NHSEngland.nhs.uk

G2 Certificate Technical Implementation

If your system functions exclusively as a client (e.g. DBS/MESH), the CA certificate update will take place at your next certificate renewal. NHS England (formerly NHS Digital) aims to complete these renewals by the end of 2023 to avoid a large number of renewals falling together when the outgoing PKI expires and service is impacted.

There are very few instances in which a system may function purely as a server without the use of mutual TLS. If you feel your system falls into this category please email dir@nhs.net to discuss.

A large number of end points (e.g. sync and async Spine-connected systems) will act as both a client and a server depending upon the business operation and will need to support mutual TLS for the new G2 PKI in the same way they currently support it for the outgoing PKI. In other words, in addition to presenting a G2 certificate to clients, they must also accept G2 certificates from other clients. Some implementations may be based around a common trust store; others may have separate trust stores depending upon whether they are the client or the server in any given transaction.

In the server context, an example implementation might involve installing the G2 root and subordinate CA certificates into the computer account's Trusted Root Certification Authorities and Intermediate Certification Authorities stores respectively.

When a server requests a client certificate to complete the mutual TLS handshake, it will need to specify (in the list of acceptable issuer names sent with its certificate request) that it accepts certificates issued by both the outgoing NHS Level 1C authority and the new NHS Authentication G2 authority.

The implementation of G2 server certificates on national systems such as Spine is expected to be the final stage of the transition, which gives the most time to migrate the current messaging estate without impacting service.

The required CA certificates can be retrieved from the following locations:

NHS Root Authority G2 (Trusted Root)
https://pki.nhs.uk/live/G2/root/NHSRootAuthorityG2.crt

NHS Authentication G2 (Intermediate/Subordinate)
https://pki.nhs.uk/live/G2/auth/NHSauthG2.crt

NHS Signing G2 (Intermediate/Subordinate - only required for dispensing systems but included for completeness)
https://pki.nhs.uk/live/G2/sign/NHSsignG2.crt

If you have questions regarding any of the above please email dir@nhs.net. If your question relates to a specific system please include your organisation's nhsidcode, software version and system supplier details where possible.


Guides for some general operations

How to import certificates into a Java keystore

How to import certificates into Windows CAPI / Trust store

How to verify your server will trust certificates from the NHS G2 PKI


Additional Certificate Formats

The links above provide the new G2 certificates as binary files, commonly referred to as DER format. To assist users, the same certificates are provided below in Base64-encoded X.509 ASCII, commonly referred to as PEM format.

NHS Root Authority G2 (Trusted Root)
NHS Root Authority G2.crt

NHS Authentication G2 (Intermediate/Subordinate)
NHS Authentication G2.crt

NHS Signing G2 (Intermediate/Subordinate)
NHS Signing G2.crt
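The following script is an added example and is not NHS England tooling; it does not touch the real NHS certificates. It builds three throw-away roots (a stand-in for the outgoing authority, a stand-in for the G2 root, and an unrelated one), issues a client certificate under the toy G2 root, and checks it against a transition trust bundle that holds both roots, which is the shape of trust store the mutual TLS section above requires. It also lists the issuer names that bundle implies a server would advertise when requesting a client certificate, round-trips a certificate between DER and PEM as described in the formats section, and shows the keytool and certutil commands for the Java keystore and Windows store imports named in the guides list. All subjects, file names and the work directory are constructed for the example; it needs openssl(1) on the path.

```shell
#!/bin/sh
# Added example, not NHS England's own tooling. Every name below is constructed.
WORK="${WORK:-$(mktemp -d)}"

# Explicit config so the self-signed roots carry basicConstraints CA:TRUE
# (openssl verify rejects a v3 root that is not marked as a CA).
write_configs() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$WORK/client.cnf" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# make_root <stem> <CN>: self-signed toy root (EC key for speed).
make_root() {
    openssl req -x509 -config "$WORK/ca.cnf" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -days 30 -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$2" 2>/dev/null
}

# issue_client <ca-stem> <leaf-stem> <CN>: client certificate signed by a toy root.
issue_client() {
    openssl req -new -config "$WORK/ca.cnf" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$3" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 30 -extfile "$WORK/client.cnf" -out "$WORK/$2.pem" 2>/dev/null
}

build_toy_pkis() {
    write_configs
    make_root outgoing-root "Toy Outgoing Root (stand-in for NHS Level 1C)"
    make_root g2-root "Toy G2 Root (stand-in for NHS Root Authority G2)"
    make_root unrelated-root "Toy Unrelated Root"
    issue_client g2-root g2-client "client issued under toy G2"
    issue_client unrelated-root rogue-client "client issued elsewhere"
    # Transition trust bundle: the outgoing root AND the new root, side by side.
    cat "$WORK/outgoing-root.pem" "$WORK/g2-root.pem" > "$WORK/transition-bundle.pem"
}

# verify_against_bundle <leaf-stem>: prints OK or FAIL, mirroring the decision a
# server with this trust store would make for that client certificate.
verify_against_bundle() {
    if openssl verify -CAfile "$WORK/transition-bundle.pem" "$WORK/$1.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# list_bundle_subjects: the issuer names a server would advertise when requesting
# a client certificate, one per CA in the bundle.
list_bundle_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$WORK/transition-bundle.pem" \
        | openssl pkcs7 -print_certs -noout | sed -n 's/^subject=//p'
}

# der_pem_roundtrip <stem>: the published .crt files are DER; convert PEM -> DER
# -> PEM -> DER and print 1 when the DER bytes come back unchanged.
der_pem_roundtrip() {
    openssl x509 -in "$WORK/$1.pem" -outform DER -out "$WORK/$1.der"
    openssl x509 -in "$WORK/$1.der" -inform DER -out "$WORK/$1.rt.pem"
    openssl x509 -in "$WORK/$1.rt.pem" -outform DER -out "$WORK/$1.rt.der"
    if cmp -s "$WORK/$1.der" "$WORK/$1.rt.der"; then echo 1; else echo 0; fi
}

# Imports for the real G2 files on a production host (not run here):
# Java truststore via keytool, Windows machine stores via certutil
# ("Root" = Trusted Root Certification Authorities, "CA" = Intermediate).
import_java_truststore() {   # <truststore.jks> <cert.crt> <alias>
    keytool -importcert -noprompt -trustcacerts -keystore "$1" -file "$2" -alias "$3"
}
import_windows_store() {     # <Root|CA> <cert.crt>   (run in an elevated prompt)
    certutil -addstore -f "$1" "$2"
}

build_toy_pkis
echo "g2-client:    $(verify_against_bundle g2-client)"
echo "rogue-client: $(verify_against_bundle rogue-client)"
echo "CA names a server with this bundle would advertise:"
list_bundle_subjects
echo "DER/PEM round trip intact: $(der_pem_roundtrip g2-root)"
```

The rogue client fails because its issuer is not in the bundle, exactly the outcome a server should produce for a certificate from an unrecognised authority; the toy G2 client passes only because the bundle was built with both roots. Set WORK to keep the generated files for inspection instead of a temporary directory.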


Certificates for Testing

The following links provide the new G2 certificates for the PTL INT (Integration) environment, which suppliers are encouraged to use to test their deployment process.

NHS INT Root Authority G2 (Trusted Root)
NHS INT Root Authority G2.crt

NHS INT Authentication G2 (Intermediate/Subordinate)
NHS INT Authentication G2.crt

NHS INT Signing G2 (Intermediate/Subordinate)
NHS INT Signing G2.crt

Please note: other PTL environments do not yet have a G2 authority because of the current CA lifespan. They will be updated in due course to maintain consistency across environments.