Certificates on PCF

This topic describes the sources and uses for certificates to secure both internal and external networking calls in Pivotal Cloud Foundry (PCF).

Certificate Sources

Certificates in PCF originate from two of the following sources:

Enterprise Root CA

An enterprise root CA is able to grant itself a certificate and create subordinate CAs. Domains require an enterprise root CA to allow clients to request certificates.

Generating certificates against a root CA is a good implementation for systems that are static and do not need highly available certificate creation.


You can use CredHub as a source for certificates in PCF. These certificates can either be self-signed or signed by an imported trusted CA. Certificates are self-signed by default.

Use CredHub for the following benefits:

  • High availability
  • Dynamic generation of certificates
  • More secure communication between platform components, applications, and services

Pivotal recommends using Credhub for high availability and good security posture in PCF.

For more information, see CredHub.

Create a pull request or raise an issue on the source for this page in GitHub