Requesting SSL Certificates via HashiCorp Vault
Follow the Confluence document to get connected to Vault.
For this, you may require the root token instead of OIDC, depending on what permission level you have.
You can find the token in one of the Key Vaults.
Once you are connected to Vault using the instructions above, you can request the certificate.
vault write pki_mnl_int/issue/mnl-nl-cjscp-org-uk common_name="<full domain name>" ttl="1h"
For example:
vault write pki_mnl_int/issue/mnl-nl-cjscp-org-uk common_name="darts-gateway.mnl.nl.cjscp.org.uk" ttl="1h"
The cert will be generated and saved in Vault.
The output of the command will give you a fingerprint which you can use to verify the domain name using:
vault read -format=json pki_mnl_int/cert/<fingerprint> | jq -r '.data.certificate' | openssl x509 -noout -subject -ext subjectAltName
This will give you something like this:
subject=CN=darts-gateway.mnl.nl.cjscp.org.uk
X509v3 Subject Alternative Name:
DNS:darts-gateway.mnl.nl.cjscp.org.uk
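The manual check above can be scripted so that a wrong name fails loudly instead of relying on someone reading the output. The following is an added example, not part of the original page or the platform's own tooling; the function names names_match and verify_issued are hypothetical, and it assumes vault, jq and openssl are on the PATH as in the command above.

```shell
#!/bin/sh
# Added example: automated form of the manual subject/SAN check.
PKI_MOUNT="pki_mnl_int"   # mount name taken from the page

# names_match EXPECTED
# Reads `openssl x509 -noout -subject -ext subjectAltName` output on stdin.
# Succeeds only if the subject CN and one DNS SAN both equal EXPECTED exactly.
names_match() {
    expected=$1
    out=$(cat)
    # Subject line is "subject=CN=name" or "subject=..., CN = name".
    cn=$(printf '%s\n' "$out" \
        | sed -n 's/^subject=.*CN *= *\([^,/]*\).*$/\1/p' | head -n 1)
    [ "$cn" = "$expected" ] || { echo "CN mismatch: got '$cn'" >&2; return 1; }
    # SAN entries are comma-separated; split, trim, then match whole entries
    # so that a suffix or prefix of another name never counts as a match.
    printf '%s\n' "$out" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -Fxq "DNS:$expected" \
        || { echo "no DNS SAN for '$expected'" >&2; return 1; }
}

# verify_issued ID EXPECTED
# ID is the value printed by the issue command (the <fingerprint> placeholder
# in the page's read command). Fails if Vault returns nothing.
verify_issued() {
    vault read -format=json "$PKI_MOUNT/cert/$1" \
        | jq -r '.data.certificate' \
        | openssl x509 -noout -subject -ext subjectAltName \
        | names_match "$2"
}
```

Call it as verify_issued "<fingerprint>" "darts-gateway.mnl.nl.cjscp.org.uk"; a non-zero exit status means the stored certificate does not carry the name you requested.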
Adding the certificate to the application gateway for Crime
An integration has been configured to copy the cert to Azure Key Vault for use with the application gateway.
Add your certificate to the config using the correct format.
And specify the certificate in the listener settings.
This page was last reviewed on 8 July 2025.
It needs to be reviewed again on 8 July 2026 by the page owner platops-build-notices.