Custom Certificate Authorities

Page last updated:

This topic provides an overview of using custom certificate authorities (CAs) in a Pivotal Platform deployment.


To secure traffic in your Pivotal Platform deployment, you must provide a CA to issue digital certificates. This can be either a Pivotal-generated or custom CA. When you add and activate a new CA, a digital certificate is issued to BOSH Director. BOSH Director then passes the certificate to other components in your Pivotal Platform deployment.

VMware recommends you supply a CA from a trusted provider when using a production environment. While you can create your own custom CAs if necessary, a trusted CA is more secure because it has been authenticated by the trusted entities permitted to issue them.

Note: Elliptic Curve Digital Signature Algorithm (ECDSA) certificates are not supported in Pivotal Platform.

Add a Custom CA

You can add a new custom CA as part of the procedure for rotating CAs and other certificate types in Pivotal Platform. To add and activate a new custom CA in Pivotal Platform, see Rotating CAs and Leaf Certificates.