Certificates on PCF
This topic describes the sources and uses for certificates to secure both internal and external networking calls in Pivotal Cloud Foundry (PCF).
Certificates in PCF originate from one of two sources: an enterprise root CA or CredHub.
An enterprise root CA can issue its own certificate and create subordinate CAs. Domains require an enterprise root CA to allow clients to request certificates.
Generating certificates against a root CA is a good fit for systems that are static and do not need highly available certificate creation.
You can use CredHub as a source for certificates in PCF. These certificates can either be self-signed or signed by an imported trusted CA. Certificates are self-signed by default.
Use CredHub for the following benefits:
- High availability
- Dynamic generation of certificates
- More secure communication between platform components, applications, and services
Pivotal recommends using CredHub for high availability and good security posture in PCF.
For more information, see CredHub.
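The difference between a self-signed certificate and one signed by a trusted CA decides whether clients that trust only the enterprise root will accept it. The following is an added example, not taken from the PCF documentation, that classifies a PEM certificate with the `openssl` CLI. The function names, file names and subject names are constructed for illustration, and the sample CA and certificates are generated locally rather than exported from CredHub.

```shell
#!/usr/bin/env bash
# Added example: tell a CA-signed certificate from a self-signed one.
# All keys, certificates and names below are constructed samples.

# classify_cert <cert.pem> <trusted-root.pem>
# Prints: signed-by-trusted-ca | self-signed | untrusted
# Note: openssl verify may also consult the system default CA directory;
# the constructed samples here do not chain to anything in it.
classify_cert() {
  local cert=$1 root=$2
  if openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1; then
    echo "signed-by-trusted-ca"      # chains to the given root
  elif openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1; then
    echo "self-signed"               # only validates against itself
  else
    echo "untrusted"                 # issued by some other CA
  fi
}

# make_samples <dir>: build a sample root CA, a leaf it signs,
# and an unrelated self-signed certificate.
make_samples() {
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Enterprise Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=app.example.internal" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -days 1 \
    -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -out "$d/leaf.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=selfsigned.example.internal" \
    -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
}

SAMPLE_DIR=$(mktemp -d)
make_samples "$SAMPLE_DIR"
for c in leaf self; do
  printf '%s: %s\n' "$c.pem" \
    "$(classify_cert "$SAMPLE_DIR/$c.pem" "$SAMPLE_DIR/root.pem")"
done
```

To check a real certificate, pass its PEM file and the enterprise root CA's PEM file to `classify_cert` in place of the generated samples.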