Versions Compared

Version Old Version 1 New Version 2
Changes made by

Tim Whitlock

Tim Whitlock

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Added information on how to generate new CSR for certificate creation for DBS service

...

Issues occur when the scheduled jobs stop or less frequently the DBS certificate expires. This last happened in October 2020 and the not from NHS digital said "Normally these certificates expire after 3 years, but due to the sub CA expiring early so will this one , on the 27th June 2022"

Expand
titleCertifcate Instructions Supplied by NHSDigital for renewal

Organisation ASID: 834424843011
Organisation ID: RVJ
Organisation Name: NORTH BRISTOL NHS TRUST
FQDN: dbs-RVJ.nbt.nhs.uk

You can download the client (not required for certificate renewal) and associated documentation from http://nww.hscic.gov.uk/demographics/dbs/guidance

As this is a certificate renewal, you will need to backup the keystore to a different location (just in case) and then delete everything in the keystore directory apart from the root and newsubCA files, then as per section 5.3 of the installation guide you will need to run the following command, from the command prompt, whilst in the [DBS2_APP_HOME] directory, you can copy and paste it into the command prompt as we have pre-filled it for you:

keystore-tool.bat Generate_CSR dbs-RVJ.nbt.nhs.uk EDT.csr

This will create the certificate signing request in the [DBS2_APP_HOME]\keystore directory as EDT.csr. Please send the EDT.CSR file to the DIR team (DIR@nhs.net) and include your ODS (site code) with the subject heading of DBS certificate renewal. We will then return a certificate which should be saved to the [DBS2_APP_HOME]\keystore directory with a name of servercert.cer

You can then run the 3 import commands as per the guide, again whilst in the root of the [DBS2_APP_HOME] directory, please note that they must be run in the order below:-

1) keystore-tool.bat Import_CA_Cert rootca.der ca_cert

2) keystore-tool.bat Import_CA_Cert newsubca.der subca_cert

3) keystore-tool.bat Import_Signed_Cert servercert.cer


If you wish to re-download the Root and SubCA certificates, rather than re-use them please note that the link for the root and subCA certificates in the installation guide is no longer valid, please use https://esw.national.ncrs.nhs.uk/esw/ (Please include the final / after the esw or it will fail). The install SUBCA link will download a file called subca.der, this needs renaming to newsubca.der before running the import commands. If using Internet explorer please note that it sometimes save the certificates with a CER extension rather than DER, before running the import commands please ensure that the both the RootCA and NewSubca have the DER extension whilst the Servercert has the CER extension.


Documentation on the software used can be found here http://nww.hscic.gov.uk/demographics/dbs/guidance/ 

...