Generate self-signed certificates

To communicate with GOV.UK Verify you need to use keys and certificates. If you’re communicating with the GOV.UK Verify hub, your certificates must be issued by the IDAP certificate authority. If you’re communicating with the compliance tool, generate self-signed certificates as described here.

Generate self-signed certificates with OpenSSL

You can generate keys and self-signed certificates in whatever way is most convenient and familiar for you. There are many different formats of keys and certificates. The Matching Service Adapter (MSA) uses PKCS#8 formatted keys (.pk8) and PEM encoded X509 certificates (.crt).

The GOV.UK Verify team generally use the OpenSSL tool to do this using the guidance from the Heroku Dev Center.

Install OpenSSL if it isn’t already installed:

Run the following commands in order, replacing:

# Generate a private key:
openssl genrsa -des3 -passout pass:x -out "$name.pass.key" 2048
openssl rsa -passin pass:x -in "$name.pass.key" -out "$name.key"

# Generate a certificate signing request (CSR):
openssl req -batch -new -subj "/CN=$commonName" -key "$name.key" -out "$name.csr"

# Generate a self signed certificate:
openssl x509 -req -sha256 -in "$name.csr" -signkey "$name.key" -out "$name.crt"

# Convert the private key to .pk8 format:
openssl pkcs8 -topk8 -inform PEM -outform DER -in "$name.key" -out "$name.pk8" -nocrypt

# Clean up the files you don’t need anymore:
rm "$name.pass.key"
rm "$name.csr"
rm "$name.key"

Keys and certificates for your MSA

With the default configuration in test-config.yml the MSA needs the following keys and certificates:

  • test_primary_signing{.pk8,.crt} - primary signing private key and certificate
  • test_secondary_signing{.pk8,.crt} - secondary signing private key and certificate
  • test_msa_encryption_1{.pk8,.crt} - primary encryption private key and certificate
  • test_msa_encryption_2{.pk8,.crt} - secondary encryption private key and certificate


The MSA needs primary and secondary keys to support key rotations without causing service downtime for users.

Keys and certificates for your service

Your service must sign SAML messages and decrypt assertions, so at a minimum you need a private key and certificate for each of these roles. Your service should support multiple encryption keys to allow for key rotations.

Depending on how your service is built you may need to provide keys and certificates in a different format, for example .jks or .pem.