OS is updating Secure Sockets Layer (SSL) certificates to improve security as our current SSL provider will not be supported by Google Chrome 70 and Mozilla Firefox 63 from mid-October. 

 

Most customers will not experience any impact when certificates are changed; SSL/TLS capable clients and server systems released after 2013 will have the relevant root certificates pre-installed.

 

Older and customised systems may require an update of their software to a version supporting/containing the new root certificates or need to have the certificate installed separately.

 

Browsers can be tested using a dedicated testing page provided by DigiCert at https://global-root-g2.chain-demos.digicert.com/.


What action do I need to take?

For those customers with working knowledge of SSL/TLs implementations the new root certificate will be the DigiCert Global Root G2 root certificate. If not already in place, it is recommended this is installed ahead of the changeover date, leaving the existing root certificate in place until after October 16th to ensure a smooth transition.

 

For further information please visit the DigiCert website for a list of compatible software and solutions.  View a more detailed list showing which solutions support our new certificates chained from the "DigiCert Global Root G2".

 

Test URLs

 

URL using current certificate

Test URL with new certificate

api.ordnancesurvey.co.uk

api2.ordnancesurvey.co.uk

osondemand.ordnancesurvey.co.uk

osondemand2.ordnancesurvey.co.uk

ondemandapi.ordnancesurvey.co.uk

tiles2.ordnancesurvey.co.uk

osopenspacepro.ordnancesurvey.co.uk

tiles2.ordnancesurvey.co.uk

openspace.ordnancesurvey.co.uk

openspace2.ordnancesurvey.co.uk 

tiles.ordnancesurvey.co.uk

tiles2.ordnancesurvey.co.uk

opendata.ordnancesurvey.co.uk

tiles2.ordnancesurvey.co.uk

Test URLs will be removed from 16 October 2018

 

Testing

Replace the current URL with the test URL for the service you are using. Test the systems using your existing key and queries. 

 

Once confirmed that the new certificates will not pose any problems we advise you revert back to the current URL and continue using the services as before with the change automatically coming into effect on September 24th.

 

No further action will be required from you in this instance.


My test has failed, what should I do?

Should your testing show that the certificates pose a problem for your system we would advise you initially update your software to the latest version. 

 

I can't upgrade my software, what should I do?

If you can't upgrade your software or you have problems with new certificates despite updating, you will most likely need to install the relevant DigiCert ROOT certificate.

 

The root certificate can be obtained from DigiCert at https://www.digicert.com/digicert-root-certificates.htm - listed under "DigiCert Global Root G2".

 

Most software capable of communicating via SSL/TLS will allow for the installation of root and intermediate certificates.

 

When should I remove the old Root Certificate?

Do not remove the old root certificate until after 16 October.

 

Our current certificates cannot be verified against the new root certificate and you would not be able to use our services until the switch has been made on 24 September, pending any issues or delays on our side on the day of the switch. We will remove the test URLs (except for api2.ordnancesurvey.co.uk) a short while after the switch of our certificates has been completed successfully.

 

Can I add  temporary exceptions?

No. We strongly recommend customers do not add temporary exceptions or attempt to install our SERVER certificates into their systems.

 

What are server certficates?

Server certificates are the ones supplied by us when making a connection via SSL/TLS to our services. These certificates carry a relatively short expiry date of two years after being issued to us. We may also change the certificates for security or system related reasons at any time without warning.

 

These changes are routine throughout the web and carry no impact to customers as the root certificate within the customer systems will be able to verify our server certificates when re-issued.

 

Why are OS making this change?

From 24 September 2018 OS will be changing all SSL certificates to a new provider DigiCert. This change is necessary as historical certificates provided by Symantec will be distrusted by Google Chrome, Mozilla Firefox and other software vendors from 16 October, resulting in possible problems for older client and server systems accessing  APIs and services.

 

Who is the new SSL certificate provider - DigiCert?

Our new provider DigiCert is a global player in the SSL certificate market and recently bought Symantec.