SIMS Domain TLS Certificate Renewal - bcgov/SIMS GitHub Wiki
SIMS TLS Certificate Renewal Process
Below are the instructions for renewing the SIMS TLS certificate, which expires annually and must be rotated. Renewal can be requested up to one month before expiry; start the process at that point, because request and issuance take time.
- Request a certificate renewal from the ministry service desk. Your supervisor will need to approve the request through the service request system.
- Once the request has been processed, you will be asked to submit a Certificate Signing Request (CSR) to OCIO. Generate it on the command line with OpenSSL, using a newly generated private key and the following parameters:
  Country: CA; State: British Columbia; Locality: Victoria; Organization: Government of the Province of British Columbia; Common Name: *sims.studentaidbc.ca; Key: RSA, 2048 bits
- Store the private key securely (it is never sent to OCIO and must not be committed to the repository) and submit only the CSR.
- OCIO will provide a certificate and a TLS chain (and possibly other intermediate certificates, such as TLSRoot and TrustedRoot). You should only need the certificate file and the TLS chain.
- Test the certificate by installing it on a single DEV route in OpenShift. You can paste the values directly into the route YAML and save:
  Certificate = sims.studentaidbc.ca.txt
  Private Key = the private key you generated for the CSR
  CA Certificate = TLSChain.txt
- If successful, the route will display "Accepted".
- Once you are satisfied with the test, update the GitHub secrets. Note: the certificate and key values must be formatted with no line breaks.
- Run the Deploy-All workflow to DEV. Deployment to the other environments will occur through the regular stages in upcoming releases.
- Run the Deploy form server workflow to DEV. Deployment to the other environments will occur through the regular stages in upcoming releases.
- Verify that the certificate has been updated by checking it in the browser and with the SSL checker linked below.
  https://www.sslshopper.com/ssl-checker.html
- Store the certificates in the secure folder.
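The OpenSSL side of the steps above, as an added example; this is not a script from the SIMS repository. It assumes the file names sims.key and sims.csr for what you generate, and sims.studentaidbc.ca.txt and TLSChain.txt for what OCIO returns (all overridable through the environment). The subject fields are copied from the checklist above, so confirm the exact Common Name with OCIO before submitting (wildcard names are normally written as `*.domain`). The single-line encoding for the GitHub secrets is an assumption too: the page says the values must have no line breaks but not which form the deploy workflows decode, so check the Deploy-All workflow before relying on it.

```shell
#!/bin/sh
# Added example for the SIMS TLS renewal checklist; not a SIMS project script.
# Assumed file names: sims.key and sims.csr are produced here; sims.studentaidbc.ca.txt
# and TLSChain.txt are the files issued by OCIO. Override any of them via the environment.
set -eu

KEY=${KEY:-sims.key}
CSR=${CSR:-sims.csr}
CERT=${CERT:-sims.studentaidbc.ca.txt}
CHAIN=${CHAIN:-TLSChain.txt}
# Subject taken from the checklist; wildcard CNs are normally "*.domain", so confirm the
# exact Common Name with OCIO before generating the CSR.
SUBJ='/C=CA/ST=British Columbia/L=Victoria/O=Government of the Province of British Columbia/CN=*sims.studentaidbc.ca'

# Step 2: generate a new 2048-bit RSA key and the CSR. The key is written unencrypted
# (-nodes) because the OpenShift route needs the raw PEM; umask 077 keeps it readable by
# you only. Only the CSR leaves this machine.
gen_csr() {
  umask 077
  openssl req -new -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CSR" -subj "$SUBJ"
  # Check the subject and key size before sending the CSR to OCIO.
  openssl req -in "$CSR" -noout -subject
  openssl req -in "$CSR" -noout -text | grep 'Public-Key'
}

# Pre-check for step 5: the issued certificate must belong to our private key and must
# chain to the supplied intermediates, otherwise the DEV route is rejected, not "Accepted".
check_cert() {
  cert_pub=$(openssl x509 -in "$CERT" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$KEY" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] || { echo "$CERT was not issued for $KEY" >&2; return 1; }
  # Intermediates come from TLSChain.txt and the root from the system trust store; add
  # -CAfile TrustedRoot.txt if OCIO's root is not in that store.
  openssl verify -untrusted "$CHAIN" "$CERT"
  openssl x509 -in "$CERT" -noout -subject -enddate -ext subjectAltName
}

# Step 6: GitHub secret values are stored on a single line. This encodes each PEM line
# break as the two characters "\n" (assumption: the deploy workflows unescape that form).
pem_to_single_line() {
  awk 'BEGIN { ORS = "" } { print $0 "\\n" }' "$1"
}

# Step 8: read the certificate actually served by a host instead of relying on the external
# checker alone, and flag it when it is inside the one-month renewal window
# (-checkend 2592000 seconds = 30 days; exit status 1 means renewal is due).
check_live() {
  host=${1:?usage: check_live <hostname>}
  served=$(openssl s_client -servername "$host" -connect "$host:443" </dev/null 2>/dev/null \
           | openssl x509)
  printf '%s\n' "$served" | openssl x509 -noout -subject -issuer -enddate -fingerprint -sha256
  printf '%s\n' "$served" | openssl x509 -noout -checkend 2592000
}

# Usage: sh sims-tls.sh gen_csr | check_cert | pem_to_single_line <file> | check_live <host>
if [ "$#" -gt 0 ]; then "$@"; fi
```

Run check_cert before touching the DEV route: a key/certificate mismatch or a missing intermediate is the usual reason a route never reaches "Accepted", and it is cheaper to find here than in the OpenShift console.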