LATEST VERSION: 1.9 - CHANGELOG
Pivotal Cloud Foundry v1.9

Providing a Certificate for Your SSL/TLS Termination Point

Page last updated:

This topic describes how to configure SSL/TLS termination for HTTP traffic in Pivotal Cloud Foundry (PCF) Elastic Runtime with an SSL certificate, as part of the process of configuring Elastic Runtime for deployment.

About SSL/TLS Termination in PCF Elastic Runtime

When you deploy PCF, you must configure the SSL/TLS termination for HTTP traffic in your Elastic Runtime configuration. You can terminate SSL/TLS at any one of the following entry points into PCF:

  • Gorouter
  • Load balancer and Gorouter
  • Load balancer
  • HAProxy

The following table summarizes SSL/TLS termination options in PCF and provides guidance on which option to choose for your deployment.

If the following applies to you: Then terminate SSL/TLS at: Related topic and configuration procedure:
  • You want the most performant and recommended option, and
  • You can use a single SAN certificate for your deployment for your wildcard domains.
Gorouter only.

Select the Forward SSL to Elastic Runtime Router in your Elastic Runtime network configuration.
Terminating SSL/TLS at the Gorouter Only
  • You cannot use a single SAN certificate for all system and application domains for your deployment, or
  • You require Extended Validation (EV) certificates.
Load balancer only.

Select the Forward unencrypted traffic to Elastic Runtime Router
Terminating SSL/TLS at the Load Balancer
  • You want a higher level of security, and
  • You do not mind a slightly less performant deployment, and
  • You can use a single SAN certificate on the Gorouter, either for all system and application domains (but with a different key than for the same certificates hosted on your load balancer) or for a single domain (but with hostname verification disabled on the load balancer).
Load balancer and Gorouter.

Select the Forward SSL to Elastic Runtime Router in your Elastic Runtime network configuration.
Terminating SSL/TLS at Gorouter and Load Balancer
  • You can use a single SAN certificate for your deployment for your wildcard domains, and
  • You are deploying a test or development environment, or
  • You do not mind a slightly less performant deployment.
HA Proxy.

Select the Forward SSL to HA Proxy.
Terminating SSL/TLS at HA Proxy

Certificate Requirements for PCF

The following list describes the certificate requirements for deploying PCF.

  • You must obtain at least one SSL/TLS certificate for your environment.
    • In a production environment, use a signed SSL/TLS certificate (trusted) from a known certificate authority (CA).
    • In a development or testing environment, you can use a trusted CA certificate or a self-signed certificate. You can generate a self-signed certificate with openssl or a similar tool, or use the Elastic Runtime Ops Manager interface to generate a certificate for you.

      Note: Certificates generated in Elastic Runtime are signed by the Ops Manager Certificate Authority. They are not technically self-signed, but they are sometimes referred to as “Self-Signed Certificates” in the Ops Manager UI and throughout this documentation.

  • Certificates used in PCF must be encoded in the PEM format.
  • When you generate a certificate, save the private key used to generate your certificate in a safe place. You must upload its contents to the Elastic Runtime networking configuration.
  • The certificate on the Gorouter must be associated with the correct hostname so that HTTPS can validate the request.
  • If wildcard certificates are not supported for some or all of your domains, then configure termination requests at the load balancer only. In this type of deployment, the load balancer passes unencrypted traffic to the Gorouter. As a result, you avoid having to reissue and reinstall certificates on the Gorouter for every app or UAA security zone.
  • Extended Validation (EV) certificates support multiple hostnames, like SAN, but do not support wildcards. For this reason, if EV certificates are required, then terminate TLS/SSL at the load balancer only for the same reason stated above. You can avoid having to reissue and reinstall certificates on the Gorouter for every app or UAA security zone.

Certificate Requirements on AWS

If you are deploying PCF on AWS, then the certificate that you configure in Elastic Runtime must match the certificate that you upload to AWS as a prerequisite to PCF deployment. For more information, see the Upload an SSL Certificate section of the Deploying the CloudFormation Template for PCF on AWS topic.

Certificate Requirements on GCP

If you are deploying PCF on GCP, then you must add your certificate to both the frontend configuration of your HTTP Load Balancer and to the Gorouter (Elastic Runtime Router). For more information, see Create Instance Groups and the HTTP(S) Load Balancer.

GCP load balancers actually forward both encrypted (WebSockets) and unencrypted (HTTP and TLS-terminated HTTPS) traffic to the Gorouter. When configuring the point-of-entry for a GCP deployment, select Forward SSL to Elastic Runtime Router in your Elastic Runtime network configuration. This point-of-entry selection accommodates this special characteristic of GCP deployments.

Creating a Wildcard Certificate for PCF Deployments

This section describes how to create or generate a certificate for your PCF Elastic Runtime environment. If you are deploying to a production environment, you should obtain a certificate from a trusted authority (CA).

For internal development or testing environments, you have two options for creating a required SSL certificates.

To create a certificate, you can use a wide variety of tools including OpenSSL, Java’s keytool, Adobe Reader, and Apple’s Keychain to generate a Certificate Signing Request (CSR).

In either case for either self-signed or trusted single certificates, apply the following rules when creating the CSR:

  • Specify your registered wildcard domain as the Common Name. For example, *.yourdomain.com.
  • If you are using a split domain setup that separates the domains for apps and system components (recommended), then enter the following values in the Subject Alternative Name of the certificate:
    • *.apps.yourdomain.com
    • *.system.yourdomain.com
    • *.login.system.yourdomain.com
    • *.uaa.system.yourdomain.com
  • If you are using a single domain setup, then use the following values as the Subject Alternative Name of the certificate:

    • *.login.system.yourdomain.com
    • *.uaa.system.yourdomain.com

    Note: SSL certificates generated for wildcard DNS records only work for a single domain name component or component fragment. For example, a certificate generated for *.EXAMPLE.com does not work for *.apps.EXAMPLE.com and *.system.EXAMPLE.com. The certificate must have both *.apps.EXAMPLE.com and *.system.EXAMPLE.com attributed to it.

Generating a RSA Certificate in Elastic Runtime

  1. Navigate to the Ops Manager Installation Dashboard.

  2. Click the Elastic Runtime tile in the Installation Dashboard.

  3. Click Networking.

  4. Click Generate RSA Certificate to populate the Router SSL Termination Certificate and Private Key fields with RSA certificate and private key information.

  5. If you are using a split domain setup that separates the domains for apps and system components (recommended), then enter the following domains for the certificate:

    • *.yourdomain.com
    • *.apps.yourdomain.com
    • *.system.yourdomain.com
    • *.login.system.yourdomain.com
    • *.uaa.system.yourdomain.com

    For example, *.example.com, *.apps.example.com, *.system.example.com, *.login.system.example.com, *.uaa.system.example.com

    Generate cert

Was this helpful?
What can we do to improve?
View the source for this page in GitHub