Certificate purchasing

SAML POST binding requirements

Compatible Certificate Authorities

In the production and ITE environments, RealMe will trust certificates that organisations purchase from their preferred Certificate Authority provider. Certificates do not need to be the more costly Extended Validation (EV) type. Self-signed or wildcard certificates and short-duration (e.g. 90 days) certificates with automatic renewal are not acceptable.

Certificate duration

The default duration requirement for certificates is now 1 year. RealMe Operations will liaise with the agency about certificate expiry.

Certificate reuse

  • Separate certificates are required for the RealMe Production and ITE environments, but a certificate can be used for multiple agency environments connected to ITE (e.g. dev, systest, uat, etc.).
  • Within a RealMe environment, a certificate may be reused across more than one online service to validate the same agency – or more specifically the same privacy domain.

Certificate common name and bit length

The CSR for the SP certificate must comply with the common name requirements and have a minimum bit length of 2048.

The RealMe requirement is that integrating organisations should follow the stated naming conventions. If there is a significant difficulty with satisfying the requirements, then this can be discussed with the RealMe integration team. The naming rules have changed to provide greater flexibility for integrating organisations.

  • The certificate name for RealMe use may only contain the following permitted characters:
    • Lowercase letters a–z
    • Uppercase letters A–Z
    • Digits 0–9
    • Special characters: dot (.) and hyphen (-)
  • The certificate name must be globally unique across RealMe services.

The certificate name for the SAML POST binding SP signing and encryption certificate should conform to the following pattern:

{RealMe environment}.{service}.{organisation domain}

where:

  • environment values for production can be “prod” (preferred) or “production”
  • environment values for non-production can be the RealMe environment name “ite” (preferred)
  • service is added in front of the organisation domain in a URL-style (dot-separated) format
  • organisation domain is a globally unique identifier in a domain-style format such as agency.govt.nz

A valid example is:

ite.customer-benefit-apply.ministry.govt.nz

The organisation domain should be the organisation's primary domain name, so that RealMe Operations can easily link the certificate with the responsible agency and to support the Certificate Authority verification process. Note that RealMe does not test the value with a DNS lookup.

If a certificate will be shared across multiple online services in the same privacy domain, then the certificate name should appropriately reflect this.

SAML Artifact binding

For the Artifact binding mutual SSL certificate, RealMe can only process certificates from three Certificate Authorities: Digicert (RapidSSL), Thawte and Verisign.

If the service is already integrated, the certificate name for the SAML Artifact binding back-channel can continue to follow the legacy certificate name pattern:

{RealMe environment}.mutual-ssl.{service}.{organisation domain}
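The following check, added here as an example and not part of RealMe's own tooling, validates a proposed common name against the POST binding pattern above and the legacy Artifact binding pattern before a CSR is raised. It assumes one or more dot-separated service labels before an organisation domain of at least two labels; global uniqueness across RealMe cannot be checked locally and is not tested.

```python
import re

# Environment labels accepted by the naming rules on this page
ALLOWED_ENVS = {"prod", "production", "ite"}
# One dot-separated label: permitted characters are a-z, A-Z, 0-9 and hyphen
LABEL_RE = re.compile(r"[A-Za-z0-9-]+")
# Whole name: permitted characters plus the dot separator
NAME_RE = re.compile(r"[A-Za-z0-9.-]+")


def check_realme_cn(cn: str, binding: str = "post") -> list[str]:
    """Return a list of problems with a proposed RealMe SP certificate common name.

    An empty list means the name matches {env}.{service}.{organisation domain},
    or {env}.mutual-ssl.{service}.{organisation domain} when binding="artifact".
    """
    problems = []
    if "*" in cn:
        problems.append("wildcard names are not accepted by RealMe")
    if not NAME_RE.fullmatch(cn):
        problems.append("contains characters other than a-z, A-Z, 0-9, dot and hyphen")
        return problems  # further parsing is meaningless
    labels = cn.split(".")
    if any(not LABEL_RE.fullmatch(label) for label in labels):
        problems.append("empty label (consecutive, leading or trailing dot)")
        return problems
    env, rest = labels[0], labels[1:]
    if env.lower() not in ALLOWED_ENVS:
        problems.append(
            f"environment label {env!r} is not one of {sorted(ALLOWED_ENVS)}"
        )
    if binding == "artifact":
        # Legacy back-channel names carry a fixed 'mutual-ssl' label after the environment
        if not rest or rest[0] != "mutual-ssl":
            problems.append("Artifact binding name needs 'mutual-ssl' after the environment")
        else:
            rest = rest[1:]
    # Need at least one service label plus an organisation domain of two or more labels
    if len(rest) < 3:
        problems.append("expected {service}.{organisation domain} after the environment")
    return problems


if __name__ == "__main__":
    # Constructed names: the page's valid example, and one that breaks the rules
    for name in ("ite.customer-benefit-apply.ministry.govt.nz", "uat.apply_now.ministry.govt.nz"):
        print(name, "->", check_realme_cn(name) or "OK")
```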