Providing a Certificate for Your SSL/TLS Termination Point

This topic describes how to configure SSL/TLS termination for HTTP traffic in Pivotal Cloud Foundry (PCF) Elastic Runtime with an SSL certificate, as part of the process of configuring Elastic Runtime for deployment.

About SSL/TLS Termination in PCF Elastic Runtime

When you deploy PCF, you must configure the SSL/TLS termination for HTTP traffic in your Elastic Runtime configuration. You can terminate SSL/TLS at all of the following points:

  • Load balancer
  • Load balancer and Gorouter
  • Gorouter

For guidance on which SSL/TLS termination option to choose for your deployment, see Securing Traffic into Cloud Foundry.

Note: If you are using HAProxy in a PCF deployment, you can choose to terminate SSL/TLS at HAProxy in addition to any of the SSL/TLS termination options above. For more information, see Configuring SSL/TLS Termination at HAProxy.

Certificate Requirements for PCF

The following sections describe the IaaS-specific certificate requirements for deploying PCF.

Certificate Requirements on AWS

If you are deploying PCF on AWS, then the certificate that you configure in Elastic Runtime must match the certificate that you upload to AWS as a prerequisite to PCF deployment.

Certificate Requirements on GCP

If you are deploying PCF on GCP, then you must add your certificate to both the frontend configuration of your HTTP Load Balancer and to the Gorouter (Elastic Runtime Router). For more information, see Create Instance Groups and the HTTP(S) Load Balancer.

GCP load balancers forward both encrypted traffic (WebSockets) and unencrypted traffic (HTTP and TLS-terminated HTTPS) to the Gorouter. When configuring the point-of-entry for a GCP deployment, select Forward SSL to Elastic Runtime Router in your Elastic Runtime network configuration. This point-of-entry selection accommodates this characteristic of GCP deployments.

Creating a Wildcard Certificate for PCF Deployments

This section describes how to create or generate a certificate for your PCF Elastic Runtime environment. If you are deploying to a production environment, you should obtain a certificate from a trusted authority (CA).

For internal development or testing environments, you have two options for creating the required SSL certificate: a self-signed certificate or a certificate issued by a trusted CA.

To create a certificate, you can use a wide variety of tools including OpenSSL, Java’s keytool, Adobe Reader, and Apple’s Keychain to generate a Certificate Signing Request (CSR).

For either a self-signed or a CA-signed single certificate, apply the following rules when creating the CSR:

  • Specify your registered wildcard domain as the Common Name. For example, *.yourdomain.com.
  • If you are using a split domain setup that separates the domains for apps and system components (recommended), then enter the following values in the Subject Alternative Name of the certificate:
    • *.apps.yourdomain.com
    • *.system.yourdomain.com
    • *.login.system.yourdomain.com
    • *.uaa.system.yourdomain.com
  • If you are using a single domain setup, then use the following values as the Subject Alternative Name of the certificate:

    • *.login.system.yourdomain.com
    • *.uaa.system.yourdomain.com

    Note: SSL certificates generated for wildcard DNS records only work for a single domain name component or component fragment. For example, a certificate generated for *.EXAMPLE.com does not work for *.apps.EXAMPLE.com and *.system.EXAMPLE.com. The certificate must have both *.apps.EXAMPLE.com and *.system.EXAMPLE.com attributed to it.
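As an added example (not part of the PCF documentation), the following POSIX shell script builds the OpenSSL request configuration that encodes the split-domain rules above, issues a self-signed development certificate from it, and checks that every required SAN is present; example.com is an assumed placeholder for your registered domain.

```shell
# Added example, not PCF's own code: OpenSSL config for a PCF wildcard cert with
# split-domain SANs, plus a check that an issued cert covers them. example.com is a placeholder.
set -eu
# Print an OpenSSL req config whose CN and SAN list match the split-domain rules.
pcf_csr_config() {
  domain="$1"
  cat <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = *.${domain}
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.${domain}
DNS.2 = *.apps.${domain}
DNS.3 = *.system.${domain}
DNS.4 = *.login.system.${domain}
DNS.5 = *.uaa.system.${domain}
EOF
}
# Succeed only if every required split-domain name for $1 is among the DNS names read from
# stdin (one per line). A wildcard covers one label only, so *.example.com != *.apps.example.com.
sans_cover_domain() {
  domain="$1"; names="$(cat)"
  for required in "*.${domain}" "*.apps.${domain}" "*.system.${domain}" \
                  "*.login.system.${domain}" "*.uaa.system.${domain}"; do
    printf '%s\n' "$names" | grep -qxF "$required" || return 1
  done
}
# List the DNS SANs of a PEM certificate, one per line.
cert_dns_names() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
    | tail -n 1 | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*[^[:space:]]\).*$/\1/p'
}
# Self-signed development certificate (not for production); skipped if openssl is absent.
if command -v openssl >/dev/null 2>&1; then
  work=$(mktemp -d); pcf_csr_config example.com > "$work/req.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$work/req.cnf" \
    -extensions v3_req -keyout "$work/dev.key" -out "$work/dev.crt" 2>/dev/null
  if cert_dns_names "$work/dev.crt" | sans_cover_domain example.com; then
    echo "$work/dev.crt covers all split-domain SANs"
  else
    echo "$work/dev.crt is missing a required SAN" >&2; exit 1
  fi
fi
```

For a CA-signed certificate, use the same config with `openssl req -new` (no `-x509`) to produce the CSR you submit to the CA, then run `cert_dns_names` on the issued certificate before uploading it.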

Generating an RSA Certificate in Elastic Runtime

  1. Navigate to the Ops Manager Installation Dashboard.

  2. Click the Elastic Runtime tile in the Installation Dashboard.

  3. Click Networking.

  4. Click Generate RSA Certificate to populate the Certificate and Private Key for HAProxy and Router fields with RSA certificate and private key information.

  5. If you are using a split domain setup that separates the domains for apps and system components (recommended), then enter the following domains for the certificate:

    • *.yourdomain.com
    • *.apps.yourdomain.com
    • *.system.yourdomain.com
    • *.login.system.yourdomain.com
    • *.uaa.system.yourdomain.com

    For example, *.example.com, *.apps.example.com, *.system.example.com, *.login.system.example.com, *.uaa.system.example.com
