NHS Public Key Infrastructure Root Certificate Authority information
Find out information about Public Key Infrastructure (PKI) used to confirm and issue digital certificates to healthcare IT systems and users across the NHS.
Overview
This page includes details of the various PKI certificates that are used in our production environment.
For certificates for our path to live environments, see Path to live environments.
NHS Public Key Infrastructure Root CA Certificate
The NHS Root Certificate Authority (CA) has been certified by tScheme to show that it is governed, operated and managed to high quality standards.
The following information can be used to confirm certificate details:
NHS Root Authority G2
Serial Number: 02:96:29:01:0A:7A:10:CB:C9:D5:30:17:A7:B8:F4:9C
Subject: C=GB, O=NHS, OU=CA, CN=NHS Root Authority G2
Expires: 07 April 2042
SHA1 Thumbprint: 7E:05:FA:62:9B:5E:66:DB:B8:0E:97:41:7D:24:73:CB:CF:5A:31:06
Download: https://pki.nhs.uk/live/G2/root/NHSRootAuthorityG2.crt
NHS Authentication G2
Serial Number: 5F:C4:71:31:2B:0B:78:83:F4:0A:F5:7E:FD:0B:1F:07
Subject: C=GB, O=nhs, OU=CA, CN=NHS Authentication G2
Expires: 15 September 2032
SHA1 Thumbprint: 1F:30:1F:CA:68:4D:9E:13:AD:4D:BA:7C:8F:2B:A1:26:F9:C4:C0:15
Download: https://pki.nhs.uk/live/G2/auth/NHSauthG2.crt
NHS Signing G2
This certificate is required by all dispensing software that uses the Electronic Prescription Service HL7 V3 API in order to verify prescription signatures that have been signed 'locally' on the client device.
Serial Number: 26:E0:4E:42:71:05:6A:EE:AC:05:6C:9F:3A:59:2E:D3
Subject: C=GB, O=nhs, OU=CA, CN=NHS Signing G2
Expires: 15 September 2032
SHA1 Thumbprint: 49:91:7C:B5:ED:2B:50:1B:C2:78:25:2C:5C:0F:FC:CC:57:09:A4:24
Download: https://pki.nhs.uk/live/G2/sign/NHSsignG2.crt
NHS Remote Signing G2
This certificate is required, in addition to NHS Signing G2, by all dispensing software that uses the Electronic Prescription Service HL7 V3 API in order to verify prescription signatures that have been signed 'remotely' using the Digital Signature Service API.
Serial Number: 00:BB:55:02:5F:67:C7:CC:91:D1:71:DC:65:7B:BE:2B:E3
Subject: C=GB, O=nhs, OU=CA, CN=NHS Signing G2 Level 2
Expires: 7 September 2032
SHA1 Thumbprint: 1E:0D:24:56:46:40:59:AA:42:28:D9:F6:AD:96:65:FC:A2:44:A7:DC
Download: https://pki.nhs.uk/live/G2/sign/NHSSigningG2L2.crt
Infrastructure Level 1 SubCA Certificates
There are 2 Level 1 Sub CAs within NHS infrastructure. The Authentication CA (1C) is used for issuing certificates to subscribers for the purposes of authentication.
The Content Commitment CA (1D) is used for issuing certificates for the purposes of Digital Signature.
Level 1C SubCA Authentication Certificate (SHA256)
The following information can be used to confirm certificate details:
- Serial Number: 4f 86 a5 45
- Subject Name: CN = NHS Level 1C, OU = CA, O = nhs
- Expires: 04 June 2024
- SHA1 Thumbprint: da 3c f9 d1 3a 70 57 04 f2 cb a2 74 c7 97 94 96 3c 36 ff 94
Download the NHS PKI Level 1C certificate in pkcs#7 format (.p7b)
Download the NHS PKI Level 1C certificate in der format (.der)
Download the NHS PKI Level 1C certificate in pem Base64 format (.cer)
Level 1D SubCA Content Commitment Certificate (SHA256)
The following information can be used to confirm certificate details:
- Serial Number: 4f 86 a5 46
- Subject Name: CN = NHS Level 1D, OU = CA, O = nhs
- Expires: 04 June 2024
- SHA1 Thumbprint: 17 af ef 48 fb 02 0b 42 d8 0f 4f 90 5e 41 ba ca a4 ca 51 c5
Download the NHS PKI Level 1D certificate in pkcs#7 format (.p7b)
Download the NHS PKI Level 1D certificate in der format (.der)
Download the NHS PKI Level 1D certificate in pem Base64 format (.cer)
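One way to run the confirmation check described above against a downloaded .der or Base64 .cer file, as an added example that is not NHS code. It normalises both thumbprint notations used on this page and compares serial numbers as integers, so the leading `00` in the NHS Remote Signing G2 serial does not cause a false mismatch. All function names are this example's own.

```python
import base64
import hashlib
import re


def norm_hex(text):
    """Reduce 'AA:BB', 'aa bb' or 'aabb' notation to lowercase hex digits."""
    digits = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"(?:[0-9a-f]{2})+", digits):
        raise ValueError(f"not a hex string: {text!r}")
    return digits


def to_der(data):
    """Decode a Base64 (PEM) certificate to DER; pass DER bytes through."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  data, re.S)
    return base64.b64decode(m.group(1)) if m else data


def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length


def serial_number(der):
    """Serial as int: Certificate -> tbsCertificate -> [0] version -> INTEGER."""
    _, cert_start, _ = read_tlv(der, 0)
    _, tbs_start, _ = read_tlv(der, cert_start)
    tag, start, end = read_tlv(der, tbs_start)
    if tag == 0xA0:  # explicit version field precedes the serial in v3 certs
        tag, start, end = read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(der[start:end], "big")


def matches_published(data, serial, sha1_thumbprint):
    """True only if both the serial and the SHA-1 thumbprint match."""
    der = to_der(data)
    return (serial_number(der) == int(norm_hex(serial), 16)
            and hashlib.sha1(der).hexdigest() == norm_hex(sha1_thumbprint))
```

A match shows the file is the certificate this page describes, so read the published values over a channel you trust before installing the certificate as a trust anchor.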
Path to live environments
Certificates for path to live environments are available as follows:
Contact us
For further advice, please contact the Data Security Centre by emailing [email protected].
Last edited: 13 May 2026 11:06 am