Providing a Certificate for Your TLS Termination Point
Page last updated:
This topic describes how to configure Transport Layer Security (TLS) termination for HTTP traffic in Pivotal Application Service (PAS) with a TLS certificate, as part of the process of configuring PAS for deployment.
Configure TLS Termination
When you deploy Pivotal Platform, you must configure the TLS termination for HTTP traffic in your PAS configuration. You can terminate TLS at all of these points:
- Load balancer
- Load balancer and the Gorouter
- The Gorouter
To choose and configure the TLS termination option for your deployment, see TLS Termination Options for HTTP Routing in Securing Traffic into PAS.
Note: If you are using HAProxy in a PAS deployment, you can choose to terminate SSL/TLS at HAProxy in addition to any of the SSL/TLS termination options above. For more information, see Configuring SSL/TLS Termination at HAProxy.
Obtain TLS Certificates
To secure traffic into Pivotal Platform, you must obtain at least one TLS certificate. For general certificate requirements for deploying Pivotal Platform, see Certificate Requirements in Securing Traffic into PAS.
For additional IaaS-specific certificate requirements:
Create a Wildcard Certificate for Pivotal Platform Deployments
This section describes how to create or generate a certificate for your PAS environment. If you are deploying to a production environment, you should obtain a certificate from a trusted Certificate Authority (CA).
For internal development or testing environments, you have two options for creating a required TLS certificates:
- You can create a self-signed certificate, or
- You can have PAS generate the certificate for you.
To create a certificate, you can use a wide variety of tools including OpenSSL, Java’s keytool, Adobe Reader, and Apple’s Keychain to generate a Certificate Signing Request (CSR).
In either case for either self-signed or trusted single certificates, apply these rules when creating the CSR:
Specify your registered wildcard domain as the
Common Name
, whereDOMAIN
is your registered wildcard domain. For example,*.DOMAIN.com
.Pivotal recommends using a split domain configuration that separates the domains for
apps
andsys
components. To use a split domain configuration, enter these values in theSubject Alternative Name
of the certificate, whereDOMAIN
is your registered wildcard domain:*.apps.DOMAIN.com
*.sys.DOMAIN.com
*.login.sys.DOMAIN.com
*.uaa.sys.DOMAIN.com
If you are using a single domain configuration, use these values as the
Subject Alternative Name
of the certificate, whereDOMAIN
is your registered wildcard domain:*.login.sys.DOMAIN.com
*.uaa.sys.DOMAIN.com
Note: TLS certificates generated for wildcard DNS records only work for a single domain name component or component fragment. For example, a certificate generated for
*.DOMAIN.com
does not work for*.apps.DOMAIN.com
and*.sys.DOMAIN.com
. The certificate must have both*.apps.DOMAIN.com
and*.sys.DOMAIN.com
attributed to it.
Generate an RSA Certificate in PAS
To generate an RSA certificate in PAS:
Navigate to the Pivotal Operations Manager Installation Dashboard.
Click the PAS tile.
Select Networking.
Under Certificate and private keys for the Gorouter and HAProxy:
- Under Certificate and private key, click Change.
- Click Generate RSA Certificate to populate the Certificate and private key fields with RSA certificate and private key information.
Pivotal recommends using a split domain configuration that separates the domains for
apps
andsys
components. To use a split domain configuration, enter these following domains for the certificate, whereDOMAIN
is your registered wildcard domain:*.DOMAIN.com
*.apps.DOMAIN.com
*.sys.DOMAIN.com
*.login.sys.DOMAIN.com
*.uaa.sys.DOMAIN.com