Get certificates

To use the Integration environment, you must generate self-signed certificates for your Verify Service Provider (VSP). You must generate separate self-signed certificates for:

  • encryption
  • signing

Generating self-signed certificates

Use your preferred method to generate a new private key and self-signed certificate pair.

Make sure the private key is PKCS #8 formatted and PEM encoded.

The self-signed certificate must be:

  • valid for one year
  • in X.509 format and PEM encoded

See an example
You can use OpenSSL to generate your keys and self-signed certificates. Most Linux distributions and macOS versions have OpenSSL installed.

Generate your private key and self-signed certificate:

openssl req -x509 -newkey rsa:2048 -days 365 -nodes -sha256 \
   -keyout <private-key>.key -out <certificate>.crt

The terminal will prompt you for information. You must provide a Common Name. All other information is optional.

The Common Name is the part of the certificate metadata that helps you identify that certificate more easily. You can use the Common Name to check you’ve uploaded the right certificate when using the GOV.UK Verify Manage certificates service.

There is no mandatory naming convention for Common Name, but it’s useful during troubleshooting if you include the:

  • name of your service
  • name of the component the certificate is for
  • environment name you generated the certificate for
  • certificate type
  • version number for your certificate

Common Name must not contain underscores.

For example, the common name could be Universal-Credit-MSA-integration-signing-01.
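
The script below is an added example, not part of the original guidance or GOV.UK Verify's own tooling. It runs the OpenSSL command above non-interactively for a signing pair and an encryption pair, then checks each pair against the requirements on this page. The service name, file names, Common Name values and the use of -subj are assumptions.

```shell
#!/bin/sh
# Added example, not GOV.UK Verify code. Names and CN pattern are assumptions.
umask 077   # key files created below are readable by their owner only

# gen_pair <common-name> <basename>: the page's command, made non-interactive
gen_pair() {
    case $1 in
        *_*) echo "Common Name must not contain underscores: $1" >&2; return 1 ;;
    esac
    openssl req -x509 -newkey rsa:2048 -days 365 -nodes -sha256 \
        -subj "/CN=$1" -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

# check_pair <basename>: confirm the files meet the page's requirements
check_pair() {
    # Private key: PEM encoded, unencrypted PKCS #8
    head -n 1 "$1.key" | grep -qx -e '-----BEGIN PRIVATE KEY-----' || return 1
    # Certificate: PEM encoded X.509 that parses
    openssl x509 -in "$1.crt" -noout 2>/dev/null || return 1
    # Validity: more than 364 days left, but expired 366 days from now
    openssl x509 -in "$1.crt" -noout -checkend $((364 * 86400)) >/dev/null || return 1
    if openssl x509 -in "$1.crt" -noout -checkend $((366 * 86400)) >/dev/null
    then return 1; fi
    # Key and certificate belong together: public keys must be identical
    [ "$(openssl pkey -in "$1.key" -pubout)" = \
      "$(openssl x509 -in "$1.crt" -noout -pubkey)" ]
}

# Constructed run: one pair each for signing and encryption
out=$(mktemp -d)
for purpose in signing encryption; do
    gen_pair "Example-Service-VSP-integration-$purpose-01" "$out/vsp-$purpose" &&
        check_pair "$out/vsp-$purpose" && echo "ok: $out/vsp-$purpose.{key,crt}"
done
```

Because -nodes writes the private key unencrypted, move the generated .key files into the storage described in the next section as soon as they are created.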

Storing private keys

You must store private key files in a secure environment. Typical controls include:

  • restricting private key access to approved staff
  • storing files in encrypted format
  • storing files offline, for example, on an encrypted USB memory stick kept in a safe
  • never sharing private keys outside the environment where you created them

For more information, see the guidance from the National Cyber Security Centre (NCSC).