Rotating the RadSec Certificate
This runbook outlines the steps required to generate and rotate the RadSec private key and certificate combination file, server.pem.
Context
The RadSec server.pem is found in the /radsec folder of the mojo-{environment}-nac-certificate-bucket in the environment account (Dev, pre-prod or prod). The RadSec certificate is used for RADIUS over TLS to establish secure, encrypted communication between RADIUS clients and servers. The pem file contains two parts: the certificate and the encrypted private key. The private key is encrypted using the password found in AWS Secrets Manager (/moj-network-access-control/{environment}/radsec/private_key_password); this password will also need rotating as part of the certificate renewal.
The current Radsec server.pem expires 04/02/2028 (see NACS portal for expiry date).
Note the renewal will require a CR so the renewal needs to be done in good time.
As of 03/03/2028, the version of Ruby on the NACS admin portal that runs the server.pem validation uses openssl-3.5.5. Use the same or a similar OpenSSL version to generate and encrypt the key so that the output format matches what the portal accepts; otherwise the file may be rejected.
Prerequisites
- OpenSSL 3.5.5 installed locally
- Coordination with LAN team for testing and cert generation
Steps
1. Generating new server.pem:
Generate a new private key:
openssl genrsa -out radsec-pk.key
Copy the conf file below to your working directory:
radsec.cnf:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C="GB"
O="Ministry of Justice"
OU="Digital & Technology"
CN="radsec.network-access-control.service.justice.gov.uk"
emailAddress=certificates-gg@justice.gov.uk
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = radsec.network-access-control.service.justice.gov.uk
DNS.2 = radsec.dev.network-access-control.service.justice.gov.uk
DNS.3 = radsec.prep.network-access-control.service.justice.gov.uk
Generate a CSR using the new private key:
openssl req -new -key radsec-pk.key -out radsec.csr -config radsec.cnf
Send the CSR to IDAM or the LAN team, who have access to the MOJ PKI portal and can create the new certificate using the "moj_radius" template. IDAM will send the new certificate back.
Encrypt the private key from step 1, using a new password (save this password, you will need it later). Note you will be prompted for the password once the command is run:
openssl rsa -in radsec-pk.key -aes256 -out encrypted_radsec-pk.pem
Combine the certificate and the encrypted private key files into the server.pem file, e.g.:
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END ENCRYPTED PRIVATE KEY-----
At this stage you have the server.pem with the new certificate. Agree a timeframe with the LAN Engineers to test in Dev; when you are ready to test in Dev, proceed to the next steps. For Production deployments the steps are the same, but carried out in the Production AWS account.
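The script below is an added example, not part of this runbook: it runs the generation steps above end to end in a scratch directory and then checks the resulting server.pem the way a pre-upload sanity check should (both PEM blocks present, the key decrypts with the password, the key matches the certificate, and the certificate is not expiring soon). Because the MOJ PKI portal cannot be reached from a script, it self-signs the CSR as a constructed stand-in for the certificate IDAM returns, and the password is a constructed placeholder. It encrypts the key with `openssl pkcs8 -topk8 -v2 aes-256-cbc` rather than `openssl rsa -aes256` so that the output is the PKCS#8 "ENCRYPTED PRIVATE KEY" block shown above on any OpenSSL version (OpenSSL 3 produces that block from the runbook's `openssl rsa -aes256` as well; OpenSSL 1.1 would emit a traditional "RSA PRIVATE KEY" block instead, which is the format mismatch the version note warns about). The password is passed via an environment variable so it does not appear in the process list.

```shell
#!/bin/sh
# Added example (not from the runbook): build a server.pem and verify it before upload.
set -eu

# Writes the runbook's radsec.cnf (straight quotes) to the path given in $1.
write_radsec_cnf() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C="GB"
O="Ministry of Justice"
OU="Digital & Technology"
CN="radsec.network-access-control.service.justice.gov.uk"
emailAddress=certificates-gg@justice.gov.uk
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = radsec.network-access-control.service.justice.gov.uk
DNS.2 = radsec.dev.network-access-control.service.justice.gov.uk
DNS.3 = radsec.prep.network-access-control.service.justice.gov.uk
EOF
}

# Builds server.pem in directory $1 using password $2; prints the path of server.pem.
# The certificate is self-signed here as a constructed stand-in for the CA-issued one.
build_server_pem() {
  dir="$1"
  write_radsec_cnf "$dir/radsec.cnf"
  openssl genrsa -out "$dir/radsec-pk.key" 2048 2>/dev/null
  openssl req -new -key "$dir/radsec-pk.key" -out "$dir/radsec.csr" -config "$dir/radsec.cnf"
  # Stand-in for the PKI portal step: self-sign the CSR, carrying the SAN extension over.
  openssl x509 -req -in "$dir/radsec.csr" -signkey "$dir/radsec-pk.key" -days 365 \
    -extfile "$dir/radsec.cnf" -extensions v3_req -out "$dir/radsec.crt" 2>/dev/null
  # Encrypt the key as PKCS#8 / AES-256 (the "ENCRYPTED PRIVATE KEY" block the portal expects).
  RADSEC_KEY_PASSWORD="$2" openssl pkcs8 -topk8 -v2 aes-256-cbc \
    -in "$dir/radsec-pk.key" -passout env:RADSEC_KEY_PASSWORD -out "$dir/encrypted_radsec-pk.pem"
  # Certificate first, then the encrypted key, exactly as in the runbook's layout.
  cat "$dir/radsec.crt" "$dir/encrypted_radsec-pk.pem" > "$dir/server.pem"
  echo "$dir/server.pem"
}

# Verifies server.pem $1 with password $2. Returns 0 only if both PEM blocks are present,
# the password decrypts the key, the key matches the certificate, and the certificate
# remains valid for at least $3 more days (default 30). Prints the reason on failure.
verify_server_pem() {
  pem="$1"; password="$2"; min_days="${3:-30}"
  tmp=$(mktemp -d)
  grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" || { echo "no certificate block"; return 1; }
  grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$pem" || { echo "no encrypted private key block"; return 1; }
  # Split the combined file so each openssl call sees exactly one object.
  awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' "$pem" > "$tmp/cert.pem"
  awk '/-----BEGIN ENCRYPTED PRIVATE KEY-----/,/-----END ENCRYPTED PRIVATE KEY-----/' "$pem" > "$tmp/key.pem"
  # Wrong password (the cause of the portal's "invalid private key" error) fails here.
  key_pub=$(RADSEC_KEY_PASSWORD="$password" openssl pkey -in "$tmp/key.pem" \
    -passin env:RADSEC_KEY_PASSWORD -pubout 2>/dev/null) || { echo "password does not decrypt the key"; return 1; }
  cert_pub=$(openssl x509 -in "$tmp/cert.pem" -noout -pubkey)
  [ "$key_pub" = "$cert_pub" ] || { echo "private key does not match certificate"; return 1; }
  # -checkend exits non-zero if the certificate expires within the given number of seconds.
  openssl x509 -in "$tmp/cert.pem" -noout -checkend $((min_days * 86400)) >/dev/null \
    || { echo "certificate expires within $min_days days"; return 1; }
  rm -rf "$tmp"
  return 0
}

# Usage (constructed password; generate a fresh one for a real rotation):
#   PEM=$(build_server_pem "$(mktemp -d)" 'example-rotation-password')
#   verify_server_pem "$PEM" 'example-rotation-password' 30 && echo "server.pem OK"
```

Run `verify_server_pem` against the real server.pem with the password you intend to store in Secrets Manager before uploading: a password mismatch surfaces here as "password does not decrypt the key" rather than as the portal's invalid private key error after redeployment.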
2. Rotating the server.pem:
- Change the value of the private key password in AWS Secrets Manager (/moj-network-access-control/{environment}/radsec/private_key_password) to the password used to encrypt the private key.
- Rename the current radsec/server.pem in the S3 bucket to indicate it is an old version.
- Upload the new server.pem file.
- Redeploy the NACS admin service. This is required because the RadSec password environment variable is retrieved only on start-up; if the service is still using the old password, the server.pem will be rejected with an invalid private key error. The service can be redeployed by going to ECS > Clusters > mojo-production-nac-cluster > Services > admin and selecting the drop-down icon to the right of 'Update service'. Under this drop-down select 'Force new deployment'. Once the service has been redeployed it will pick up the new password from Secrets Manager and the NACS admin portal step can be carried out.
- Delete the NACS-Server-Certificate-RADSEC certificate in the NACS admin portal; note down the name and description before you delete it.
- Upload the new server.pem to the NACS admin portal with the name and description you noted. This should trigger the Internal and Public ECS tasks to redeploy, picking up the new certificate. If it does not, you will need to trigger a redeployment manually.
- LAN Engineers test that users can authenticate via RadSec.
3. Test the Certificate
To verify the certificate has been rotated successfully, first check in the NACS admin portal 'Server Certificates' section that the RadSec cert is present and no longer expiring soon. Then check the ECS mojo-production-nac-cluster internal and public services. They should automatically start a new deployment when there is a certificate change in the admin portal. Monitor this redeployment and confirm it is running without health issues. The LAN engineer can then test access/authentication on Wi-Fi and wired connections, either in 102PF or within a home lab setup.