SSL Certificate Management
Gandi.net SSL Certificates
Overview
This process is for any Ministry of Justice users (or suppliers) requiring a Gandi.net SSL Certificate.
There are two categories of certificate in use at the Ministry of Justice:
- AWS Certificate Manager (ACM) / Let’s Encrypt - automated certificate management for modern cloud native software and infrastructure
- Gandi.net - where automated certificate management is not possible
Automated Certificate Management
Wherever practicable, use automated certificate management (ACM or Let's Encrypt) rather than a manually issued certificate; automated issuance removes the private-key handling, CSR exchange and expiry-tracking steps described below.
The MoJ Hosting Service is developing a strategy to move remaining consumers to modern, automated certificate management.
Requesting a new certificate via Gandi.net
Complete the MoJ Hosting Service SSL Certificate Request Form and return it, together with the Certificate Signing Request (CSR) and, if you are not an MoJ employee (e.g. a 3rd party supplier), an email approval from your MoJ authority, to certificates@digital.justice.gov.uk.
The Operations Engineering team never handles private keys or pass-phrases for CSRs or SSL certificates. Generate the key pair on the system that will serve the certificate, keep the private key there, and send only the CSR with your request; a request that includes a private key will not be processed and the key should be treated as compromised and regenerated.
The Operations Engineering team will create and issue the new certificate, along with its expiry date (12 months from the date of issue), to the named contact given in the request form.
When the certificate is created there is a domain validation step. In most cases the team manages the DNS for the domain and will complete this step itself. Where we do not manage the domain we will contact the requestor to assist with validation before the certificate can be issued.
Should you require intermediate or root certificates please contact certificates@digital.justice.gov.uk.
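The steps above expect the requester to produce a CSR and to send nothing but that CSR. The following shell script is an added example for this page, not code from the MoJ Hosting Service or Operations Engineering: it generates the key pair and CSR locally, confirms the CSR belongs to the key being kept, and checks that the file about to be attached to the request contains no private key block. It assumes openssl 1.1.1 or later is on PATH (for `-addext`); the hostnames, file names and subject fields are illustrative.

```shell
#!/bin/sh
# Added example, not part of the MoJ Operations Engineering runbook.
# Generates the private key and CSR on the requester's machine and checks the
# file about to be attached to the request contains only the CSR.
# Assumptions: openssl 1.1.1 or later is on PATH (for -addext); the domain
# names, file paths and subject fields below are illustrative.
set -eu

# Create a 2048-bit RSA key and a CSR for CN plus any extra SAN hostnames.
# The key stays on disk here with mode 0600 and is never sent anywhere.
make_csr() {
    cn="$1"; key="$2"; csr="$3"; shift 3
    sans="DNS:$cn"
    for extra in "$@"; do sans="$sans,DNS:$extra"; done
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$key" -out "$csr" \
        -subj "/C=GB/O=Ministry of Justice/CN=$cn" \
        -addext "subjectAltName=$sans" >/dev/null 2>&1
    chmod 600 "$key"
}

# Print the SAN list embedded in a CSR (one line, comma separated).
csr_sans() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Succeed only if the CSR's public key was derived from this private key,
# i.e. the CSR really belongs to the key you are keeping.
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Succeed only if the file is a self-consistent CSR and contains no private
# key block; run this on the exact file you attach to the request email.
safe_to_send() {
    grep -q 'BEGIN CERTIFICATE REQUEST' "$1" || return 1
    if grep -q 'PRIVATE KEY' "$1"; then return 1; fi
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Usage (illustrative names):
#   make_csr example.justice.gov.uk example.key example.csr www.example.justice.gov.uk
#   csr_matches_key example.csr example.key && safe_to_send example.csr && csr_sans example.csr
```

The `safe_to_send` check is deliberately applied to the file you are about to attach rather than to the CSR you think you generated: the usual way a private key leaks into a request is by concatenating `.key` and `.csr` files, or by attaching the wrong one, and a PEM file can carry both blocks at once.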
Renewal Process for Gandi.net SSL Certificates
Email reminders requesting new CSRs for Gandi.net certificates are sent automatically by the Operations Engineering Certificate Renewal repository to the appropriate recipients 30 days before expiry.
The thresholds at which these reminders are sent can be configured via the cert_expiry_thresholds value in the configs/production.yml configuration file of that repository.
A list of the domains we manage and their respective owners can be found in the mappings.json file located in this S3 bucket.
Once a reply containing the new CSR is received, the Operations Engineering team continues with the standard request process above to initiate the renewal. As with a new request, send only the CSR; the renewed certificate will be issued against the new key pair you generated.
Revoking Gandi.net certificates
If an SSL certificate is no longer required, e.g. because a service has been decommissioned, or if its private key may have been exposed, contact certificates@digital.justice.gov.uk so that the team can revoke the certificate.
Note that once a certificate has expired or been revoked it cannot be reinstated. If a certificate is still required, follow the process above to request a new one.
Costs/Funding information
The costs for Gandi.net certificates are met centrally by Platforms & Architecture. There is no cross charge for using this service.