Certificate purchasing
SAML POST binding requirements
Compatible Certificate Authorities
In the production and ITE environments, RealMe will trust certificates that organisations purchase from their preferred Certificate Authority provider. Certificates do not need to be the more costly Extended Validation (EV) type. Self-signed certificates, wildcard certificates, and short-duration (e.g. 90 day) certificates with automatic renewal are not acceptable.
Certificate duration
The default duration requirement for certificates is now 1 year. RealMe Operations will liaise with the agency about certificate expiry.
Certificate reuse
- Separate certificates are required for the RealMe Production and ITE environments, but a certificate can be used for multiple agency environments connected to ITE (e.g. dev, systest, uat, etc.).
- Within a RealMe environment, a certificate may be reused across more than one online service to validate the same agency – or more specifically the same privacy domain.
Certificate specifications
The CSR for the SP certificate must comply with the common name requirements below and use a key length of at least 2048 bits. The signing algorithm should be one of SHA-256, SHA-384 or SHA-512.
RealMe requires integrating organisations to follow the naming conventions set out below.
- The certificate name for RealMe use should only contain permitted characters:
  - Lowercase letters a–z
  - Uppercase letters A–Z
  - Digits 0–9
  - Special characters: dot (.) and hyphen (-)
- The certificate name must be globally unique across RealMe services.
The certificate name for the SAML POST binding SP signing and encryption certificate should conform to the following pattern:
{RealMe environment}.{service}.{organisation domain}
where:
- environment values for production can be “prod” (preferred), or “production”
- environment values for non-production can be the RealMe environment name “ite” (preferred)
- service is the online service identifier, joined to the organisation domain in a URL (hostname) style format
- organisation domain is a globally unique identifier using a domain style format such as agency.govt.nz.
A valid example is:
ite.customer-benefit-apply.ministry.govt.nz
The organisation domain should be the organisation's primary domain name, so that RealMe Operations can easily link the certificate with the responsible agency and to support the Certificate Authority verification process. Note that RealMe does not verify the value with a DNS lookup.
If a certificate will be shared across multiple online services in the same privacy domain, then the certificate name should appropriately reflect this.
SAML Artifact binding
For the Artifact binding mutual SSL certificate, RealMe can only process certificates from three Certificate Authorities: Digicert (RapidSSL), Thawte and Verisign.
The certificate name for SAML Artifact binding back-channel can follow the legacy certificate name pattern if already integrated:
{RealMe environment}.mutual-ssl.{service}.{organisation domain}
Note that only SHA-256 certificates are accepted for artifact binding integrations.
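As an added example (not RealMe's own code or tooling), the following Python checks a proposed certificate name against the SAML POST binding pattern and the Artifact binding back-channel pattern before a CSR is raised, and splits a valid name into its parts. It assumes the service is a single label and that the organisation domain has at least two labels (as in agency.govt.nz); global uniqueness across RealMe services cannot be checked locally.

```python
import re

# Permitted characters for a RealMe certificate name: letters, digits, dot and hyphen.
_PERMITTED = re.compile(r"[A-Za-z0-9.-]+")
# Environment labels RealMe accepts; "prod" and "ite" are the preferred forms.
_ENVIRONMENTS = {"prod", "production", "ite"}


def check_realme_sp_name(name: str, artifact_binding: bool = False) -> list:
    """Return the problems found in a proposed SP certificate name (empty list = OK).

    POST binding pattern:     {env}.{service}.{organisation domain}
    Artifact binding pattern: {env}.mutual-ssl.{service}.{organisation domain}
    Global uniqueness across RealMe services cannot be checked locally.
    """
    problems = []
    if not _PERMITTED.fullmatch(name):
        # Also rejects wildcards ("*"), underscores, spaces and non-ASCII characters.
        problems.append("contains characters other than a-z, A-Z, 0-9, dot and hyphen")
        return problems
    labels = name.split(".")
    if "" in labels:
        problems.append("empty label (leading, trailing or doubled dot)")
    if any(lbl.startswith("-") or lbl.endswith("-") for lbl in labels):
        problems.append("a label starts or ends with a hyphen")
    if labels[0] not in _ENVIRONMENTS:
        problems.append(f"first label {labels[0]!r} is not prod, production or ite")
    fixed = 2  # environment + service
    if artifact_binding:
        if len(labels) < 2 or labels[1] != "mutual-ssl":
            problems.append("second label must be 'mutual-ssl' for the Artifact binding pattern")
        fixed = 3  # environment + mutual-ssl + service
    # Assumption: the organisation domain has at least two labels (e.g. agency.govt.nz).
    if len(labels) < fixed + 2:
        problems.append("too few labels: need environment, service and a multi-label organisation domain")
    return problems


def split_realme_sp_name(name: str, artifact_binding: bool = False):
    """Break a valid name into its parts; None if check_realme_sp_name reports problems."""
    if check_realme_sp_name(name, artifact_binding):
        return None
    labels = name.split(".")
    service_index = 2 if artifact_binding else 1  # assumption: service is a single label
    return {
        "environment": labels[0],
        "service": labels[service_index],
        "organisation_domain": ".".join(labels[service_index + 1:]),
    }
```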