Common SSL/TLS configuration
The following data services support SSL/TLS plans and share a common configuration interface for x509 certificates:
An x509 certificate for an SSL service instance can be deployed in several ways. The following list is in order of preference: if a user-provided certificate is specified, it is used before a configured wildcard certificate. In other words, once a user has specified a certificate for a particular SSL service instance, they must delete that certificate before another one can be deployed to the instance.
Certificate Usage Order
- User provided certificate
- Configured wildcard certificate
- Generated certificate with a configured intermediate certificate
- Self-signed certificate
User Provided Certificates
The user can provide their own certificate as a parameter in the call to cf create-service or cf update-service. See the app developer documentation.
A platform operator can define wildcard certificates in a deployment manifest (e.g. rabbitmq-service.yml). These are used when the user does not provide their own certificate (see User Provided Certificates).
...
properties:
  ...
  rabbitmq-spi:
    wildcard:
      ca: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
      cert: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
      key: |
        -----BEGIN RSA PRIVATE KEY-----
        ...
        -----END RSA PRIVATE KEY-----
NOTE: The supplied key must not be encrypted. If your intermediate CA's key is encrypted with a password, provide the decrypted version of the key. If you supply an encrypted key, you will see an error message similar to this:
$ cf create-service a9s-rabbitmq37 rabbitmq-single-small-ssl rabbitmq1
Creating service instance rabbitmq1 in org test / space test as admin...
Service broker error: Neither PUB key nor PRIV key: nested asn1 error
FAILED
TLS Certificate Creation
A data service can either create self-signed certificates or derive certificates from an intermediate certificate. For the latter, the customer has to configure an intermediate certificate together with its private key.
...
properties:
  ...
  rabbitmq-spi:
    intermediate-ca:
      cert: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
      key: |
        -----BEGIN RSA PRIVATE KEY-----
        ...
        -----END RSA PRIVATE KEY-----
NOTE: As above, the supplied key must not be encrypted.
A supported data service instance using an SSL plan creates its own self-signed certificate if no user leaf certificate or certificate authority has been supplied.
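As an added example (not part of this documentation or the product), the following pre-deploy check applies the certificate usage order described above to the rabbitmq-spi properties and rejects a password-protected PEM key before the broker fails with the "Neither PUB key nor PRIV key" error. The function names and the sample keys are constructed for illustration; the base64 bodies are placeholders, not real key material.

```python
import base64
import re

# Constructed sample keys (placeholder base64, not real key material).
PLAIN_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAAAA\n"
             "-----END RSA PRIVATE KEY-----\n")
ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                 "MIIBOgIBAAJBAAAA\n-----END RSA PRIVATE KEY-----\n")
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)


def pem_key_problem(pem):
    """Reason the broker would reject this key, or None if it looks usable.
    Catches PKCS#1 (Proc-Type/DEK-Info headers) and PKCS#8 (ENCRYPTED PRIVATE
    KEY) password-protected keys, which cause the 'Neither PUB key nor PRIV
    key' failure shown above, plus wrong block types and corrupt base64."""
    m = PEM_BLOCK.search(pem)
    if not m:
        return "no PEM block found"
    label, body = m.group(1), m.group(2)
    if "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in body:
        return "key is password-protected; supply the decrypted key"
    if not label.endswith("PRIVATE KEY"):
        return "expected a private key block, found " + label
    payload = body.split("\n\n", 1)[-1]  # strip optional PEM headers
    try:
        base64.b64decode("".join(payload.split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "PEM body is not valid base64"
    return None


def resolve_certificate(user_cert, spi):
    """Apply the usage order: user provided > configured wildcard > generated
    from the intermediate CA > self-signed. `spi` is the rabbitmq-spi mapping
    (hypothetical shape, mirroring the manifest fragments above)."""
    if user_cert:
        return "user-provided", user_cert
    if "wildcard" in spi:
        return "wildcard", spi["wildcard"]
    if "intermediate-ca" in spi:
        return "generated-from-intermediate", spi["intermediate-ca"]
    return "self-signed", None
```

Run pem_key_problem over the key of every configured section before deploying the manifest; a non-None result is the reason the create-service call would fail.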