Configuring Trusted System Certificates for Applications

The following mechanisms exist to provide trusted certificates to applications running on Cloud Foundry:

  • For the cflinuxfs3 or cflinuxfs2 stack, you can install the trusted certificates directly into the system trust store at /etc/ssl/certs. In the deployment manifest, set the cflinuxfs3-rootfs.trusted_certs or cflinuxfs2-rootfs.trusted_certs property of the stack release’s cflinuxfs3-rootfs-setup or cflinuxfs2-rootfs-setup job to the concatenated values of the PEM-encoded CA certificates.

    For example:

    properties:
      cflinuxfs3-rootfs:
        trusted_certs: |
          -----BEGIN CERTIFICATE-----
          (contents of certificate #1)
          -----END CERTIFICATE-----
          -----BEGIN CERTIFICATE-----
          (contents of certificate #2)
          -----END CERTIFICATE-----
    

  • You can also present trusted certificates to all application instances, including those based on Docker images and those on Windows.

    To do so, provide the concatenated PEM-encoded CA certificates in the containers.trusted_ca_certificates BOSH properties on rep and rep_windows jobs for the Diego release. This property accepts a list of string values, and each string may contain one or more PEM-encoded X.509 certificates.

    The individual certificates in this property appear as separate files in the /etc/cf-system-certificates directory in Linux containers, and in the %USERPROFILE%/etc/cf-system-certificates directory in Windows 2012 containers.

    For example:

    properties:
      containers:
        trusted_ca_certificates:
          - |
            -----BEGIN CERTIFICATE-----
            (contents of certificate #1)
            -----END CERTIFICATE-----
          - |
            -----BEGIN CERTIFICATE-----
            (contents of certificate #2)
            -----END CERTIFICATE-----
            -----BEGIN CERTIFICATE-----
            (contents of certificate #3)
            -----END CERTIFICATE-----
    

Create a pull request or raise an issue on the source for this page in GitHub