TLS Certificate Management

A valid AEMO-signed TLS certificate (AEMO: Australian Energy Market Operator) is required to connect to AEMO’s network and communicate with its MTLS-authenticated (mutual TLS) systems.

TLS certificates are used by most Market Participants to connect to AEMO market systems, in particular the eHub APIs and GHUB FRC (Full Retail Contestability). Participants cannot use these systems, and therefore cannot participate in the market, without a valid TLS certificate.

Goal

AEMO provides two ways for Market Participants to self-manage the issuing and replacement of their AEMO-signed TLS certificates: the TLS Certificate Management API and the TLS Certificate Management application in the Markets Portal.

Participants can use either the API or the application to fully manage their own certificates, including requesting, checking, renewing, revoking and updating them.

High-level changes

Function                                  Description                                                         Reference
APIs                                      Detailed specifications and context for API development             APIs
TLS Certificate Management web interface  Application in the Markets Portal to self-manage TLS Certificates   TBC

TLS Certificate Management access

To use the TLS Certificate Management API, you need the following:

To use the TLS Certificate Management application, you need the following:

To use TLS certificates to connect to AEMO systems, you need:

  • A valid AEMO-signed TLS certificate installed on your network or system to establish a TLS connection with AEMO.
  • AEMO’s certificate authority chain (the server, root and CA certificates) must be trusted by your systems (for example, added to your trusted certificate authority stores and/or security policies) so that your systems trust communication from AEMO.

Environment Details

Pre-production

TLS Certificates created in the pre-production environment contain the "MOCK" suffix in the commonName and are mock certificates only. These certificates automatically expire after 10 days and cannot be used for accessing any AEMO systems.

Production

TLS Certificates created in the production environment contain either the "Prod" or "NonProd" suffix in the commonName, depending on the environment entered in the request. These certificates automatically expire after 3 years and are used for accessing MTLS-protected AEMO systems (both pre-production and production systems).

Non-prod certificates can only be used for accessing AEMO non-production systems (for example APIs on https://partner.api.preprod.aemo.com.au, https://apis.preprod.aemo.com.au:9319, or https://apis.preprod.marketnet.net.au:9319). You need to use a non-prod certificate to access AEMO non-production environments that are MTLS protected. The non-prod certificate is issued by the certificate authority AEMO-ICA-TEST G1.

Prod certificates can only be used for accessing AEMO production systems (for example APIs on https://partner.api.aemo.com.au, https://apis.aemo.com.au:9319, or https://apis.marketnet.net.au:9319). You need to use the prod certificate to access AEMO production (live) environments that are MTLS protected. The prod certificate is issued by the certificate authority AEMO-ICA-MARKET G1.

TLS Certificate Management interface

The TLS Certificate Management screen is accessed from the AEMO Markets Portal.

TLS Certificates are associated with an order. The screen displays all orders and associated TLS certificates for a Participant ID (a registered participant identifier; a company can have more than one Participant ID).

Certificate orders are categorised as Current orders (issued orders) and Obsolete orders (revoked orders and expired orders).

The colour code next to the order name indicates the primary certificate status:

  • Green indicates the certificate is valid.

  • Orange indicates the primary certificate expires in less than 90 days.

  • Red indicates the certificate has expired.

  • Grey indicates the certificate has been revoked.

Clicking the accordion next to the order name displays the TLS certificates associated with the order, with each certificate’s common name, serial number, status and expiry date. The primary certificate is marked with a primary label.

The interface allows you to perform the following functions:

  • Obtain a new certificate - Clicking Create Certificate in the upper right of the screen opens the Create Order screen. You provide the CSR (Certificate Signing Request: a block of encoded text given to a Certificate Authority when applying for a certificate; it contains the public key to include in the certificate, and the matching private key is usually generated at the same time, making a key pair) and select either Production or Pre-production (AEMO’s test system available to participants) to create the certificate for the selected environment.
  • Each Participant is limited to two valid or issued certificate orders. The button is disabled when there are two issued orders for the participant. Each participant should have one production certificate order and one non-production certificate order. If you create two orders for the same environment, you can contact Support Hub to request more orders for a different environment.

  • Reissue a certificate - A TLS certificate reissue replaces your existing certificate with a new certificate, or duplicates it (to increase security and make it easier to install the certificate on multiple servers). The old certificate can remain current, and the original expiry date does not change.
  • Renew a certificate - TLS certificate renewal replaces your existing soon-to-expire certificate with a new certificate, and the expiry date is renewed for another 3 years. A TLS certificate can only be renewed if it is within 90 days of its expiry date, which is indicated by an orange colour in the interface. The old certificate remains current until its expiry date is reached.
  • Revoke a certificate - You can revoke your existing TLS certificate if it’s no longer required or when the certificate’s private key has been compromised. Once revoked, it cannot be used to access AEMO systems.
  • Download an existing certificate - You can download the certificate in PEM, Apache, PKCS7 or CER format.
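The following shell script is an added example and is not AEMO’s code or tooling. It walks the participant-side steps this page describes: generating a key pair and CSR to submit on the Create Order screen, then inspecting the issued PEM the way the accordion row does (commonName suffix to environment, issuer CN, green/orange/red status using the 90-day threshold) and checking that it chains to the CA certificate you installed in your trust store. It assumes openssl(1) is on PATH, uses RSA-2048 keys (the page does not state AEMO’s key requirements), and all names ("ExampleCo", file paths) are placeholders. The "stand-in CA" is a throwaway local CA that merely imitates the issuer name from this page so the script runs offline; it is not AEMO’s CA, and real certificates come only from AEMO’s CAs named above.

```shell
#!/bin/sh
# Added example, not AEMO's code. Generate a CSR, inspect an issued certificate as the
# Portal does, and verify the chain against an installed CA. All names are placeholders.

x509_cn() {             # $1 = subject|issuer, $2 = PEM file -> commonName of that field
  openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 \
    | sed 's/^[a-z]*= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

cert_env() {            # environment implied by the commonName suffix (page: MOCK / NonProd / Prod)
  case "$(x509_cn subject "$1")" in
    *MOCK)    echo mock ;;
    *NonProd) echo non-production ;;   # must come before *Prod, which "NonProd" also matches
    *Prod)    echo production ;;
    *)        echo unknown ;;
  esac
}

expected_issuer() {     # issuing CA the page names per environment ($1 = cert_env output)
  case "$1" in
    non-production) echo "AEMO-ICA-TEST G1" ;;
    production)     echo "AEMO-ICA-MARKET G1" ;;
    *)              echo "" ;;           # the page names no issuer for MOCK certificates
  esac
}

cert_issuer_ok() {      # true only when the issuer CN is the CA the page names for this environment
  exp=$(expected_issuer "$(cert_env "$1")")
  [ -n "$exp" ] && [ "$(x509_cn issuer "$1")" = "$exp" ]
}

cert_status() {         # Portal colour code; revocation (grey) is not visible in the PEM itself
  if   ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then echo red
  elif ! openssl x509 -in "$1" -noout -checkend $((90*24*3600)) >/dev/null 2>&1; then echo orange
  else echo green
  fi
}

cert_chains_to() {      # $1 = CA PEM installed as trust anchor, $2 = leaf PEM
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

write_req_config() {    # $1 = path: minimal openssl.cnf so the example does not depend on the system one
  printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' '[ca_ext]' \
    'basicConstraints = critical,CA:TRUE' 'keyUsage = critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier = hash' > "$1"
}

make_key_and_csr() {    # $1 = config, $2 = output prefix, $3 = commonName to submit to Create Certificate
  openssl req -config "$1" -new -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
    -subj "/O=ExampleCo/CN=$3" >/dev/null 2>&1 &&
  openssl req -config "$1" -in "$2.csr" -noout -verify >/dev/null 2>&1   # CSR self-signature check
}

make_standin_ca() {     # $1 = config, $2 = output prefix, $3 = CA commonName (local imitation only)
  openssl req -config "$1" -extensions ca_ext -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$2.key" -out "$2.pem" -subj "/O=Local stand-in/CN=$3" >/dev/null 2>&1
}

sign_csr() {            # $1 = CA prefix, $2 = CSR, $3 = output PEM, $4 = validity in days
  openssl x509 -req -in "$2" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -days "$4" -out "$3" >/dev/null 2>&1
}

build_samples() {       # $1 = work dir: constructed samples, one 3-year NonProd and one 10-day MOCK
  mkdir -p "$1" && write_req_config "$1/req.cnf" &&
  make_key_and_csr "$1/req.cnf" "$1/nonprod" "ExampleCo NonProd" &&
  make_standin_ca "$1/req.cnf" "$1/ca-test" "AEMO-ICA-TEST G1" &&
  sign_csr "$1/ca-test" "$1/nonprod.csr" "$1/nonprod.pem" 1095 &&
  openssl req -config "$1/req.cnf" -x509 -newkey rsa:2048 -nodes -days 10 -keyout "$1/mock.key" \
    -out "$1/mock.pem" -subj "/O=ExampleCo/CN=ExampleCo MOCK" >/dev/null 2>&1  # self-signed MOCK stand-in
}

report() {              # $1 = PEM: one line resembling the Portal's accordion row
  printf '%s: env=%s status=%s issuer="%s" issuer_ok=%s serial=%s\n' "$1" "$(cert_env "$1")" \
    "$(cert_status "$1")" "$(x509_cn issuer "$1")" "$(cert_issuer_ok "$1" && echo yes || echo no)" \
    "$(openssl x509 -in "$1" -noout -serial | sed 's/^serial=//')"
}

work=$(mktemp -d) && build_samples "$work" && report "$work/nonprod.pem" && report "$work/mock.pem"
rm -rf "$work"
```

For a real certificate downloaded from the Portal, run report on the PEM and cert_chains_to with AEMO’s CA bundle in place of the stand-in; an issuer_ok of "no" on a Prod or NonProd certificate means you are about to present it to the wrong environment.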

Subscribe to expiry notifications

To ensure you stay connected to MTLS-authenticated AEMO systems, you must renew your expiring TLS certificates and replace the old TLS certificate on your systems with the renewed TLS certificate. The timely replacement of your expiring TLS certificates is critical to ensure you do not become disconnected from the market.

To be reminded about soon-to-expire Certificates, you can subscribe to TLS Certificate expiry notifications in the Market Direct interface. To subscribe:

  1. In the Markets Portal, navigate to EMMS > Market Info > Market Direct > Subscriptions.
  2. Select the category Notifications and warnings and the contact to be notified.
  3. Under the Type TLS certificate notifications, select the notification types.
  4. Click Submit.

Notifications are sent to all subscribed users for a Participant’s TLS certificates at 90, 60, 30 and 7 days before expiry and on the day of expiry. Notifications are only sent for issued certificates, not for revoked or expired certificates.