CloudFoundry SSL Root CA Certs
Often, I’m asked about configuring a private or custom SSL Root CA certificate bundle into Cloud Foundry applications. There are a handful of ways to get that result; here are some notes on how one of them works.
Below is the approach to addressing the invalid-certificate error that self-signed certificates raise in your applications. Ultimately, you need to make the requesting client aware of the Root CA that signed the certificate you are consuming. We do this by adding the private Root CA to the keystore of the JVM running inside the buildpack.
- You need to fork the buildpack into a source control system
- There is a set of build tasks you should use to run these commands
- Execute the keytool commands to build a cacerts bundle with your Root CA public certificate inside
- Add this to the <buildpack>/resources/lib/security path (which maps to $JAVA_HOME/jre/lib/security) inside the buildpack
- Stackato push your application with this specific buildpack referenced
- Validate in the application logs that the private Root CA was accepted
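The keytool steps above, written out as a small POSIX shell script. This is an added example, not code from the original post or from the java-buildpack project; the buildpack directory, the PEM file name and the alias are assumptions, and `changeit` is the stock JDK truststore password. It also handles the one edge case the path in the list hides: Java 8 keeps cacerts under jre/lib/security, while Java 9 and later moved it to lib/security.

```shell
#!/bin/sh
# Added example (not from the original post): build a cacerts bundle that
# contains a private Root CA and stage it where the forked Java buildpack
# will copy it into the JRE. Paths, alias and file names are assumptions.
set -eu

# Locate the JRE's default truststore. Java 8 keeps it under jre/lib/security
# (the path the post cites); Java 9+ moved it to lib/security.
jre_cacerts_path() {
  home="${1:-${JAVA_HOME:-}}"
  for candidate in "$home/jre/lib/security/cacerts" "$home/lib/security/cacerts"; do
    if [ -f "$candidate" ]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  echo "no cacerts found under JAVA_HOME=$home" >&2
  return 1
}

# Where the forked buildpack expects the replacement truststore.
buildpack_truststore_path() {
  printf '%s/resources/lib/security/cacerts\n' "$1"
}

# Copy the stock cacerts, import the Root CA public certificate into the copy
# as a trusted entry, then verify by listing the alias. Prints the store path.
build_cacerts_with_root_ca() {
  buildpack_dir="$1"; ca_pem="$2"; alias="$3"
  dest="$(buildpack_truststore_path "$buildpack_dir")"
  mkdir -p "$(dirname "$dest")"
  cp "$(jre_cacerts_path)" "$dest"
  keytool -importcert -noprompt -trustcacerts \
    -keystore "$dest" -storepass changeit \
    -alias "$alias" -file "$ca_pem"
  # Fail loudly if the alias did not land in the store.
  keytool -list -keystore "$dest" -storepass changeit -alias "$alias" >/dev/null
  printf '%s\n' "$dest"
}

# Usage (assumed names):
#   build_cacerts_with_root_ca ./java-buildpack ./corp-root-ca.pem corp-root-ca
```

Run it from the root of your buildpack fork with JAVA_HOME pointing at the same JRE version the buildpack will ship, so the copied cacerts matches that JRE. Only the CA's public certificate goes into the bundle; the CA private key never leaves the signing host.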
Reference (docs.oracle.com): Manages a keystore (database) of cryptographic keys, X.509 certificate chains, and trusted certificates. The keytool…
Reference (azure.microsoft.com): Learn how to add a certificate authority (CA) certificate to the Java CA certificate (cacerts) store for Twilio service…
I have an open question out to the CF community (the #java-buildpack channel) asking what some of the values are in:
java-buildpack - Cloud Foundry buildpack for running Java applications (github.com)
I also researched using Forward Proxy configurations on the F5 to solve this problem, but it was far more complicated than it needed to be.