Certificates Google Group is a list of the domains that the HMCTS are responsible for.
In Gandi the SSL certs that are “No longer valid - To reissue” require a Gandi support request to remove them.
There is an operations-engineering script that runs on the first day of the month that will delete the Gandi related CNAME records from the AWS account. Be wary of this if doing a CNAME validation around that time of the month.
CNAME’s we do not process
This file is a list of SSL Certificates where the CNAME should be sent to the author of the CSR to add to their DNS systems. Gandi will generate the SSL Certificate once the CNAME validation is completed. The list will require maintenance to keep it updated with new and removed SSL Certificates where we do not carry out the CNAME validation.
Pre-requisites
Before you begin, there are a few prerequisites:
- A user account for Gandi.net
- Access to the Certificates Google group
https://groups.google.com/a/digital.justice.gov.uk/g/certificates?hl=en-GB
- Access to the Certificate Alerts Google group
- Access to Route53 in the MoJDSD AWS account
Please contact your administrator to set these up.
Requesting a new certificate via Gandi.net
Users need to complete the MoJ Hosting Service SSL Certificate Request Form and return it with the Certificate Signing Request (CSR) (and an authority email approval if not an MoJ employee e.g. 3rd party supplier) to certificates@digital.justice.gov.uk.
When the form is received, check to see if the certificate already exists in the Gandi.net portal. Sometimes requesters mix up new certs and renewals. If this is a renewal see the renewal steps in this runbook.
When the form is received, check to see if the domain associated with the request is managed in Route53 in the MoJDSD AWS account. If not, the validation step in the process will need to be carried out by the team that manages the domain. You will need to check with the requester how the 3rd party wants to carry out validation. There are 3 types of validation.
Login to Gandi.net. Go to the SSL Certificates page. To start the process click on the “Buy” button.
For the question
Where will you install your certificate?
selectSomewhere else
and then click “Next”.For the question
What type of certificate do you want?
selectStandard
.
Note - We only offer “Standard” type certificates as part of our service.
- For the question
What do you want to protect?
select the appropriate option for the request, then click “Next”. Generally we select Single address type unless multiple SAN names are provided within the CSR, if so pick Multi address type. Occassionaly a request will be for a full domain or wildcard, if so pick the Full domain type.
Note - If the request is for 9 or more addresses it may be better to request a wildcard certificate. Discuss with the requester on the best approach. If a wildcard is the best option the requester will need to supply a fresh wildcard CSR.
- Paste the CSR text into the
CSR
box. Then click “Next”.
Remember to copy the entire contents of the .csr file, including the lines containing -----BEGIN CERTIFICATE REQUEST-----
and -----END CERTIFICATE REQUEST-----
. If there are any issues with the validity of the CSR file you will be notified at this stage. These will need to be rectified before you can proceed. Abandon the process and start again with a new CSR.
If SSL certificate is a Multi address type, after copying in the CSR contents, you have to manually add the SAN names from the request form into Gandi, it does not automatically extract the information from the CSR.
Complete the checkout process. Ensure that when you get to the payment options section that you select
Pre-paid account
for the payment method.If creation has been successful two emails will be sent to the Certificate Alerts Google group. An invoice (which can be ignored), and a Validation email. Click on the link in the validation email to obtain CNAME details that will need to be added in the Hosted Zone in Route53.
Create the CNAME record in Route53 via DNS repository. Gandi.net will automatically try to pick up this CNAME to confirm that we have ownership of the domain.
Note - Any preceding “_” or trailing “.” characters in the CNAME values are extremely important for validation. Missing characters will mean that validation will not be successful.
If SSL certificate is a Multi address type, then multiple CNAME’s will be provided and need to be added to AWS
When validation is complete an email will be sent to the Certificate Alerts Google group. Click on the link in the email to visit Gandi.net and download the new certificate.
Email the certificate to the requester along with details of the expiry date, and the Gandi.net intermediate certificate (which is required for all new certificates issued after 23rd August 2023). All certificates are valid for 12 months.
Renewing an expiring certificate via Gandi.net
We will review the list of Gandi.net certificates and identify any that require renewal 4 weeks prior to expiry (we also get a notification to Certificate Alerts 29 and 14 days prior to expiry).
Email reminders requesting new CSRs for Gandi.net certificates are automatically sent out via the Operations Engineering Certificate Renewal repository to the appropriate recipients 30 days before expiry. For more information on how the email addresses are determined and how to edit them, please refer to the Configuring the Certificate Mappings File runbook.
If a reply is recieved for one of the automated emails, follow the Renewal Process. The renewal process is almost exactly the same as the new certificate request process i.e. all the email notifications and validation steps are the same.
When validation is complete an email will be sent to the Certificate Alerts Google group. Click on the link in the email to visit Gandi.net and download the renewed certificate.
Email the certificate to the requester along with details of the new expiry date, and the Gandi.net intermediate certificate (which is required for all new certificates issued after 23rd August 2023). All certificates are valid for 12 months.
There is also a comprehensive swimlane diagram of this process. To view it, you will need access to the relevant google drive.
Revoking Gandi.net certificates
Certificates will expire automatically if not renewed. If a certificate doesn’t require renewal you can leave the certificate to expire and no further action is required. You’ll receive a notification to the Certificate Alerts confirming expiry.
If a certificate needs to be revoked before the expiry date then this can be done via Gandi.net.
Note that once a certificate has expired or been revoked it cannot be reinstated. If a certificate is required the process to request a new certificate should be followed. If the certificate is being allowed to expire or revoked, it may also mean that the domain can be decommissioned in line with our domain decommissioning process (TBD).
Regenerating Certificates
There may be times when we need to regenerate a certificate due to an issue with the original CSRs that were sent over (for example, if the CSRs were sent over with the wrong level of encryption).
Note that this is a different process from renewing a certificate.
To regenerate a certificate:
Request new CSRs from the users who fulfilled the original request.
On Gandi, select the domain name we need to regenerate the certificate for and select the option to ‘Regenerate’.
Once confirmed, an email will be sent to certificates@digital.justice.gov.uk. Click the link in the email to open up the Certificate Overview (or navigate to this page via Gandi).
Next, edit the authentication method and change it from ‘Email Authentication’ to ‘DNS Authentication’.
From here you will have to repeat the original authentication method either by creating the CNAMEs in the appropriate Hosted Zone on Route53, or by forwarding the information onto the team that owns the respective Hosted Zone.
Once activated, you’ll be able to download and forward the certificates to the user as per the usual process.
Costs/Funding information
The costs for Gandi.net certificates are met centrally by Platforms & Architecture. There is no cross charge.
MoJ has a prepaid account with Gandi.net for paying for certificates.
If the account runs low a notification is sent to Certificate Alerts. If that happens speak to the Product Manager who will engage with the Demand Team to arrange additional funds.