CloudFoundry SSL Root CA Certs

Often, I’m asked about configuring a private or custom SSL Root CA certificate bundle into Cloud Foundry applications. There are a handful of ways to get that result; here are some notes on how one of them works.

Below is an approach to fixing the "invalid certificate" error that self-signed certificates trigger in your applications. Ultimately, you need to make the requesting client trust the Root CA that signed the certificate you are consuming. We will do this by adding the private Root CA to the keystore (cacerts) of the JVM running inside the buildpack.

  1. Fork the buildpack into a source control system
  2. There is a set of build tasks in the buildpack which you should leverage to run these commands
  3. Execute the keytool commands to build a cacerts bundle with your Root CA public certificate inside
  4. Add this to the <buildpack>/resources/lib/security ($JAVA_HOME/jre/lib/security) path inside the buildpack
  5. Stackato push your application with this specific buildpack referenced
  6. Validate in the application logs that the private Root CA was accepted
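The keytool step (3) and the local check behind step 6, as an added example that is not part of the original post or of the Java buildpack. It assumes a JDK `keytool` on PATH and the default cacerts password `changeit`; the path the bundle is later copied to inside the buildpack (step 4) is the same as above. `openssl` is used only to mint a throwaway test CA, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the post): build a cacerts bundle that contains a
# private Root CA, starting from the JRE's own cacerts so the public CAs
# stay trusted, then verify the alias is present.
# Assumptions: keytool on PATH, cacerts password "changeit" (JDK default).

# Locate the JRE's shipped cacerts. Prints the path, or nothing if not found.
find_cacerts() {
    home="${JAVA_HOME:-}"
    if [ -z "$home" ] && command -v java >/dev/null 2>&1; then
        home=$(dirname "$(dirname "$(readlink -f "$(command -v java)")")")
    fi
    for p in "$home/lib/security/cacerts" "$home/jre/lib/security/cacerts"; do
        if [ -n "$home" ] && [ -f "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 0
}

# Build the bundle: copy the JRE cacerts (or start a new keystore if none is
# found) and import the Root CA public certificate under the given alias.
# $1 = Root CA cert (PEM), $2 = output keystore, $3 = alias,
# $4 = optional source cacerts (defaults to find_cacerts).
build_cacerts_bundle() {
    ca_pem="$1"; out="$2"; ca_alias="$3"; src="${4:-$(find_cacerts)}"
    if [ -n "$src" ] && [ -f "$src" ]; then
        cp "$src" "$out"
    fi
    keytool -importcert -noprompt -trustcacerts \
        -keystore "$out" -storepass changeit \
        -alias "$ca_alias" -file "$ca_pem"
}

# Verify the Root CA landed in the bundle (local analogue of step 6).
# Returns 0 if the alias exists in the keystore, non-zero otherwise.
verify_root_ca_present() {
    keytool -list -keystore "$1" -storepass changeit -alias "$2" >/dev/null 2>&1
}

# Throwaway self-signed Root CA for local testing (constructed, not a real CA).
# $1 = output cert PEM, $2 = output private key
make_test_root_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Private Root CA" \
        -keyout "$2" -out "$1" >/dev/null 2>&1
}

# Usage: sh add-root-ca.sh <root-ca.pem> <out-cacerts> <alias>
# The resulting file is what gets copied to <buildpack>/resources/lib/security/cacerts.
if [ $# -ge 3 ]; then
    build_cacerts_bundle "$1" "$2" "$3" \
        && verify_root_ca_present "$2" "$3" \
        && echo "Root CA '$3' present in $2"
fi
```

Starting from a copy of the JRE's cacerts rather than an empty keystore matters: an empty keystore with only the private CA would make every public HTTPS endpoint fail validation once it is dropped into the buildpack.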

I have an open question out to the CF community (#java-buildpack channel) to explain what some of the values are in:

Also, I researched using Forward Proxy configurations on the F5 to solve this problem, but it was way more complicated than it needed to be.
