Once you have successfully imported the new G2 certificates into the trust store of your message handler, test that it will accept client certificates issued by the new G2 Certificate Authority. The following test lets you verify that incoming connections to your message handler from external entities such as Spine will be accepted.
Replace "%Your_MHS_URL%" with the URL of your message handler, or with localhost if you are running the test from the message handler itself.
OpenSSL is installed by default on many modern operating systems and is freely available to download if your system does not have it.
The command initiates a connection to your message handler, so it must be run from a system that has direct access via port 443, or on the message handler itself. If required, you can test connectivity using telnet to verify that a socket can be opened.
The detail required is listed under "Acceptable client certificate CA names". You should see the following certificate authorities:
/O=NHS/OU=CA/CN=NHS Root Authority
/O=nhs/OU=CA/CN=NHS Level 1C
/C=GB/O=NHS/OU=CA/CN=NHS Root Authority G2
/C=GB/O=nhs/OU=CA/CN=NHS Authentication G2
You may see other certificate authorities in addition to the above.
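The check described above can be scripted. The following is an added example, not part of the original guidance: it reads openssl s_client output, extracts the "Acceptable client certificate CA names" list and reports which of the four expected authorities are missing. The function names, the sample outputs and the placeholder host are assumptions made for illustration; the s_client invocation in the comment is one common way to produce the input, not necessarily the command this page originally gave.

```shell
#!/bin/sh
# Added example. CA names are from the page; the sample outputs are constructed.
EXPECTED_CAS='/O=NHS/OU=CA/CN=NHS Root Authority
/O=nhs/OU=CA/CN=NHS Level 1C
/C=GB/O=NHS/OU=CA/CN=NHS Root Authority G2
/C=GB/O=nhs/OU=CA/CN=NHS Authentication G2'

# Read openssl s_client output on stdin and print the DNs listed under
# "Acceptable client certificate CA names", normalised to /K=V/K=V form.
# Handles both "/O=NHS/OU=CA/..." and "O = NHS, OU = CA, ..." layouts.
advertised_cas() {
    awk '
        /^Acceptable client certificate CA names/ { grab = 1; next }
        grab && !/=/ { grab = 0 }   # first non-DN line ends the list
        grab {
            gsub(/^[ \t]+|[ \t]+$/, "")
            gsub(/[ \t]*=[ \t]*/, "=")
            if ($0 !~ /^\//) { gsub(/,[ \t]*/, "/"); $0 = "/" $0 }
            print
        }'
}

# Print every expected CA that the server did not advertise (empty = pass).
missing_cas() {
    found=$(advertised_cas)
    printf '%s\n' "$EXPECTED_CAS" | while IFS= read -r ca; do
        printf '%s\n' "$found" | grep -Fxq -- "$ca" || printf '%s\n' "$ca"
    done
}

# Constructed sample: a server whose trust store lacks the G2 authorities.
sample_without_g2() { cat <<'EOF'
---
Acceptable client certificate CA names
/O=NHS/OU=CA/CN=NHS Root Authority
/O=nhs/OU=CA/CN=NHS Level 1C
Client Certificate Types: RSA sign, DSA sign
---
EOF
}

# Live use (placeholder host, assumed invocation):
#   openssl s_client -connect mhs.example.invalid:443 </dev/null 2>/dev/null | missing_cas
echo "Missing from the constructed sample:"
sample_without_g2 | missing_cas
```

An empty result from missing_cas means all four authorities were advertised. The comparison is case-sensitive, so O=NHS and O=nhs are treated as distinct, as in the list above.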
Below is an example test using a connection to Spine's pds-sync.national.ncrs.nhs.uk. It DOES NOT currently support client certificates from G2, so they are not present in the list, but they will be added shortly.