Step 6
The DIR team will reply with the certificate.
Using Notepad, save the certificate by pasting the whole certificate, including the “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” lines, into the file c:\MESH-APP-HOME\KEYSTORE\mesh.crt
Step 7
To download the Spine Root certificate, navigate to the NHS Certificate Services interface.
Right-click the “view here” link beside “View Root CA in Base-64 ASCII” and download the file as NHS_Root_Authority.txt. Rename this file rootca.pem and copy it to the MESH keystore folder.
Save the certificate in the <MESH-APP-HOME>\keystore directory with the default name of rootca.pem
Step 8
To add the root certificate to the Keystore (this creates the Truststore), type the following command:
keytool -importcert -file c:\MESH-APP-HOME\KEYSTORE\rootca.pem -alias rootca -keystore c:\MESH-APP-HOME\KEYSTORE\MESH.keystore
The command will prompt for the keystore password and confirm you trust this certificate. Enter “yes” to trust the certificate.
Step 9
To download the Spine SubCA certificate, navigate to the NHS Certificate Services interface and right-click the “view here” link beside “View NHS Level 1C in Base-64 ASCII (PEM)”. Download the file as NHS_Level_1C.txt, rename it subca.pem and copy it to the MESH keystore folder.
Save the certificate in the <MESH-APP-HOME>\keystore directory with the default name of subca.pem.
Step 10
To add the SubCA certificate to the Keystore (Truststore), type the following command:
keytool -importcert -file c:\MESH-APP-HOME\KEYSTORE\subca.pem -alias subca -keystore c:\MESH-APP-HOME\KEYSTORE\MESH.keystore
The command will prompt for the keystore password and confirm you trust this certificate. Enter “yes” to trust the certificate.
Step 11
To add the MESH client certificate to the Keystore, type the following command:
keytool -importcert -trustcacerts -alias meshclient -file c:\MESH-APP-HOME\KEYSTORE\mesh.crt -keystore c:\MESH-APP-HOME\KEYSTORE\MESH.keystore
The command will prompt for the keystore password and confirm you trust this certificate.
Enter “yes” to trust the certificate.
Step 12
To verify the keystore contents, type the following command and enter the password:
keytool.exe -list -keystore c:\MESH-APP-HOME\KEYSTORE\MESH.keystore
Enter keystore password:
Try the same command again, but press Enter at the password prompt instead of entering the password.
The command should list the three certificates added to the keystore; if it does not, the keystore won't work:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
rootca, 03-May-2016, trustedCertEntry,
Certificate fingerprint (SHA1):
EC:7A:3B:3C:B7:95:EC:E9:56:C5:A7:BE:C4:20:4A:29:8F:EB:23:6C
subca, 03-May-2016, trustedCertEntry,
Certificate fingerprint (SHA1):
B0:1F:20:80:4D:DB:F5:84:E4:47:77:87:3D:1C:83:40:0C:25:6B:C3
meshclient, 03-May-2016, PrivateKeyEntry,
Certificate fingerprint (SHA1):
04:47:30:E9:67:EA:D9:F0:87:F5:AA:2C:E7:5D:CC:4C:4C:5B:93:9C
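Steps 8, 10 and 11 each ask you to answer “yes” at the “Trust this certificate?” prompt, and Step 12 shows the SHA1 fingerprints keytool prints afterwards. The following Python script is an added example, not part of the NHS guidance or the MESH client, for checking a PEM file before it goes into the keystore: it confirms the BEGIN/END markers are the exact five-dash form keytool accepts (a hand-edited mesh.crt often ends up with spaces in them), confirms the base64 body decodes to a complete DER SEQUENCE (a truncated paste from an email fails here), and prints the SHA1 and SHA256 fingerprints in keytool's colon-separated format so you can compare them with the value you expect before trusting the certificate. It also ignores the “Bag Attributes” and “subject=” lines that openssl pkcs12 writes before a certificate block. The sample PEM embedded at the bottom is a constructed minimal DER structure, not a real certificate; all file names are assumptions.

```python
import base64
import binascii
import hashlib
import re
from typing import List, Optional

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# Matches the body between well-formed markers. Text outside the markers
# (e.g. the "Bag Attributes" / "subject=" lines openssl pkcs12 writes) is ignored.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def fingerprint(der: bytes, algorithm: str = "sha1") -> str:
    """Hash the DER bytes and format the digest the way keytool -list prints it."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _der_total_length(der: bytes) -> int:
    """Return header length + declared content length of the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE, so it is not a certificate")
    first = der[1]
    if first < 0x80:                      # short form: a single length byte
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or len(der) < 2 + n:
        raise ValueError("malformed DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def extract_certificates(pem_text: str) -> List[bytes]:
    """Return the DER bytes of every CERTIFICATE block in pem_text, validating each one."""
    if BEGIN not in pem_text and "BEGIN CERTIFICATE" in pem_text:
        raise ValueError("markers must be exactly five dashes with no spaces, e.g. " + BEGIN)
    bodies = PEM_BLOCK.findall(pem_text)
    if not bodies:
        raise ValueError("no " + BEGIN + " block found")
    certs = []
    for body in bodies:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError) as exc:
            raise ValueError("certificate body is not valid base64: %s" % exc) from exc
        declared = _der_total_length(der)
        if declared != len(der):
            raise ValueError("DER length mismatch (declared %d bytes, got %d): "
                             "the paste is truncated or has extra data" % (declared, len(der)))
        certs.append(der)
    return certs


def check_certificate(pem_text: str, expected_sha1: Optional[str] = None) -> dict:
    """Validate a PEM file and report its fingerprints. Never raises; see result['error']."""
    result = {"ok": False, "error": None, "count": 0, "sha1": None, "sha256": None,
              "matches_expected": None}
    try:
        certs = extract_certificates(pem_text)
    except ValueError as exc:
        result["error"] = str(exc)
        return result
    der = certs[0]                        # keytool -importcert uses the first block
    result.update(ok=True, count=len(certs),
                  sha1=fingerprint(der, "sha1"), sha256=fingerprint(der, "sha256"))
    if expected_sha1 is not None:
        # Accept the expected value with or without colons, any case.
        wanted = re.sub(r"[^0-9A-F]", "", expected_sha1.upper())
        result["matches_expected"] = wanted == result["sha1"].replace(":", "")
    return result


# Constructed sample: a minimal DER SEQUENCE (not a real certificate) wrapped in PEM,
# plus a deliberately truncated copy of the same structure.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = BEGIN + "\n" + base64.b64encode(SAMPLE_DER).decode() + "\n" + END + "\n"
TRUNCATED_PEM = BEGIN + "\n" + base64.b64encode(SAMPLE_DER[:-1]).decode() + "\n" + END + "\n"

if __name__ == "__main__":
    import sys
    # Usage (assumed paths): python check_pem.py c:\MESH-APP-HOME\KEYSTORE\rootca.pem [expected-sha1]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_PEM
    expected = sys.argv[2] if len(sys.argv) > 2 else None
    for key, value in check_certificate(text, expected).items():
        print("%-17s %s" % (key + ":", value))
```

Run it against rootca.pem and subca.pem before Steps 8 and 10, and against mesh.crt before Step 11; the SHA1 value it prints should be the one keytool shows in Step 12, and the SHA256 value is what newer keytool versions print instead.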
Step 13
You now have your certificate to access MESH. To continue MESH installation, please refer back to our MESH client installation guidance.
For MESH API users only
Your installation of the MESH certificate, onto systems that utilise the MESH Server API, depends on how your system is configured. This is why we recommend you have technical support for this type of MESH access.
The certificate request process is a subset of the steps used to request a MESH client certificate, detailed above.
To generate the private key and the CSR to submit to the National Service Desk, follow the steps above. Ensure you use a slightly different Common Name naming convention for API use: Identifier.ODScode.api.mesh-client.nhs.uk.
Your ODS code is a unique code given to all health and social care services. If not already known, it may be found via the ODS portal which requires HSCN/N3 access.
The identifier is client specific and will not be verified as part of the MESH client authentication. If this mailbox is in addition to the original mailbox set up on installation, we advise checking with the MESH client installer in case they have a preference.
The returned email from the DIR team will comprise the certificate in PEM format. This can then be installed in the client application.
Depending on how the client system authenticates to the MESH server, the Root CA and Sub CA certificates may also need to be installed in the client application. These can be downloaded from the NHS Certificate Service website.
If the private key for the certificate is required, it can be exported from the Keystore into a PKCS12 file using the following command; you will be asked to choose a password for the exported file:
keytool -importkeystore -srckeystore c:\MESH-APP-HOME\KEYSTORE\MESH.keystore -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias meshclient
The command will prompt for the password for the output file and the Keystore password.
The certificate and private key in the PKCS12 file can be converted to PEM format using the openssl command. To export the certificate:
openssl pkcs12 -in keystore.p12 -nokeys -out cert.pem
and to export the unencrypted private key:
openssl pkcs12 -in keystore.p12 -nodes -nocerts -out key.pem