NHS Public Key Infrastructure - G2 Certificate Technical Implementation

First generation (G1) certificates are expiring in 2024.

All certificates should be updated to the second generation (G2) certificates by 2 May 2024 to avoid any loss of service.

NHS England will be making changes to our internal services week commencing 6 May 2024, where spine and associated services will only be accepting and issuing on the G2 certificates. If you have not made the required changes, you will lose service.

Information about how to do this is available below.

Systems acting as a client

If your system functions exclusively as a client, such as Message Exchange for Social Care and Health (MESH) and the Demographics Batch Service (DBS), the update of certificates issued by the certificate authority (CA) will need to be renewed by 31 December 2023.

This deadline is to avoid large numbers of renewals when outgoing certificates expire, potentially leading to impacts on services.

There are very few instances in which a system may function purely as a server without the use of mutual Transport Layer Security (TLS).

If you feel your system falls into this category, please email [email protected] to discuss.

Systems acting as client and server

Many end points (such as synchronous and asynchronous Spine-connected systems) act as both a client and a server depending upon the business operation. These need to support mutual TLS for the new G2 certificate in the same way they support it for current NHS PKI.

In addition to presenting a G2 certificate to clients, they must also accept G2 certificates from other clients.

Systems using a common or shared trust store

Some implementations may be based around a common trust store. However, others may have separate trust stores depending upon whether they are the client or the server in any given transaction.

In the server context, an example implementation might involve installing the G2 root and subordinate CA certificates to the computer accounts Trusted Root and Intermediate CA stores respectively.

When a server requests a client certificate to complete the mutual TLS handshake, it will need to specify that it accepts certificates issued by both the outgoing NHS Level 1C authority, and the new NHS Authentication G2 authority.

Certificate downloads

Certificate Authority certificates

The required Certificate Authority (CA) certificates (.crt format) can be downloaded from the following locations:

NHS Root Authority G2 (Trusted Root)
NHS Authentication G2 (Intermediate/Subordinate)
NHS Signing G2 (Intermediate/Subordinate – only required for dispensing systems but included for completeness

If you have questions regarding any of the above, please email [email protected]. If your question relates to a specific system, please include your organisation’s nhsidcode, software version and system supplier details where possible.

Additional certificate formats

The links above provide the new G2 certificates as a .crt binary file commonly referred to as DER format. To assist users, we provide the same certificates in Base-64 encoded X.509 ASCII commonly referred to as PEM format below.

Certificates for testing

The following links provide the new G2 certificates (.crt format) for the NHS Path to Live Environment (PTL), which suppliers are encouraged to use to test their deployment process.

Other PTL environments do not yet have a G2 Authority due to the current CA lifespan. They will be updated in due course to maintain consistency across environments.

Useful resources

Guides for general operations

ARTICLE

How to import a trusted certificate into a Java keystore

A example of how to add the new G2 Root Authority certificates into an existing Java keystore so that your application will trust a G2 certificate presented by spine when your system initiates a connection.

ARTICLE

Microsoft IIS Mutual TLS

Add mandatory client certificate authentication if you have a working IIS installation with SSL/TLS enabled.

ARTICLE

How to verify your server will accept G2 certifcates

Check that you message handler will accept client certificates issued by the new G2 Certificate Authority. This test will enable you to verify that incoming connections to your message handler from external entities such as spine will be accepted.

Other online information

ARTICLE

Updating NHS Public Key Infrastructure certificates

All health and social care organisations connecting to the NHS Spine must have a valid NHS Public Key Infrastructure (PKI) certificate in place to ensure encrypted patient data is transmitted securely. First generation (G1) certificates are expiring in 2024. All certificates should be updated to the second generation (G2) certificates by 2nd May 2024 to avoid any loss of service. NHS E will be making changes to their internal services week commencing the 6th May where spine and associated services will only be accepting and issuing on the G2 certificates. If you have not made the required changes, you will lose service.

ARTICLE

NHS Public Key Infrastructure Root Certificate Authority information

Find out information about Public Key Infrastructure (PKI) used to confirm and issue digital certificates to healthcare IT systems and users across the NHS.

ARTICLE

Public Key Infrastructure documentation

The Certificate Policy and PKI Disclosure Statement for the NHS Root Certificate Authority (CA) make up the complete policy under which the NHS Root CA is operated.

ARTICLE

Spine

Spine supports the IT infrastructure for health and social care in England, Wales and Isle of Man, joining together over 44,000 healthcare IT systems in 26,000 organisations.

Contact us

For further advice, please email [email protected].

Last edited: 3 May 2024 9:17 am