Certificate Types

This topic describes the types of certificates used in Pivotal Cloud Foundry (PCF) that require planned rotation.


PCF uses a root Certificate Authority (CA) and various leaf certificates. Root CAs are self-signed certificates that issue leaf certificates. Root CAs can be generated by Pivotal or custom.

Leaf certificates are signed by a CA and are used to identify resources in PCF. Both root CAs and leaf certificates require planned rotation in PCF.

Certificate Types

The following types of PCF certificates require planned rotation:

  • Ops Manager Root CA: The Ops Manager root CA issues other certificates that PCF uses. The root CA can be a Pivotal-generated CA or your own custom CA. For more information about viewing the root CAs for Ops Manager, see Listing the Root Certificate Authorities.

  • Non-configurable Certificates: Non-configurable certificates are leaf certificates either created by a CA stored in Ops Manager, or created and stored by CredHub and managed by Ops Manager calls to the CredHub API. Non-configurable certificates are issued directly by the Ops Manager root CA, or by intermediate CAs in a chain of trust originated by the root CA. Non-configurable certificates expire after two years. For more information about about viewing non-configurable leaf certificates, see Getting Information About Certificates for Products. For more information about generating non-configurable leaf certificates, see Generating New Certificates.

  • Configurable Certificates: Configurable certificates are leaf certificates supplied by the user and pasted into configuration fields in Ops Manager. Some configuration panes include a Generate RSA Certificate button that supplies valid certificates, but users can obtain configurable certificates from elsewhere. Configurable certificates generated by Ops Manager typically expire after two years. For more information about viewing configurable leaf certificates, see Getting Information About Certificates for Products.

  • Non-rotatable Certificates: Non-rotatable certificates are leaf certificates that, like non-configurable certificates, are issued by the root CA. Unlike non-configurable certificates, non-rotatable certificates cannot be rotated by the Ops Manager API. For more information about viewing non-rotatable leaf certificates, see Getting Information About Certificates for Products.

In addition to the types of certificates listed above, some Pivotal products issue their own tile certificates that are not managed by or visible to the Ops Manager API. These tile certificates do not require planned rotation because they rotate automatically with product upgrades.

Pivotal Application Service (PAS) and Pivotal Container Service (PKS) both use tile certificates in addition to their Ops Manager certificates.

Create a pull request or raise an issue on the source for this page in GitHub