ministryofjustice · ben-madley-mt · Dec 17, 2024 · Dec 16, 2024 · Dec 16, 2024 · Dec 16, 2024
diff --git a/docs/guides/setting-up-a-new-consumer.md b/docs/guides/setting-up-a-new-consumer.md
@@ -5,7 +5,10 @@ To enable a consumer to access our API, they need:
 - a client certificate for mutual TLS with a Subject Distinguished Name(SDN) and Common Name (CN) that matches the authorisation allow list configuration in the application
 - an API key
 
-per environment.
+per environment. This document is split into two parts:
+
+1. Generate credentials for the consumer
+2. Send the credentials to the consumer
 
 ## Prerequisites
 
@@ -17,7 +20,9 @@ As a pre-requisite to create a client certificate by running the script below, p
 - You are logged in so that you can access AWS resources via the CLI.
 - Verify that you have all your AWS credentials ready by opening the config file in the ".aws" directory.
 
-## Create a client certificate
+## 1. Generate credentials for the consumer
+
+### Create a client certificate
 
 Run the [generate-client-certificate.sh](/scripts/client_certificates/generate.sh) script with the name of the environment and client.
 
@@ -31,10 +36,9 @@ This will output three files in the ./scripts/client_certificates directory:
 - a certificate signing request (CSR) e.g. `dev-nhs-client.csr`
 - a client certificate (public key) e.g. `dev-nhs-client.pem`
 
-The private key and public key can be shared with the consumer.
-The private key must be kept secret and the public key can be shared freely.
+The private key must be kept secret and the public key can be shared freely. We share these (along with the API key created below) by encrypting them with a key generated by the consumer.
 
-## Create an API key
+### Create an API key
 
 Within the [Cloud Platform Environments GitHub repository](https://github.com/ministryofjustice/cloud-platform-environments/tree/main) and the namespace of the environment:
 
@@ -69,7 +73,7 @@ kubectl -n hmpps-integration-api-[environment] get secrets consumer-api-keys -o
 # E.g. kubectl -n hmpps-integration-api-dev get secrets consumer-api-keys -o json | jq -r '.data.bob'
 ```
 
-## Configure allowed endpoints for the consumer
+### Configure allowed endpoints for the consumer
 
 Add your client common name to the ./src/main/resources/application-[environment].yaml, listing the paths that the new client is allowed to consume.
 It is important that the name of the client matches the common name exactly.
@@ -80,7 +84,7 @@ To view the common name of the client certificate that was just generated, run:
 openssl x509 -in ./scripts/client_certificates/[environment]-[consumer]-client.pem -text |grep Subject |grep CN
 ```
 
-## Send the credentials to the consumer
+## 2. Send the credentials to the consumer
 
 Retrieve the client api key
 
@@ -120,13 +124,6 @@ tar cvfz hmpps-integration-api-preprod.tar.gz preprod/preprod-client.key preprod
 openssl enc -aes-256-cbc -pbkdf2 -iter 310000 -md sha256 -salt -in hmpps-integration-api-preprod.tar.gz -out hmpps-integration-api-preprod.tar.gz.enc -pass file:./symmetric.key
 ```
 
-…and encrypt the symmetric key using the client's supplied public key
-
-```bash
-# Encrypt with client's public key
-openssl pkeyutl -encrypt -pubin -inkey hmpps-integration-api-cred-exchange-public-key.pem -in symmetric.key -out symmetric.key.enc
-```
-
 We can now send the **encrypted** symmetric key (`symmetric.key.enc`) and **encrypted** access credentials (`hmpps-integration-api-preprod.tar.gz.enc`) to the client via email. The client may now decrypt the symmetric key using their private key and subsequently the access credentials using the symmetric key
 
 ```Bash