Skip to main content

Connect to a Path to Live environment

NHS Digital provides a number of Path to Live testing and training environments. These are available for suppliers to use when integration testing products against the national systems such as Spine and NHS e-Referral System (e-RS). This page describes the process you should follow to successfully connect to these environments.

How to connect to Opentest

Opentest is a standalone environment, separate from the other Path to Live environments.

Requests for access and a connection pack should be made to

How to connect to e-RS Train2

The e-RS Train2 environment is a standalone, internet-facing environment that allows organisations to perform most e-RS referral and provider functions for training purposes. It is a closed environment which does not have any connections to Spine. Spine functionality is simulated in the environment. 

Requests for access should be made to

How to connect to other Path to Live environments

There are several steps you need to follow to connect to the Path to Live environments:

Development - for early phase testing

Integration - for integration testing

Deployment - for user acceptance testing

Training - for training users in Spine and e-RS applications and processes

The following diagram describes the steps you will need to take to connect if you have not already got a connection.

Flow diagram explaining the steps involved with connecting to an environment (the steps are described as text beneath the image)

Each step is explained below in full:

Health and Social Care Network (HSCN) connection

To connect to any of the Path to Live environments, except Opentest, you will need to have an HSCN connection (this replaced N3). Contact a Consumer Network Service Provider (CN-SP) if you do not already have one - further information can be found on the HSCN pages. NHS Digital are unable to advise which CN-SP would be the most suitable for your needs.

If you already have a connection you must check that the Virtual Internet Protocol (VIP) addresses and Uniform Resource Locators (URLs) used to connect to a test environment are correctly configured on your firewall. These settings are provided on the relevant environment pages.

It is the responsibility of the CN-SP to maintain your connectivity to a service. You should contact your CN-SP in the first instance if you have any problems with your connection. 

Test data requirements

You will need to request organisation data, user data and smartcards as well as PDS patient data if your testing requires this.

Please contact the test data team to discuss your requirements.


Endpoint request

Register your Message Handler Server (MHS)

You will need to register your MHS with the Spine (referred to as endpoint registration or EPR). Spine endpoints need to be created to send messages between your MHS and Spine.

To register your MHS with the Spine, complete the combined Endpoint and Service Registration form (opens in a new window).

This form is used to request the necessary certificates, Party Key and/or Accredited System ID (ASID) creation. It also includes options to create or renew certificates used for messaging and/or to request changes to an existing registration.

Certificate only

You will need to provide your Fully Qualified Domain Name (FQDN). The FQDN should conform to the DNS Naming Schema for Spine endpoint sites. You will also need to provide a certificate signing request (CSR) where the Common Name (CN) is the FQDN.

Service registration

You will need to provide information relating to your MHS. The information needed will depend on whether your request is for a new registration or an amendment to an existing registration. It may include:

  • test ODS code provided following your request for test data
  • ODS organisation name
  • MHS name
  • details of your messaging product
  • source IP address
  • URL binding(s)
  • existing Party Key / ASID details (if you are amending an existing registration)

You will receive registration details and/or an End Point Certificate.

If you need assistance or will be creating endpoints on a regular basis, email

Having a valid product

You may need to register your messaging product. The Spine Endpoint Registration System maintains a database of supplier’s products and product versions together with the set of message interactions they have been accredited to send or receive. This simplifies the endpoint registration process because once a product has been registered any endpoints registered as using the product automatically inherit the registered set of message interactions associated with the product.

The MPV form is used to register the initial product details and is termed the Manufacturer Product Version (MPV) registration. The form can only be used for setting up new product versions. It is not possible to make changes to the message set definition for existing products.

You will need to provide the message sets that are used by your product and confirm that the product meets the entry criteria for the required environment. These criteria are outlined in the entry criteria below.

DNS registration

You will need to register your DNS name with the DNS team (opens in a new window) and provide your inbound IP address and associated FQDN.

The FQDN must conform to the DNS Naming Schema for Spine endpoint sites.

Download Identity Agent (IA) Client

Download and install the Identity Agent Client software on to the PCs that will be used in testing.

Change your registry settings to point to the specific environment you are connecting to. Registry setting files can be obtained from the relevant Environment pages.

Entry criteria to the Path to Live environments


Only test data is required to use the development environments:


There are a number of requirements before a product can be accepted into the integration environments:

  • 95% or more (or other apporved percentage) pass from Systems Test
  • no outstanding severity 1 or severity 2 defects 
  • system test report available (approval may also be a requirement) 
  • release documentation available
  • TKW visual validator message completed and validation report submitted
  • design and System Test ATP awarded - established system of choice (ESP) and GP system of choice (GPSoC) only
  • a test readiness review has taken place (LSP only) 


In the deployment environments:

  • test data is required
  • the messaging production must have successfully passed the integration phase of testing
  • the product may also be in the production environment


In the training environments:

  • test data is required
  • the messaging production must have successfully passed the integration phase of testing
  • the product may also be in the production environment


In the opentest environment:

  • only test data is required
  • there are no Care Identity Service (CIS) NHS e-Referral Service (e-RS) instances 

Non-functional test

In the non-functional test environment:

  • only test data is required
  • there are no Care Identity service (CIS) NHS e-Referral Service (e-RS) instances

MESH Exchange for Social Care and Health (MESH)

Guidance on what information is required to create a MESH mailbox is available here 

There are a number of methods of connecting to  MESH that are available to users in the PTL environments. Each method has slightly different connection requirements and these are listed below

MESH client  over HSCN

  1. Mailbox created at a testing organisation you have been assigned.
  2. Download the predefined MESH client keystore and password from the appropriate environment page on this website. This keystore contains all the required certificates for MESH in the PTL environments.  The keystore passwords are provided below
  3. Messaging URL is msg.[env]

Note: In Live, users will need to create the keystore and password

MESH Client over the internet

As above except they would point to the msg.[env] URL

Note . Using the MESH client over the internet requires a SHA2 keystore. Only the the integration environment still supports SHA1 keystores, all other PTL environments use SHA2 already.


  1. Mailbox created at a testing organisation you have been assigned.
  2. Smartcard or 2FA. If accessing the UI from HSCN, a  NHS smartcard must be used. The role on the card is not important, you just must have card. If accessing UI over the internet you need to user 2FA. 
  3. They will also need to be setup in Moles for access to the their mailbox

MESH API over the internet

  1. Mailbox created at a testing organisation you have been assigned.
  2. Endpoint cert from the appropriate PTL environment
  3. Shared key. This is set as 'BackBone' for all PTL environment
  4. Point to msg.[env] URL. 
  5. You will need to download and install the Spine root and SubCA certificates from the appropriate environment webpages


As above but point to msg.[env] URL

Keystore Passwords

Spine2Int - Integration

Spine2Dev - Development

Spine2Dep - Deployment

Spine2Train - Train


MESH Guidance hub has the current installation and user guides

MESH API guidance is available here

Please note the installation guides ask you use the certificate enrolment tool to create a certificate and keystore. This is not required in PTL. Please use the predefined keystores that are available for the environments pages on this website.

Testing Organisations

For users of MESH a mailbox will be required. For testing purposes these should be at testing organisations you own. If you do not have any testing organisations, please contact out test data team ( to organise one.

Last edited: 4 February 2021 2:53 pm