NDR-235 Certificate generation script

megan-bower4 · megan-bower4 · commit 966b0bca7533 · 2025-09-18T09:30:31.000+01:00
diff --git a/.tool-versions b/.tool-versions
@@ -0,0 +1,2 @@
+terraform 1.5.7
+awscli 2.13.22
diff --git a/scripts/confs/dev.conf b/scripts/confs/dev.conf
@@ -0,0 +1,17 @@
+[req]
+default_bits = 4096
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+C = GB
+ST = West Yorkshire
+L = Leeds
+O = NHS England
+OU = National Document Repository
+CN = client.dev.ndr.national.nhs.uk
+
+[v3_req]
+keyUsage = keyEncipherment, dataEncipherment
+extendedKeyUsage = serverAuth
diff --git a/scripts/confs/preprod.conf b/scripts/confs/preprod.conf
@@ -0,0 +1,17 @@
+[req]
+default_bits = 4096
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+C = GB
+ST = West Yorkshire
+L = Leeds
+O = NHS England
+OU = National Document Repository
+CN = client.dev.preprod.national.nhs.uk
+
+[v3_req]
+keyUsage = keyEncipherment, dataEncipherment
+extendedKeyUsage = serverAuth
diff --git a/scripts/confs/prod.conf b/scripts/confs/prod.conf
@@ -0,0 +1,17 @@
+[req]
+default_bits = 4096
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+C = GB
+ST = West Yorkshire
+L = Leeds
+O = NHS England
+OU = National Document Repository
+CN = client.prod.ndr.national.nhs.uk
+
+[v3_req]
+keyUsage = keyEncipherment, dataEncipherment
+extendedKeyUsage = serverAuth
diff --git a/scripts/confs/test.conf b/scripts/confs/test.conf
@@ -0,0 +1,17 @@
+[req]
+default_bits = 4096
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+C = GB
+ST = West Yorkshire
+L = Leeds
+O = NHS England
+OU = National Document Repository
+CN = client.test.ndr.national.nhs.uk
+
+[v3_req]
+keyUsage = keyEncipherment, dataEncipherment
+extendedKeyUsage = serverAuth
diff --git a/scripts/create_csrs.sh b/scripts/create_csrs.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# This is for generating certs for the NHS Digital API Management Platform. They are used during mTLS authentication.
+# Taken from https://github.com/NHSDigital/api-management-cert-generation/blob/master/README.md
+# This script is likely needed if certificates need to be regenerated due to expiry or if new environments are added etc.
+# Run create_csrs.sh to generate keys into keys/ and CSRs into csrs/ to send to a trusted CA.
+# Usage:
+# ./create_csrs.sh
+
+set -euo pipefail
+
+mkdir -p csrs
+mkdir -p keys
+
+openssl req -new -newkey rsa:4096 -nodes -sha256 -keyout keys/dev.api.service.nhs.uk.key -out csrs/dev.api.service.nhs.uk.csr -config confs/dev.conf -extensions v3_req
+openssl req -new -newkey rsa:4096 -nodes -sha256 -keyout keys/test.api.service.nhs.uk.key -out csrs/test.api.service.nhs.uk.csr -config confs/test.conf -extensions v3_req
+openssl req -new -newkey rsa:4096 -nodes -sha256 -keyout keys/preprod.api.service.nhs.uk.key -out csrs/preprod.api.service.nhs.uk.csr -config confs/preprod.conf -extensions v3_req
+openssl req -new -newkey rsa:4096 -nodes -sha256 -keyout keys/api.service.nhs.uk.key -out csrs/api.service.nhs.uk.csr -config confs/prod.conf -extensions v3_req
