Root CA for NHS PKI service
from the Health and Social Care Information Centre
Grant of Approval
tScheme Limited grants approval to the electronic trust service identified as:
Root Certificate Authority for the NHS PKI - The NHS PKI is a trust infrastructure which provides certification services throughout the National Health Service. The NHS PKI Root acts as the core of the NHS certification trust infrastructure.
as supplied by:
Health and Social Care Information Centre
of 1 Trevelyan Square, Boar Lane, Leeds LS1 6AE.
The management system used to deliver this service is certified by:
LRQA Lloyd's Register Quality Assurance Ltd.
of Trinity Park, 1 Bickenhill Lane, Birmingham B37 7ES
to satisfy the criteria defined in the following tScheme Approval Profiles:
Title | Identity | Issue |
Base Approval Profile | tSd0111 | 3.00 |
Approval Profile for Certificate Generation* | tSd0104 | 3.01 |
Approval Profile for Certificate Dissemination | tSd0105 | 3.01 |
Approval Profile for Certificate Status Management | tSd0106 | 3.01 |
*not including Qualified Certificates
This approval initially commenced on:
29th November, 2007
**However, because elements of service are outsourced to the tScheme-Approved service from BT then the audit cycle is synchronised to that service - i.e. May.**
and annual renewal against the current issue of these Approval Profiles was confirmed in:
June 2023
Documents supporting this grant are available by clicking on the links in the table above.
This Grant of approval is issued by:
tScheme Limited
Mulberry Grove
PO Box 3653
WOKINGHAM
RG40 9NN
United Kingdom
Company Number 4000985
Approved Service Description
The Approved service relates to the Health and Social Care Information Centre (NHS HSCIC) Root Certificate Authority for the NHS Public Key Infrastructure. The NHS PKI is controlled by HSCIC, which operates a Policy Management Authority (PMA) to define and control the service. British Telecommunications plc (NHS Service Provider) act as the operational enterprise for the NHS Root Certificate Authority, and conduct all the functional activity relating to the NHS Root Certificate Authority
The NHS Root Certificate Authority (level 0) is designed for the issuance of Digital Certificates only to level 1 Certificate Authorities operating under the NHS Root CA. HSCIC has full control over all Level 1 CAs. HSCIC, via the NHS Policy Management Authority, defines and has complete control over all important business aspects such as the Certificate Policy and registration practices etc. while BT runs the Root Certificate Authority at its secure Data Centre.
The NHS Root Certificate Authority (CA) is separate1 from every other Certification service operated and managed by BT and is run in accordance with the NHS Policy Management Authority requirements and specifications for Root CA services. The certificates produced are manufactured to the profiles specified by HSCIC and are identified as NHS certificates.
Key features of the NHS Root Certificate Authority are:
- Complete managed service;
- Operating to defined Certificate Policy and Certificate Profile;
- Dedicated Certification Authority;
- Certificates identified as NHS operated and controlled;
- Standards compliant (for example Certificates are X.509 v3 compliant);
- Secure infrastructure designed to ISO 27001 and certified by independent audit;
- Supporting technologies have undergone external evaluations against established criteria (ITSEC, Common Criteria, and FIPS etc.);
- Support of a variety of cryptographic key management methods including smart cards, tokens etc is used, and;
- Physically remote secure business continuity and contingency facilities.
The NHS Root Certificate Authority is designed to satisfy the requirements of a Central Government organisation (DoH).
1 This separation is both logical and physical.