Certificates on Pivotal Platform

This topic describes the sources and uses for certificates to secure both internal and external networking calls in Pivotal Platform.

Certificate Sources

Certificates in Pivotal Platform originate from two of the following sources:

Enterprise Root CA

An enterprise root CA is able to grant itself a certificate and create subordinate CAs. Domains require an enterprise root CA to allow clients to request certificates.

Generating certificates against a root CA is a good implementation for systems that are static and do not need highly available certificate creation.


You can use CredHub as a source for certificates in Pivotal Platform. These certificates can either be self-signed or signed by an imported trusted CA. Certificates are self-signed by default.

Use CredHub for the following benefits:

  • High availability
  • Dynamic generation of certificates
  • More secure communication between platform components, applications, and services

Pivotal recommends using Credhub for high availability and good security posture in Pivotal Platform.

For more information, see CredHub.