Configuring Trusted System Certificates for Applications

Page last updated:

There are two different mechanisms to provide trusted certificates to applications running on Cloud Foundry:

  1. For the cflinuxfs2 stack, the trusted certificates may be installed directly into the system trust store at /etc/ssl/certs. In the deployment manifest, set the cflinuxfs2-rootfs.trusted_certs property of the cflinuxfs2 release’s cflinuxfs2-rootfs-setup job to the concatenated values of the PEM-encoded CA certificates. For example:

    
    properties:
      cflinuxfs2-rootfs:
        trusted_certs: |
          -----BEGIN CERTIFICATE-----
          (contents of certificate #1)
          -----END CERTIFICATE-----
          -----BEGIN CERTIFICATE-----
          (contents of certificate #2)
          -----END CERTIFICATE-----
    

  2. Additionally, trusted certificates may be presented to all application instances, including those based on Docker images and those on Windows. To do so, provide the concatenated PEM-encoded CA certificates in the diego.rep.trusted_certs BOSH property (on both the Diego release’s rep and rep_windows jobs or in the global properties in the deployment manifest). The individual certificates in this property will appear as separate files in the /etc/cf-system-certificates directory. For example:

    
    properties:
      diego:
        rep:
          trusted_certs: |
            -----BEGIN CERTIFICATE-----
            (contents of certificate #1)
            -----END CERTIFICATE-----
            -----BEGIN CERTIFICATE-----
            (contents of certificate #2)
              -----END CERTIFICATE-----
    

Create a pull request or raise an issue on the source for this page in GitHub