Custom Certificate Authorities
Page last updated:
This topic provides an overview of using custom certificate authorities (CAs) in a Pivotal Platform deployment.
To secure traffic in your Pivotal Platform deployment, you must provide a CA to issue digital certificates. This can be either a Pivotal-generated or custom CA. When you add and activate a new CA, a digital certificate is issued to BOSH Director. BOSH Director then passes the certificate to other components in your Pivotal Platform deployment.
Pivotal recommends you supply a CA from a trusted provider when using a production environment. While you can create your own custom CAs if necessary, a trusted CA is more secure because it has been authenticated by the trusted entities permitted to issue them.
Note: Elliptic Curve Digital Signature Algorithm (ECDSA) certificates are not supported in Pivotal Platform.
You can add a new custom CA as part of the procedure for rotating CAs and other certificate types in Pivotal Platform. To add and activate a new custom CA in Pivotal Platform, see Rotate Root and Leaf Certificates in Rotating Certificates.