Pivotal Cloud Foundry v1.7

Providing a Certificate for your SSL Termination Point

This topic describes the procedure for providing Pivotal Cloud Foundry (PCF) Elastic Runtime with an SSL certificate, as part of the process of configuring Elastic Runtime for deployment. See Getting Started with Pivotal Cloud Foundry for help installing PCF on your IaaS of choice.

Navigate to Elastic Runtime Networking Configuration

  1. Navigate to the Pivotal Cloud Foundry Operations Manager Installation Dashboard.

  2. Click the Elastic Runtime tile in the Installation Dashboard.

  3. Select Networking.

Configure Router or HAProxy SSL Termination

Configure for a Production Deployment

  1. Under Configure the point-of-entry to this environment, choose one of the following:

    • External Load Balancer with Encryption: Select this option if your deployment uses an external load balancer that can forward encrypted traffic to the Elastic Runtime Router.
    • HAProxy: Select this option to use HAProxy as your first point of entry.
  2. Enter your PEM-encoded certificate and your PEM-encoded private key in the fields under SSL Termination Certificate and Private Key. If your deployment is on AWS, this certificate must match the one that you uploaded to AWS earlier in the Upload an SSL Certificate section of the Deploying the CloudFormation Template for PCF on AWS topic.

    Note: Certificates generated in Elastic Runtime are signed by the Operations Manager Certificate Authority. They are not technically self-signed, but they are sometimes referred to as ‘Self-Signed Certificates’ in the Ops Manager GUI and throughout this documentation.

  3. (HAProxy Only) Select Disable HTTP traffic to HAProxy if you want HAProxy to only allow HTTPS traffic.

  4. Configure SSL Ciphers. Leave these fields blank unless you want the Router or HAProxy to use a specific set of SSL ciphers; in that case, enter a colon-separated list of the custom SSL ciphers to pass to the Router or HAProxy.

Configure for a Development or Testing Deployment

  1. Under Configure the point-of-entry to this environment, choose one of the following:
    • External Load Balancer with Encryption: Select this option if your deployment uses an external load balancer that can forward encrypted traffic to the Elastic Runtime Router.
    • HAProxy: Select this option to use HAProxy as your first point of entry.
  2. Click Generate RSA Certificate for the Pivotal certificate authority to generate a certificate with the RSA certificate wizard. You may need to click Change before the Generate RSA Certificate button appears in the UI.
  3. Enter your system and app domains in wildcard format. Optionally, also add custom domains in wildcard format. You can generate a single certificate for two domains by separating them with a comma, such as *.apps.YOUR-DOMAIN.com, *.system.YOUR-DOMAIN.com. The example in the note below uses *.YOUR-DOMAIN.com.

    Note: SSL certificates generated for wildcard DNS records only work for a single domain name component or component fragment. For example, a certificate generated with *.YOUR-DOMAIN.com does not work for apps.YOUR-DOMAIN.com and system.YOUR-DOMAIN.com. The certificate must have both apps.YOUR-DOMAIN.com and system.YOUR-DOMAIN.com attributed to it.

  4. Click Generate to populate the SSL Certificate fields with RSA certificate and private key information.

  5. (HAProxy Only) Select Disable HTTP traffic to HAProxy if you want HAProxy to only allow HTTPS traffic.

  6. Configure SSL Ciphers. Leave these fields blank unless you want the Router or HAProxy to use a specific set of SSL ciphers; in that case, enter a colon-separated list of the custom SSL ciphers to pass to the Router or HAProxy.

  7. If you expect requests larger than the default maximum of 16 Kbytes, enter a new value (in bytes) for Request Max Buffer Size. You may need to do this, for example, to support apps that embed large cookie or query string values in headers.

  8. Click Save.
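The single-label wildcard rule from the note in step 3 is the usual reason a freshly generated certificate fails on app and system routes. The following added example (not part of the Pivotal documentation) checks which route hostnames a comma-separated wildcard-domain list, as typed into the Generate RSA Certificate wizard, would cover; the route hostnames and domain lists are constructed sample values.

```python
# Added example (not Pivotal's code): which route hostnames does a
# comma-separated list of wildcard domains, as entered in the Generate RSA
# Certificate wizard, actually cover? Hostnames below are constructed samples.

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if certificate name `pattern` covers `hostname`.

    A wildcard stands for exactly one DNS label (the leftmost), following the
    usual TLS hostname-matching rule: *.example.com covers a.example.com but
    not b.a.example.com, and never covers example.com itself.
    """
    pattern = pattern.strip().lower().rstrip(".")
    hostname = hostname.strip().lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Same label count, and every label after the wildcard must match exactly.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def covered_hosts(domain_field: str, hostnames):
    """Map each hostname to whether any entry in the wizard's domain field covers it."""
    patterns = [d for d in domain_field.split(",") if d.strip()]
    return {h: any(wildcard_matches(p, h) for p in patterns) for h in hostnames}


# Constructed routes a deployment serves under its apps and system domains.
ROUTES = [
    "myapp.apps.YOUR-DOMAIN.com",    # an application route
    "api.system.YOUR-DOMAIN.com",    # Cloud Controller API
    "login.system.YOUR-DOMAIN.com",  # UAA login endpoint
]

if __name__ == "__main__":
    # A single *.YOUR-DOMAIN.com wildcard, as in the topic's example, leaves every route uncovered.
    print(covered_hosts("*.YOUR-DOMAIN.com", ROUTES))
    # Listing both wildcards, separated by a comma, covers all of them.
    print(covered_hosts("*.apps.YOUR-DOMAIN.com, *.system.YOUR-DOMAIN.com", ROUTES))
```

Run it before pasting a domain list into the wizard to confirm every route you expect to serve is covered.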
