
Updating NHS Public Key Infrastructure certificates

All health and social care organisations connecting to the NHS Spine must have a valid NHS Public Key Infrastructure (PKI) certificate in place to ensure encrypted patient data is transmitted securely. First-generation (G1) certificates are expiring in 2024. We recommend updating them to second generation (G2) certificates by 31 December 2023 to avoid any loss of service. Information about how to do this is available below.

What is a Public Key Infrastructure and why it is important

A Public Key Infrastructure (PKI) is an essential part of the UK’s digital infrastructure. It enables secure communication over the internet using public key cryptography. Each participant holds a pair of keys: a public key, which can be shared freely, and a private key, which must be kept secret. A digital certificate binds a public key to the identity of a person or system and is signed by a certificate authority (CA) that the other party already trusts, so that identity can be verified before any patient data is exchanged.

We use a Public Key Infrastructure in the NHS. It provides digital certificates to people and systems needing to authenticate to the NHS Spine. Without a valid certificate, access to the Spine is denied.


Updating certificates and who can do this

Current NHS Public Key Infrastructure first-generation (G1) certificates are due to expire on 4 June 2024. This affects all care settings that use the Spine including primary care, secondary care, urgent and emergency care, and social care.

If you are a supplier of healthcare technology, you are expected to install second-generation (G2) certificates on behalf of your customers that use the Spine to deliver NHS services.

If you are an NHS trust and you operate your own Spine-connected IT systems, such as clients for Message Exchange for Social Care and Health (MESH) and the Demographics Batch Service (DBS), you are expected to update your certificates locally. You may wish to make your IT department aware so that they can begin to prepare for these important changes.

If you are an urgent and emergency care IT system supplier and you support provider organisations with peer-to-peer messaging, we expect you to update certificate trust stores and install valid digital certificates. You may wish to make your IT department aware so that they can begin to prepare for these important changes.

We recommend certificates are updated as soon as possible and before 31 December 2023. After 4 June 2024, any organisation with an invalid certificate will no longer be seen as a trusted entity. Their access to the Spine and its associated services will not be permitted. This could impact the delivery of healthcare services.


What healthcare technology suppliers can do now

As soon as possible and before 31 December 2023, we recommend you:
  • Install the new G2 issuer certificate into your trust stores alongside any instances of the existing NHS Level 1C and NHS Root Authority certificates. Do not remove the existing issuers until the transition is complete, because peers will continue to present G1 certificates until they have renewed.
  • Renew your NHS system certificate using the standard process.
  • Reconfigure your web server component to accept certificates from the G2 PKI in addition to the existing NHS PKI, if applicable.
  • Rebuild any trust store or key store for MESH and DBS clients so that it contains both the current G1 and the new G2 issuer certificates, and your new G2 MESH/DBS certificate.
  • Test the updates using the NHS Digital Path to live integration environment.

What health and social care organisations can do now

This applies to NHS trusts, urgent and emergency care providers and other health and social care settings.

As soon as possible and before 31 December 2023, we recommend you:
  • Install the new G2 issuer certificate into the trust stores of your existing message handlers alongside any instances of the existing NHS Level 1C and NHS Root Authority certificates. This may require certificates to be installed in multiple locations depending on each organisation’s local set-up.
  • Renew your NHS system certificate using the standard process.
  • Reconfigure your web server component to accept certificates from the G2 PKI in addition to the existing NHS PKI, if applicable.
  • Rebuild any trust store or key store for MESH and DBS clients so that it contains both the current G1 and the new G2 issuer certificates, and your new G2 MESH/DBS certificate.
  • Ensure a valid G2 digital certificate is in place which has been issued by a trusted certificate authority (CA) that meets NHS standards.
  • Test the updates using the NHS Digital Path to live integration environment.
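Both lists above, for suppliers and for health and social care organisations, come down to the same check: after the rebuild, a trust store must validate certificates issued under the existing issuer and under the G2 issuer, and the renewed certificate must not be close to expiry. The script below is an added example, not NHS England's own tooling, and it does not use the real NHS issuer certificates: it creates throwaway stand-in CAs labelled G1 and G2 with the openssl command-line tool, issues a client certificate from each, and compares a G1-only trust store with a rebuilt G1 + G2 bundle. The file names, subject names and validity periods are assumed for illustration.

```shell
#!/bin/sh
# Added example, not NHS England's code. "G1" and "G2" below are throwaway
# stand-in issuers generated locally, not the real NHS issuer certificates.
# Requires the openssl command-line tool.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a self-signed stand-in issuer certificate NAME-ca.pem
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 60 \
    -subj "/CN=Stand-in $1 Issuer" \
    -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" >/dev/null 2>&1
}

# issue_leaf CA LEAF DAYS: issue a client certificate LEAF.pem signed by CA,
# valid for DAYS days (subject names are assumed for the example)
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2.example" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1-ca.pem" \
    -CAkey "$WORK/$1-ca.key" -CAcreateserial -days "$3" \
    -out "$WORK/$2.pem" >/dev/null 2>&1
}

# verify_against BUNDLE LEAF: "ok" if LEAF chains to an issuer in BUNDLE, else "fail"
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# expires_within LEAF DAYS: "yes" if LEAF expires within DAYS days, else "no"
# (openssl x509 -checkend exits 0 only when the certificate outlives the window)
expires_within() {
  if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
  then echo no; else echo yes; fi
}

# Stand-in issuers and one client certificate from each generation
make_ca G1
make_ca G2
issue_leaf G1 old-mesh-client 20   # existing certificate, issued by the old issuer
issue_leaf G2 new-mesh-client 60   # renewed certificate, issued by the new issuer

# Trust stores: the old one (G1 only) and the rebuilt one (G1 + G2)
G1_ONLY="$WORK/g1-only-bundle.pem"
COMBINED="$WORK/combined-bundle.pem"
cat "$WORK/G1-ca.pem" > "$G1_ONLY"
cat "$WORK/G1-ca.pem" "$WORK/G2-ca.pem" > "$COMBINED"

echo "new G2 client vs G1-only store  : $(verify_against "$G1_ONLY" "$WORK/new-mesh-client.pem")"
echo "new G2 client vs rebuilt store  : $(verify_against "$COMBINED" "$WORK/new-mesh-client.pem")"
echo "old G1 client vs rebuilt store  : $(verify_against "$COMBINED" "$WORK/old-mesh-client.pem")"
echo "old G1 client expires in 30 days: $(expires_within "$WORK/old-mesh-client.pem" 30)"
echo "new G2 client expires in 30 days: $(expires_within "$WORK/new-mesh-client.pem" 30)"
```

Run it with sh. The renewed G2 client certificate fails against the G1-only store, which is the "no longer seen as a trusted entity" outcome described above, while both generations verify against the rebuilt bundle. The combined bundle is the shape of file that a MESH or DBS client's trust store, or a web server component's client-certificate CA list (for example the file named by nginx's ssl_client_certificate directive), should contain for the duration of the transition. Running openssl x509 -checkend against each deployed certificate, with the window set to reach past 4 June 2024, is a quick way to list the certificates that still need renewing.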

Testing

The NHS Digital Path to live integration environment is available now for suppliers of healthcare technology, NHS trusts, and urgent and emergency care providers if they wish to test the updates before they implement these changes.


Contact us

For further support or if you have any queries, please contact [email protected].


Last edited: 16 May 2023 5:04 pm