We rotate the GovWifi certificate every year.
The actual rotation is handled by the SREs (Site Reliability Engineers).
How To Purchase A New Certificate
In-depth information on how to purchase new certificates, generate keys and validate the certificate files can be found here. The document contains sensitive information, so you will need to be a verified member of the GovWifi team in order to access it.
How To Rotate The Certificates On The Radius Servers
You will need to renew the certificate with our provider (currently this is Digicert; see the previous section for instructions on how to do this). Once you have the new certificate files, upload them to this location under their appropriate environments.
To copy the new certificate files to the GovWifi Radius servers you will need to run the Codebuild “sync-certs” job, the code for which is found here: https://github.com/alphagov/govwifi-terraform/tree/master/govwifi-sync-certs
The job takes the encrypted certificate files which are currently stored here and copies them to an S3 bucket starting with the prefix “frontend-cert-”. When the Radius ECS tasks start up, they copy the certificate files directly from S3.
To run the sync certs job follow the instructions below:
- Log into the AWS account that contains the Radius servers that you are updating.
- Ensure you are either in the London (eu-west-2) or Ireland (eu-west-1) regions.
- Click this link to take you to the “Codebuild” section.
- Search for the term “sync-certs” under “Build projects” and select the “govwifi-codebuild-sync-certs” project.
- Click the “Start Build” button.
- Wait for the job to finish running.
- After it succeeds, restart the Radius servers in that region so they can pick up the newly uploaded certificate.
- Run the smoke-tests (full instructions on how to do this can be found here).
- Repeat this process in the other region, if you wish to release the new certificates there.
A separate sync-certs job exists for each of our two GovWifi regions (eu-west-1 and eu-west-2). This allows us to test the effects of a certificate change in one region only, and is very useful for network administrators when they are testing their configurations.
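Before uploading renewed files and running the sync job, it is worth checking that the certificate parses, that the private key actually belongs to it, and that it is not already close to expiry, and recording the fingerprint that the product pages and sign-up email quote. The script below is an added example, not code from the GovWifi repositories; it assumes the unencrypted PEM certificate and key are available locally and that openssl is installed.

```shell
#!/bin/sh
# Constructed pre-upload check for a renewed RADIUS server certificate
# (hypothetical helper, not part of the govwifi-terraform sync-certs job).
# Usage: check_cert_bundle cert.pem key.pem [min_days_remaining]
MIN_DAYS_DEFAULT=30

# Print the SHA-256 fingerprint (the "thumbprint" quoted to end users) of a PEM cert.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Return 0 only if the cert parses, the private key matches it, and it is valid
# for at least min_days more. Prints the fingerprint on success, an error otherwise.
check_cert_bundle() {
    cert=$1; key=$2; min_days=${3:-$MIN_DAYS_DEFAULT}
    # 1. The certificate file must be a parseable X.509 PEM.
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "ERROR: $cert is not a valid PEM certificate" >&2; return 1
    fi
    # 2. The key must belong to this certificate: compare the public keys
    #    derived from each side rather than trusting file names.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "ERROR: $key does not match $cert" >&2; return 1
    fi
    # 3. Refuse a certificate that expires within min_days (-checkend takes seconds).
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "ERROR: $cert expires within $min_days days" >&2; return 1
    fi
    echo "OK: $cert matches $key; SHA-256 fingerprint $(cert_fingerprint "$cert")"
}
```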
Update the product pages
When the rotation is done, we need to update the following things.
The product pages mention the certificate GovWifi uses in text and screenshots.
You can find and update this content in the product pages repo on Github.
Update the email template
When new end users sign up, they receive an email. The email includes certificate details like the issuer and thumbprint.
You can find and update the template in Notify.