Providing a Certificate for Your TLS Termination Point

Page last updated:

This topic describes how to configure Transport Layer Security (TLS) termination for HTTP traffic in Pivotal Application Service (PAS) with a TLS certificate, as part of the process of configuring PAS for deployment.

Configure TLS Termination

When you deploy Pivotal Platform, you must configure the TLS termination for HTTP traffic in your PAS configuration. You can terminate TLS at all of the following points:

  • Load balancer
  • Load balancer and the Gorouter
  • The Gorouter

To choose and configure the TLS termination option for your deployment, see the TLS Termination Options for HTTP Routing section of the Securing Traffic into Cloud Foundry topic.

Note: If you are using HAProxy in a PCF deployment, you can choose to terminate SSL/TLS at HAProxy in addition to any of the SSL/TLS termination options above. For more information, see Configuring SSL/TLS Termination at HAProxy.

Obtain TLS Certificates

To secure traffic into Pivotal Platform, you must obtain at least one TLS certificate. For general certificate requirements for deploying Pivotal Platform, see Certificate Requirements.

For additional IaaS-specific certificate requirements:

Creating a Wildcard Certificate for Pivotal Platform Deployments

This section describes how to create or generate a certificate for your PAS environment. If you are deploying to a production environment, you should obtain a certificate from a trusted authority (CA).

For internal development or testing environments, you have two options for creating a required TLS certificates.

  • You can create a self-signed certificate, or
  • You can have PAS generate the certificate for you.

To create a certificate, you can use a wide variety of tools including OpenSSL, Java’s keytool, Adobe Reader, and Apple’s Keychain to generate a Certificate Signing Request (CSR).

In either case for either self-signed or trusted single certificates, apply the following rules when creating the CSR:

  • Specify your registered wildcard domain as the Common Name. For example, *.yourdomain.com.

  • If you are using a split domain setup that separates the domains for apps and sys components (recommended), enter the following values in the Subject Alternative Name of the certificate:

    • *.apps.yourdomain.com
    • *.sys.yourdomain.com
    • *.login.sys.yourdomain.com
    • *.uaa.sys.yourdomain.com
  • If you are using a single domain setup, use the following values as the Subject Alternative Name of the certificate:

    • *.login.sys.yourdomain.com
    • *.uaa.sys.yourdomain.com

    Note: TLS certificates generated for wildcard DNS records only work for a single domain name component or component fragment. For example, a certificate generated for *.EXAMPLE.com does not work for *.apps.EXAMPLE.com and *.sys.EXAMPLE.com. The certificate must have both *.apps.EXAMPLE.com and *.sys.EXAMPLE.com attributed to it.

Generating a RSA Certificate in PAS

  1. Navigate to the Ops Manager Installation Dashboard.

  2. Click the Pivotal Application Service tile.

  3. Select Networking.

  4. Click Change underneath the Certificate and private key for HAProxy and Router fields, then click Generate RSA Certificate to populate the Certificate and private key for HAProxy and Router fields with RSA certificate and private key information.

  5. If you are using a split domain setup that separates the domains for apps and sys components (recommended), enter the following domains for the certificate:

    • *.yourdomain.com
    • *.apps.yourdomain.com
    • *.sys.yourdomain.com
    • *.login.sys.yourdomain.com
    • *.uaa.sys.yourdomain.com

    For example, *.example.com, *.apps.example.com, *.sys.example.com, *.login.sys.example.com, *.uaa.sys.example.com.

    At the top of the pop-up window is a teal checkmark and the words 'Generate RSA Certificate'. In the upper-right corner is a gray circle with a white X in the middle. Below 'Generate RSA Certificate' is a field labeled 'Example: *.app.domain.com, *.system.domain.com, *.my.webapp.com, *.domain.com, my.webapp.com, domain.com', with a red asterisk to denote that it is a required field. The field contains the text '*.apps.EXAMPLE.com, *.system.EXAMPLE.com'. Below this field are two buttons, a gray rectangular button labeled 'Cancel' and a blue rectangular button labeled 'Save'.