Configuring Trusted System Certificates for Applications

The following mechanisms exist to provide trusted certificates to applications running on Cloud Foundry:

  • For the cflinuxfs2 stack, you can install the trusted certificates directly into the system trust store at /etc/ssl/certs. In the deployment manifest, set the cflinuxfs2-rootfs.trusted_certs property of the cflinuxfs2 release’s cflinuxfs2-rootfs-setup job to the concatenated values of the PEM-encoded CA certificates.

    For example:

    properties:
    cflinuxfs2-rootfs:
    trusted_certs: |
      -----BEGIN CERTIFICATE-----
      (contents of certificate #1)
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      (contents of certificate #2)
      -----END CERTIFICATE-----
    

  • You can also present trusted certificates to all application instances, including those based on Docker images and those on Windows.

    To do so, provide the concatenated PEM-encoded CA certificates in the diego.rep.trusted_certs BOSH propert on rep and rep_windows jobs for the Diego release, or in the global properties section of the deployment manifest.

    The individual certificates in this property appear as separate files in the /etc/cf-system-certificates directory.

    For example:

    properties:
    diego:
    rep:
      trusted_certs: |
        -----BEGIN CERTIFICATE-----
        (contents of certificate #1)
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        (contents of certificate #2)
        -----END CERTIFICATE-----
    

Create a pull request or raise an issue on the source for this page in GitHub