
HMRC SSL Certificate Questions

Updated over 3 weeks ago

Q1. Do we need the latest HMRC SSL Certificate to be installed on our server?

No.

Q2. Do we need a certificate related to the HMRC SSL Certificate to be installed on our server in order for Coins ERP+ to make a connection to HMRC?

Yes – but if you have already been submitting CIS or VAT returns successfully, you are highly likely to have at least one of the root certificates that supports HMRC's certificate installed. These are currently Amazon Root CA 1, Starfield Services Root Certificate Authority - G2 and Starfield Technologies, Inc. / Starfield Class 2 Certification Authority. (Any one of these is enough to validate a connection using HMRC’s own certificate.)

Q3. Won’t those Root Certificates expire soon?

HMRC has generally chosen to have its own site certificates issued under a CA (Certification Authority) whose certificate will last at least 10 years (the current one, as at 2023, lasts another 15 years). HMRC has changed the CA for its own certificates in the recent past, which some industry analysts attribute to its change of cloud platform, with the CA changing as part of that move. Each time, however, the change has only been to a CA whose validating root certificate has been present in the certificate trust stores of software versions going back many years (the current one, as at 2023, has a start date 8 years in the past).

Q4. What will happen if we don’t have one of the Root CA certificates that supports the HMRC certificate installed on our server in the relevant certificate store?

If you don’t have one installed then usually your connection, and therefore your CIS or VAT Return submission, will fail. It may not fail if you have installed, as trusted certificates, certificates higher up the certificate path that are not self-signed root certificates (for instance HMRC’s own new certificate), but that isn’t a standard or recommended practice.

Q5. How can we tell if we already have one of the required root CA certificates installed in the necessary place?

If your submissions are operating without issue, then it is reasonable to assume you have it.

The standard cause of a missing root CA certificate is running a very old version of the software (and therefore a very old version of the certificate store that software uses). So the standard solution is to run the COINS recommended OpenEdge version, which itself normally specifies a sufficiently up-to-date version of Java. If the issue is with VAT, upgrading what is probably an old installation of the Curl software is likely to be the solution.

However if you wish to perform a detailed check that you have the required root CA Certificate then the procedure would probably be along the following lines:

  • Identify at least one of the required root CA Certificates. The best way to do this may be by using a site such as https://www.ssllabs.com. The advantage of such sites is that they give you information about all of the possible certification paths, and thus all of the self-signed (root) certificates at the bottom of each path, at least one of which you need to have installed. You can enter the URL that is used by the submission service – for HMRC this has been for some years https://transaction-engine.tax.service.gov.uk. An alternative is to use a browser to go to the transaction-engine URL – but that will only show you the certificate validation chain down to the first self-signed certificate that your version of the browser has in its own certificate store.

  • Go to the site of the provider of the certificates – in this case it would be Amazon. Identify the certificate from the information provided by ssllabs (for instance) and then download the certificate.

  • Then install the certificate in the relevant trusted certificate store (e.g. java or curl, depending on the service on which you are encountering the issue).

  • In the unlikely event that you are operating with more than one version of Java, you can find the one ERP+ uses by going to the folder where Coins is installed and issuing the java -version command.
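One way to carry out the check described in the steps above from the command line, as an added example that is not part of this FAQ or of Coins ERP+: a Python script that loads a PEM CA bundle (the kind of file curl is pointed at) or the operating system's own trust store, and reports whether each of the three roots named in Q2 is present and when it expires. Amazon Root CA 1 is recognised by the fingerprint quoted in Q6; the Starfield roots are recognised by name. The filename check_roots.py is an assumption.

```python
import hashlib
import ssl

# Values from the FAQ: the fingerprint quoted for Amazon Root CA 1 and the names of the other two roots.
AMAZON_ROOT_CA1_SHA256 = "8ecde6884f3d87b1125ba31ac3fcb13d7016de7f57cc904fe1cb97c6ae98196e"
HMRC_ROOT_NAMES = (
    "Starfield Services Root Certificate Authority - G2",
    "Starfield Class 2 Certification Authority",
)

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate: lowercase hex, no colons."""
    return hashlib.sha256(der).hexdigest()

def describe_trust_store(ctx: ssl.SSLContext) -> list:
    """Flatten every CA certificate loaded into ctx to subject, fingerprint and expiry."""
    entries = []
    # Both calls walk the same X509 store, so the two lists line up index for index.
    for info, der in zip(ctx.get_ca_certs(), ctx.get_ca_certs(binary_form=True)):
        subject = ", ".join(f"{k}={v}" for rdn in info["subject"] for k, v in rdn)
        entries.append({"subject": subject, "sha256": fingerprint(der),
                        "not_after": info.get("notAfter", "")})
    return entries

def find_hmrc_roots(entries: list) -> dict:
    """Map each HMRC-relevant root to its store entry, or None when absent."""
    # Amazon Root CA 1 is matched on the FAQ's fingerprint; the Starfield roots,
    # whose fingerprints the FAQ does not quote, are matched on subject name.
    found = {"Amazon Root CA 1": None, **{name: None for name in HMRC_ROOT_NAMES}}
    for entry in entries:
        if entry["sha256"].lower() == AMAZON_ROOT_CA1_SHA256:
            found["Amazon Root CA 1"] = entry
        for name in HMRC_ROOT_NAMES:
            if name in entry["subject"]:
                found[name] = entry
    return found

def check_pem_bundle(path: str) -> dict:
    """Report the HMRC roots present in a PEM CA bundle, e.g. the file curl uses."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=path)
    return find_hmrc_roots(describe_trust_store(ctx))

if __name__ == "__main__":
    import sys  # usage: python check_roots.py [ca-bundle.pem]; no argument = OS trust store
    report = (check_pem_bundle(sys.argv[1]) if len(sys.argv) > 1
              else find_hmrc_roots(describe_trust_store(ssl.create_default_context())))
    for name, entry in report.items():
        print(f"{name}: " + ("MISSING" if entry is None else "present, expires " + entry["not_after"]))
```

Java's cacerts is a keystore rather than a PEM file, so for the store ERP+ uses list it with keytool -list -v -keystore <java-home>/lib/security/cacerts, or export individual entries to PEM with keytool -exportcert -rfc before feeding them to this script.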

Q6. Isn’t there supposed to be just one root certificate in a certificate chain?

A connection can be made when a chain of trust can be made going from HMRC’s own site certificate through to a root certificate that you have in your certificate trust store. As certificate trust stores are issued for different software, in different versions, it can be the case that different clients will access HMRC using a different chain of trust; it will still end up validating/signing HMRC’s own certificate but the chain of certificates will be different and can terminate in a different root certificate.

The root certificate Amazon Root CA 1 (self-signed; SHA-256 fingerprint 8ecde6884f3d87b1125ba31ac3fcb13d7016de7f57cc904fe1cb97c6ae98196e) has an expiry date of 2040, and so is the one with the latest expiry date of the three possible terminating self-signed roots in the validation chain for HMRC. The other two roots mentioned have an expiry date of 2037.
