Certificate requirements

Compatible Certificate Authorities

In the production and ITE environments, RealMe® will only trust certificates used for the purpose of signing and encryption by the following list of Certificate Authorities:

Certificate Naming Conventions

The RealMe requirement is that integrating organisations should follow the stated naming conventions. If there is a significant difficulty with satisfying the requirements, then this can be discussed with the RealMe integration team.

Standard subject naming

The subject (common name) for all certificates should be a concatenation of these four elements:

{environment}.sa.{purpose}.{[system] client domain}


  • environment values are ITE or Prod
  • sa is a fixed value identifying a client's certificate (service agency)
  • purpose is the way the certificate will be used - saml.sig for Post binding
  • client domain is a globally unique identifier for the environment using a domain style format

The certificate subject must contain only the lower case letters 'a' through 'z', the upper case letters 'A' through 'Z', the digits '0' through '9', the eleven special characters ' = ( ) + , - . / : ? and space.

For example:


The client domain should generally include the agency's primary domain name so that this can be linked to the agency, but this is not tested with a DNS lookup.

Multiple integrations in the same RealMe environment can share the same certificate and the subject naming appropriately reflects this.

Valid examples for the agency nn.govt.nz for an online service called secure-app (or secure-app-a and secure-app-b) include:

  • ite.sa.saml.sig.secure-app.nn.govt.nz
  • prod.sa.saml.sig.secure-app.nn.govt.nz
  • ite.sa.saml.sig.nn.govt.nz
  • ite.sa.saml.sig.secure-app-a.nn.govt.nz
  • ite.sa.saml.sig.secure-app-b.nn.govt.nz
  • ite.sa.saml.sig.secure-app.dev.nn.govt.nz
  • ite.sa.saml.sig.secure-app.test.nn.govt.nz
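
A pre-submission check for the naming convention and character set described above, added here as an illustration and not RealMe's own code. The function name, the case-insensitive environment match and the interpretation of "domain style" (at least two labels of letters, digits and hyphens) are assumptions.

```python
import re

# Characters the page allows in a certificate subject: letters, digits,
# the eleven specials ' = ( ) + , - . / : ? and space.
DISALLOWED = re.compile(r"[^A-Za-z0-9'=()+,\-./:? ]")
ENVIRONMENTS = {"ite", "prod"}  # page: "ITE or Prod"; matched case-insensitively (assumption)
PURPOSE = "saml.sig"            # the only purpose value the page names
# Assumption: "domain style" means dot-separated labels of letters, digits, hyphens.
LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")

# Valid examples copied from the page.
PAGE_EXAMPLES = [
    "ite.sa.saml.sig.secure-app.nn.govt.nz",
    "prod.sa.saml.sig.secure-app.nn.govt.nz",
    "ite.sa.saml.sig.nn.govt.nz",
    "ite.sa.saml.sig.secure-app-a.nn.govt.nz",
    "ite.sa.saml.sig.secure-app-b.nn.govt.nz",
    "ite.sa.saml.sig.secure-app.dev.nn.govt.nz",
    "ite.sa.saml.sig.secure-app.test.nn.govt.nz",
]

def check_common_name(cn):
    """Return a list of problems; an empty list means the CN follows the convention."""
    problems = []
    bad = sorted(set(DISALLOWED.findall(cn)))
    if bad:
        problems.append("disallowed characters: " + " ".join(repr(c) for c in bad))
    env, _, rest = cn.partition(".")
    if env.lower() not in ENVIRONMENTS:
        problems.append("environment must be ite or prod")
    fixed, _, rest = rest.partition(".")
    if fixed != "sa":
        problems.append("second element must be the fixed value sa")
    if not rest.startswith(PURPOSE + "."):
        problems.append("purpose must be " + PURPOSE)
        return problems  # cannot locate the client domain without a known purpose
    domain_labels = rest[len(PURPOSE) + 1:].split(".")
    if len(domain_labels) < 2 or not all(LABEL.fullmatch(l) for l in domain_labels):
        problems.append("client domain is not in domain-style format")
    return problems

if __name__ == "__main__":
    # The last two names are constructed counter-examples, not from the page.
    for cn in PAGE_EXAMPLES + ["dev.sa.saml.sig.nn.govt.nz",
                               "ite.sa.saml.sig.secure_app.nn.govt.nz"]:
        print(cn, "->", check_common_name(cn) or "ok")
```

Running the check against the common name in a certificate signing request before it goes to the Certificate Authority catches a wrong environment prefix or a stray character while it is still cheap to fix.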