CredHub Credential Types

Page last updated:

Warning: Pivotal Cloud Foundry (PCF) v2.4 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.

This topic describes the different credential types supported by CredHub.

CredHub supports different types of credentials to simplify generating and managing multi-part credentials. For example, a TLS certificate contains three parts: the root certificate authority (CA), the certificate, and the private key. CredHub supports all three parts, which helps keep connection requests from being rejected erroneously.

CredHub supports the following credential types:

Type Description
value A single string value for arbitrary configurations and other non-generated or validated strings.
json An arbitrary JSON object for static configurations with many values.
user Three string values for username, password, and password hash.
password A single string value for passwords and other random string credentials. Values for this type can be automatically generated.
certificate An object containing a root CA, certificate, and private key. Use this type for key pair applications that utilize a certificate, such as TLS connections. Values for this type can be automatically generated.
rsa An object containing an RSA public key and private key without a certificate. Values for this type can be automatically generated.
ssh An object containing an SSH-formatted public key and private key. Values for this type can be automatically generated.

Each credential type supports distinct parameters for customizing how credentials are generated. These include minimum password lengths, required characters, and certificate fields. For more information, see the Generate Credentials section of the CredHub API documentation.

For every credential type, secret values are encrypted before storage. For instance, the private key of a certificate-type credential and the password of a user-type credential are encrypted before storage. For JSON and Value type credentials, the full contents are encrypted before storage.