Updating NHS Public Key Infrastructure certificates
All health and social care organisations connecting to the NHS Spine must have a valid NHS Public Key Infrastructure (PKI) certificate in place to ensure encrypted patient data is transmitted securely.
First generation (G1) certificates are expiring in 2024.
All certificates should be updated to the second generation (G2) certificates by 2 May 2024 to avoid any loss of service.
NHS England will be making changes to our internal services in the week commencing 6 May 2024, after which the Spine and associated services will only accept and issue G2 certificates. If you have not made the required changes, you will lose service.
Information about how to do this is available below.
What is a Public Key Infrastructure and why it is important
A Public Key Infrastructure (PKI) is an essential part of the UK’s digital infrastructure. It enables secure communication over the internet using public key cryptography. This involves the use of a pair of keys: a public key and a private key.
We use a Public Key Infrastructure in the NHS. It provides digital certificates to people and systems needing to authenticate to the NHS Spine. Without a valid certificate, access to the Spine is denied.
Updating certificates and who can do this
Current NHS Public Key Infrastructure first generation (G1) certificates are due to expire on 4 June 2024. This affects all care settings that use the Spine including primary care, secondary care, urgent and emergency care, and social care.
If you are a supplier of healthcare technology, you are expected to install second-generation (G2) certificates on behalf of your customers that use the Spine to deliver NHS services.
If you are an NHS trust and you operate your own Spine-connected IT systems, such as clients for Message Exchange for Social Care and Health (MESH) and the Demographics Batch Service (DBS), you are expected to update your certificates locally.
However, the Interoperability Toolkit (ITK) endpoints for NHS 111 services are not yet ready to be updated - please do not renew until you receive further communication. You may wish to make your IT department aware so that they can begin to prepare for these important changes.
If you are an urgent and emergency care IT system supplier and you support provider organisations with peer-to-peer messaging, we expect you to update certificate trust stores and install valid digital certificates. You may wish to make your IT department aware so that they can begin to prepare for these important changes.
We recommend certificates are updated as soon as possible and before 31 December 2023. After 4 June 2024, any organisation with an invalid certificate will no longer be seen as a trusted entity. Their access to the Spine and its associated services will not be permitted. This could impact the delivery of healthcare services.
What healthcare technology suppliers can do now
- Install a new G2 issuer certificate to your trust stores alongside any instances of the existing NHS Level 1C and NHS Root Authority.
- Renew your NHS system certificate using the standard process.
- Reconfigure your web server component to accept certificates from the G2 PKI in addition to the existing NHS PKI if applicable.
- Rebuild any trust store or key store for MESH and DBS clients so that it contains both current G1 and G2 issuer certificates, and your new G2 MESH/DBS certificate.
- Test the updates using the NHS Digital Path to Live integration environment.
Applies to non-ITK endpoints only.
What NHS trusts can do now
- Install a new G2 issuer certificate to your trust stores of existing message handlers alongside any instances of the existing NHS Level 1C and NHS Root Authority. This may require certificates to be installed in multiple locations depending on each organisation’s local set-up.
- Renew your NHS system certificate using the standard process.
- Reconfigure your web server component to accept certificates from the G2 PKI in addition to the existing NHS PKI if applicable.
- Rebuild any trust store or key store for MESH and DBS clients so that it contains both current G1 and G2 issuer certificates, and your new G2 MESH/DBS certificate.
- Ensure a valid digital G2 certificate is in place which has been issued by a trusted certificate authority (CA) that meets NHS standards.
- Test the updates using the NHS Digital Path to Live integration environment.
Applies to non-ITK endpoints only.
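As an added example (not NHS England's code or tooling), the two checks behind the supplier and trust lists above, in Go: does the rebuilt trust store hold both the G1 and G2 issuers, and does the new system certificate still chain to the G2 issuer after the G1 expiry date? The issuer common names and all certificates here are constructed for the test and are not the real NHS Level 1C, NHS Root Authority or G2 issuer certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issuerCoverage reports, per wanted issuer CN, whether a CA certificate with that subject is in the store.
func issuerCoverage(store []*x509.Certificate, wanted ...string) map[string]bool {
	found := map[string]bool{}
	for _, cn := range wanted {
		for _, c := range store {
			found[cn] = found[cn] || (c.IsCA && c.Subject.CommonName == cn)
		}
	}
	return found
}

// readyAt: the system certificate still chains to the store at time `at` (use 5 June 2024, the day after the stated G1 expiry) and its issuer is the G2 CA.
func readyAt(leaf *x509.Certificate, store []*x509.Certificate, g2CN string, at time.Time) bool {
	pool := x509.NewCertPool()
	for _, c := range store {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: at})
	return err == nil && leaf.Issuer.CommonName == g2CN
}

// newCert mints a constructed test certificate (not an NHS-issued one); parent == nil gives a self-signed issuer, otherwise a leaf signed by parent with parentKey.
func newCert(cn string, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Date(2023, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter: notAfter, BasicConstraintsValid: true, IsCA: parent == nil, KeyUsage: x509.KeyUsageDigitalSignature}
	signer := parentKey
	if parent == nil { // self-signed: the issuer signs itself and is allowed to sign other certificates
		parent, signer, tmpl.KeyUsage = tmpl, key, x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```

Run the same two functions against your real PEM trust store and system certificate (parsed with x509.ParseCertificates) to confirm the rebuild before the cut-over.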
What urgent and emergency care providers can do now
This applies to NHS trusts and urgent and emergency care providers using the Interoperability Toolkit (ITK) end points to send and receive NHS 111 messages.
All ITK 111 messaging endpoints should be configured and tested to accept G2 certificates by 31 December 2023. No G2 client certificates can be used until we are sure all endpoints can trust G2 certificates.
This will allow suitable time for new certificates to be issued, plus follow-on work and troubleshooting needed before the June expiration date.
Addressing the issue within urgent and emergency care is particularly important, as critical messaging functionality will fail if action is not taken in time.
- Install a new G2 issuer certificate to your trust stores alongside any instances of the existing NHS Level 1C and NHS Root Authority.
- Reconfigure your web server component to accept certificates from the G2 PKI in addition to the existing NHS PKI.
- Test the updates by contacting the PKI Migration mailbox.
Testing
The NHS Digital Path to Live integration environment is available now for suppliers of healthcare technology, NHS trusts, and urgent and emergency care providers if they wish to test the updates before they implement these changes.
Contact us
For further support or if you have any queries, please contact [email protected].
Last edited: 1 May 2024 2:54 pm