Using Instance Identity credentials

Page last updated:

The Instance Identity system provides each app instance with a unique PEM-encoded X.509 certificate and PKCS#1 RSA private keypair that encodes its identity in the Cloud Foundry deployment.

The environment variable CF_INSTANCE_CERT contains the absolute path to the certificate. The environment variable CF_INSTANCE_KEY contains the absolute path to the key file. The provided certificate has the following properties:

• The Common Name property is set to the instance GUID for the given app instance.
• The certificate contains an IP SAN set to the container IP address for the given app instance.
• The certificate contains a DNS SAN set to the instance GUID for the given app instance.
• The Organizational Unit property in the certificate’s Subject Distinguished Name contains the values organization:ORG-GUID, space:SPACE-GUID, and app:APP-GUID. The ORG-GUID, SPACE-GUID, and APP-GUID are set to the GUIDs for the organization, space, and app as assigned by Cloud Controller.

By default, the certificate is valid for 24 hours after the container is created. The Cloud Foundry platform operator can decrease this duration to as little as 1 hour by setting the diego.executor.instance_identity_validity_period_in_hours BOSH property.

The Diego Cell rep supplies a new certificate and private keypair to the app instance before the end of the validity period. The new pair of files replaces the existing pair at the same path locations, with each file replaced atomically.

• If the validity period exceeds 4 hours, the pair regenerates between 1 hour and 20 minutes before the end of the validity period.
• If the validity period is less than or equal to 4 hours, the pair regenerates between ¼ and 1/12 of the time to the end of the period.

For more information about enabling and configuring the Instance Identity system in Cloud Foundry, see Enabling Instance Identity.