Certificates on Pivotal Platform
This topic describes the sources and uses for certificates to secure both internal and external networking calls in Pivotal Platform.
Certificates in Pivotal Platform originate from one of the following two sources: an enterprise root certificate authority (CA) or CredHub.
An enterprise root CA is able to grant itself a certificate and create subordinate CAs. Domains require an enterprise root CA to allow clients to request certificates.
Generating certificates against a root CA is a good fit for systems that are static and do not need highly available certificate creation.
You can use CredHub as a source for certificates in Pivotal Platform. These certificates can either be self-signed or signed by an imported trusted CA. Certificates are self-signed by default.
Use CredHub for the following benefits:
- High availability
- Dynamic generation of certificates
- More secure communication between platform components, applications, and services
Pivotal recommends using CredHub for high availability and a good security posture in Pivotal Platform.
For more information, see CredHub.
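
To check which of the cases described above a given certificate falls into (self-signed, or signed by a CA you trust), the following added example classifies a PEM certificate with the `openssl` CLI. It is not part of the Pivotal documentation. The file names, subject names, and the `make_demo_certs` and `classify_cert` functions are assumptions made for the demo, and the test certificates are generated locally.

```shell
#!/usr/bin/env bash
# Added example: tell a self-signed certificate from one signed by a CA you trust.
# All file names and subject names are constructed for this demo.

# Create throwaway test material in directory $1:
#   ca.pem   - self-signed root certificate
#   leaf.pem - certificate for a made-up service, signed by ca.pem
make_demo_certs() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo.example.internal" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# classify_cert CERT [CA_BUNDLE] prints one of:
#   self-signed - subject equals issuer and the signature verifies with its own key
#   ca-signed   - the chain verifies against CA_BUNDLE
#   unverified  - neither holds (unknown issuer, wrong CA, or no CA given)
classify_cert() {
  cert=$1
  ca=${2:-}
  subject=$(openssl x509 -in "$cert" -noout -subject_hash)
  issuer=$(openssl x509 -in "$cert" -noout -issuer_hash)
  if [ "$subject" = "$issuer" ] &&
     openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1; then
    echo "self-signed"
  elif [ -n "$ca" ] && openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "ca-signed"
  else
    echo "unverified"
  fi
}

demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
echo "ca.pem:             $(classify_cert "$demo_dir/ca.pem")"
echo "leaf.pem with CA:   $(classify_cert "$demo_dir/leaf.pem" "$demo_dir/ca.pem")"
echo "leaf.pem, no CA:    $(classify_cert "$demo_dir/leaf.pem")"
rm -rf "$demo_dir"
```

A certificate checked against a different CA that happens to carry the same subject name is still reported as `unverified`, because the check relies on signature verification rather than on matching names.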