SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES

Page last updated:

PCF Compliance

PCF PAS is compliant with all the technical controls stated or implied in this requirement.

For all but one function, PCF allows the deployer to supply enterprise-issued or enterprise-provisioned certificates. For the specific case of the “non-configurable” Ops Manager certificates, the deployer may not use their own CA but may rotate the internally generated certificates via an API.

For more information on Ops Manager certificate rotation see: https://docs.pivotal.io/pivotalcf/security/pcf-infrastructure/api-cert-rotation.html

For more information on configuring certificates for TLS termination at the CF router see: https://docs.pivotal.io/pivotalcf/customizing/config-er-vmware.html#networking

Certificates used by the IPsec BOSH Add-on are supplied by the deployer. For more information on IPsec certificate management see: https://docs.pivotal.io/addon-ipsec/credentials.html

Beginning with release version 2.0, PCF uses CredHub to manage all platform credentials. For more information on CredHub see:


Control Description

The organization issues public key certificates under an [Assignment: organization-defined certificate policy] or obtains public key certificates from an approved service provider.

Supplemental Guidance

For all certificates, organizations manage information system trust stores to ensure only approved trust anchors are in the trust stores. This control addresses both certificates with visibility external to organizational information systems and certificates related to the internal operations of systems, for example, application-specific time services.