Skip to main content
Version: Develop

User Provided Certificates

By default - if no certificates have been provided by the Application Developer - the certificates configured by the Platform Operator are used. However, when creating or updating a service instance using a TLS/SSL service plan, it is possible to provide your own X.509 certificate.

This section describes how an Application Developer can provide their own certificates - from here on called user provided certificates - for a service instance using a TLS/SSL service plan of an a9s Data Service.

Please be aware that different services may have special limitations which are described explicitly in the Limitations section.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

Requirements

When you want to configure your own certificates for your service instance, you need the following properties

PropertyNote
certificateThe single certificate (server/leaf certificate) that is used for the service instance. The X.509 certificate MUST be in PKCS#1 format and PEM encoded.
private_keyThe private key for the certificate. The private key MUST be in PKCS#1 format and PEM encoded. The private key MUST NOT be encrypted.
caThe ordered certificate chain for the certificate. The individual X.509 certificates MUST be in PKCS#1 format and PEM encoded. The first certificate MUST be the CA certificate that signed the certificate in certificate. The last certificate MUST be the root CA certificate. The certificate chain can also only consist of the root CA.

Common Name And Subject Alternative Name

The Common Name (CN) of the user provided certificates MUST be set to *.node.dc1.<iaas.consul.domain>. The Subject Alternative Name (SAN) of the user provided certificates MUST contain the DNS name entries *.node.dc1.<iaas.consul.domain> and *.service.dc1.<iaas.consul.domain>. This is needed as it is used to verify all internal communication between the cluster nodes. Furthermore as the service instance hostnames are propagated to the applications, via the service bindings, they provide a way to verify the server they are connecting to.

In the example below, it is possible to see the hostnames of a9s Search cluster service instance; which MUST be covered in the user provided certificates as stated above.

d75caca-os-0.node.dc1.<iaas.consul.domain>
d75caca-os-1.node.dc1.<iaas.consul.domain>
d75caca-os-2.node.dc1.<iaas.consul.domain>
d75caca.service.dc1.<iaas.consul.domain>

All a9s Data Services with a vendored dashboard MUST contain these additional SAN entries:

  • *.<dashboad_hostname>.<iaas.cf.system_domain>
  • *.<iaas.cf.system_domain>.

This affects the following a9s Data Services:

  • a9s Messaging
    • <dashboad_hostname> = a9s-rabbitmq-dashboard
  • a9s LogMe2
    • <dashboad_hostname> = a9s-logme2-dashboard
note

The <iaas.consul.domain> and <iaas.cf.system_domain> are part of the environment configuration and it is set by the Platform Operator during the environment installation. Please contact your Platform Operator for more information.

Configuration of User Provided Certificates

caution

A service instance can only be configured with user provided certificates during its creation.

You can use the cf create-service command with the -c parameter when using the cf CLI to provide a file containing the TLS/SSL specific configuration parameters in a valid JSON object. Optionally you can provide these parameters as a valid escaped JSON object string. Following best practices, we recommend using a JSON file to provide these parameters.

The TLS/SSL specific configuration parameters that must be specified using the -c parameter are:

KeyValueDescription
tls.<cert_name>.certificateA PEM-encoded X.509 certificateThe leaf certificate to be deployed to your service instance.
tls.<cert_name>.private_keyA private keyThe private key for the certificate specified in tls.<cert_name>.certificate.
tls.<cert_name>.caA PEM-encoded X.509 certificateThe CA certificate with which your certificate has been or will be signed.

The placeholder <cert_name> in the TLS/SSL specific configuration is Data Service specific and the following values are required for the individial Data Service:

Data ServiceCertificate Names
a9s KeyValuevalkey
a9s LogMe2opensearch, opensearch_dashboards, fluentd
a9s MariaDBclient, server
a9s Messagingrabbitmq
a9s MongoDBmongodb
a9s MySQLclient, server
a9s PostgreSQLpostgresql
a9s Redisredis
a9s Searchopensearch
info

You can use the same certificate, private_key and ca for multiple service instances, and in the case of a9s LogMe2 and a9s MariaDB even for the different use cases in the same service instance.

Example

In the following example, we will create an a9s PostgreSQL Service Instance using an SSL plan and a X.509 certificate. First we will have a look at the structure of the required JSON file and its content. Keep in mind that the content must be valid JSON and therefore you need to escape the PEM encoded X.509 certificate file or private key; which you can do, for example, by using awk:

awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' <path to your PEM-encoded certificate file>

The JSON file should look like the example below:

{
"tls": {
"postgresql": {
"ca": "-----BEGIN CERTIFICATE-----\nMIIFbjCCA1YCCQCjw+EXPZsMZjANBgkqhkiG9w0BAQsFADB4MQswCQYDVQQGEwJE\nRTERMA8GA1UECAwIU2FhcmxhbmQxFTATBgNVBAcMDFNhYXJicnVlY2tlbjEWMBQG\nA1UECgwNYW55bmluZXMgR21iSDELMAkGA1UECwwCRFMxGjAYBgNVBAMMEXRlc3Qu\nYW55bmluZXMuY29tMCAXDTIyMDcyODEwMjk1OFoYDzIwNTAwODEwMTAyOTU4WjB4\nMQswCQYDVQQGEwJERTERMA8GA1UECAwIU2FhcmxhbmQxFTATBgNVBAcMDFNhYXJi\ncnVlY2tlbjEWMBQGA1UECgwNYW55bmluZXMgR21iSDELMAkGA1UECwwCRFMxGjAY\nBgNVBAMMEXRlc3QuYW55bmluZXMuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A\nMIICCgKCAgEA7KwHFPQrW9oqzheKK2Vo0TqEexlmN92v6u7Rn6FIZD4FFOPqyg9q\n1P/FQld3UUaMio6l7wxyCCzojB5cWpcBrWWb6Lcr4e0aXLOi8B6vVixKftZt0jcE\nQCv8nPHacYcHXw4LwhVMVedXvhwtLbopRVOuRdbdLkfWujew1gnafQ/C2+7ozv7Z\n/1ADXCREjQ4KlPnn1d87ZK7muR4TjZFEh0ZZ7gA3UjimywzQw8wCUIMBXDH8OInr\nYKHY4+yyq7oaliM68H7WYfJURSQZ/Zv1jVCYLs1AXXWMYSy4hnbzGdLrOfg62Lcc\noYrnJc6yV4e0xOXniCYCy9TxOD5kwXkm3yKO+adpD3TR7BqLCKG9KyN9Ih8vrQlC\ni4azZnMQ2EGlEDoV6wN35etEMocC4hB8TRUYQ1KY3TTVSKb9wPAn/4cAuh6F+cPK\nmq19D+z+PWlVaQHwPFwO2p2koTIycd6gjctHlGS/lAWPsoI1nnTtZ2u5PX3r5/B0\n144XuFTDNmI+7ch3jcggIU6hWcWd4qZ++UE1LltuhTGpzqPw/3Vt9TNSkTvpy8B/\nasZPKPZiDkwFsQQY385dtvkCobpJYNC3wtHnr/t4q+gklYR5mO4xMDgNf+bKjTuI\n0Iut0Aj+0uoJxFvTTfLM4EtPLlW2z7YPkY0A4+OaFV8LjPO1ZPyFyrMCAwEAATAN\nBgkqhkiG9w0BAQsFAAOCAgEAfLXs0mymh4jdUc/ghOdXQFkCqMg5E5wSWlfEgzC0\n8oJwAw4TLjynvrMpZtms6DWf0o63NtrNoQPMcJ6+R8oD3Vqn7Q7BDR+F+cKg2c0e\n44xocV5o5vX8xwZ63GScS+ZSIunGvP537XV5Lzyv3dI9e+qjs893mzgAO02ACT34\nTXlDn/bTKAmOOqRaj6yP2HsInCsJetB5pHi3R3buyy9DbAXt6qtt+eySv1U7JU81\nipMoUbv2PdLLfgfJOVGCldpduOwsyFTwHB78MBiT755QWBalYJ/sw47OaYSDFKCX\nmdO913OpXkUZfF3l4l/CkXEUsY6+pMSCoguwgwln3eVPfmNjqG4LtZGOgKMepmcG\nkRNSGsvVKXglcIsPgogkOxUf569FEK5kEtYw0cMn8MCrv358H1xUFXVcitSLKpGM\n3klsZ1tU/ZnwxbSLcuozHhd+YOjy9KSRmUZCA+ORKVhrweWpugbnv0ZRKzXGLC9a\ny1Rj//v5jWMiEAyZNjeSnCNfLx3jlovR3SjcnZZFrVidQi8cZCnAMzzVArnHi/FI\nxpkP5EAqh8q7DmrMY5X11eEuyCmbgPmjji/IVcOJ3NC9hZeOIiSazU3CvDEX6Blm\nmL/NTgnwTnQn5dKSahQgLtFaIve4VNP4aPFXgGdYScd6U8Luo34tD1EWg45kXnkG\nA38=\n-----END CERTIFICATE-----\n",
"certificate": "-----BEGIN CERTIFICATE-----\nMIIEaTCCAlECCQCjNrxOOvCTgzANBgkqhkiG9w0BAQsFADB4MQswCQYDVQQGEwJE\nRTERMA8GA1UECAwIU2FhcmxhbmQxFTATBgNVBAcMDFNhYXJicnVlY2tlbjEWMBQG\nA1UECgwNYW55bmluZXMgR21iSDELMAkGA1UECwwCRFMxGjAYBgNVBAMMEXRlc3Qu\nYW55bmluZXMuY29tMB4XDTIyMDcyODEwMzE0N1oXDTM2MDQwNTEwMzE0N1owdTEL\nMAkGA1UEBhMCREUxETAPBgNVBAgMCFNhYXJsYW5kMRUwEwYDVQQHDAxTYWFyYnJ1\nZWNrZW4xFjAUBgNVBAoMDWFueW5pbmVzIEdtYkgxCzAJBgNVBAsMAkRTMRcwFQYD\nVQQDDA4qLmFueW5pbmVzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC\nggEBALBfuvTiCfj0eJ03UaDLPT91qpZvsvKeML9TZ5C5MKG5kOp4GbAl+qcg9SEY\nouYD1niKfrpi2CN1iT7xVhJTQImSxfQO0GXumGlOz/PwCvBm2bTHBzBZl389sDGA\n6od00ailkv1On4DBfMD6okEWgWyWLZ8PdMDcat0SoKxwt4P4ddtvhtYNSNtiM7Po\nag1Lv0Ocha6B1kD8GbJY/murLrCW7ZBUF3i2p075imfEwJiu9U34t79rnPhzaHAX\nshL9VAEFidNAXahK4q2EudjFum+Bd5Ud0EdIfzz1Dn9EUYfFn0mPF+CCfIu1x8n6\nFOwz5Q/0+NRAIHAy9waB8vmP/e8CAwEAATANBgkqhkiG9w0BAQsFAAOCAgEAwfkC\nH9e8eQX22gpzCp282YFbCq5Zl0eKONZ3hDm0G+ej1hVUIomKVrwJdz8fcYSf5KZw\nn95HuMPNL5w8SgJ3gR5ZNegWlNYL/sKhIk3NDSyv6helSs6dbufy2CMXg51jlpUp\nJWy4Xa4VLv5kPHxi5gZili4eYCh9Z97kxb8K6P3wXnUOhpyOj4LvzyIwXIxG7gXj\nfp0sQ5+GrlwBhNKnPnF3h8fWU4iQjiRp9hwixKO2uetyc3t47U4FBT4NyYuvGbR/\nVYlekHPCCFn7o31p1VJ/qYGqaMoZEfJZv6t2w9WMf4BpNXnyJ1TFCRSJ0QtZC35E\n4ZuHf9O4rVIBTQL0G7edHbXpxUh0au6uvk8Z0QtwDi8p+1gCg85DICUOmqPxALGi\nDzMjDApWMWyru5PeAC6BnVWuF/Gwhq46X4roQZJLke8eAIdYbptCAltuwlIz1foj\n2DsRESyzcyzk/wziSg3Ai42r1dEODcMd3Na0339EpdG/lbK4+hzPcC4Tv/iUH1Xh\nGnyuH+gi40+92VDSGbvFLTlb/alNBY3TWAjJMCrhE3WgcxVTdFkBS/gV3bPghhaw\nVL/2Nv7oTllDWwAZoJ/WKKu0s1a129iwIJ0xkK0NlDkY13DgTQIngZiXTi3Nq9ct\nB4O8e7EElIvg+68UN7u3nyGI9yzVHqoBHjzwIcw=\n-----END CERTIFICATE-----\n",
"private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAsF+69OIJ+PR4nTdRoMs9P3Wqlm+y8p4wv1NnkLkwobmQ6ngZ\nsCX6pyD1IRii5gPWeIp+umLYI3WJPvFWElNAiZLF9A7QZe6YaU7P8/AK8GbZtMcH\nMFmXfz2wMYDqh3TRqKWS/U6fgMF8wPqiQRaBbJYtnw90wNxq3RKgrHC3g/h122+G\n1g1I22Izs+hqDUu/Q5yFroHWQPwZslj+a6susJbtkFQXeLanTvmKZ8TAmK71Tfi3\nv2uc+HNocBeyEv1UAQWJ00BdqErirYS52MW6b4F3lR3QR0h/PPUOf0RRh8WfSY8X\n4IJ8i7XHyfoU7DPlD/T41EAgcDL3BoHy+Y/97wIDAQABAoIBAD8x7dD0dNJI9jaO\nrabJa6ajSH4ig6G+4ISNI9yNHkm0LaJ1ae7djNP5URuMskFsOppyNTofVIZQBN8S\npd5nCgbBGkB6Vl1PgjipToV/CsxcbcECVycR0uB6f/kc0eu7BaxBt0sfsrL1oPec\nViqwH6uCm9IUPack0v1nQT7IHFkiQwE9Sg8FDgXoUtaIbzb7oRd/dFStUap6lrvC\nNscjpItU0m9hdwTRUqjqv/Cg066TdYEFdtdL9F8oOtsu0Ix3SkQY3xkUS+9z0FZC\nljHOv3nzLIOBnn0BfXqy2am/evwkwOw8PzDp5RP6FStEWJgwzINvPD77fMrhy511\ndYhtDsECgYEA1jpMlKSYJ674z07Dqk1wuM/joY8EZHRVnp7kWtzOtHcRZjG1Ab/R\nzvEtDr09t1mgBHfC0xTFkzntTj3hTMuKNmqP0ycPL/k5HGdGyCuW7Al7JLweUlbN\nNEG/adxn5EI9QFjs7RmfVFDBlc8yUbwIZSmSyqb5b4fjB77I/6me+n8CgYEA0sPd\n8btgiQl0yZmAsu9hAnMbE3rPB/cfIWoYGN7KNY2xEuQKcW0v2z3th0td44KdxwiL\nlY26V1USzY/MbnHRBGOZw6WBQNSYw9TfjMN6XVv84KGXv7cM31rhsascvY7L+SX/\nKsk69jEQZaPlnRGsPoHkVOBgZnySlXpW6L0V5JECgYBhpVEir6Nq8yYV2CD3jzTC\nCIAJM9ccsqoUEvijMeJF/7++hQmsMnK/kM6o2Tk4SXHWl4AGFoG4Cb9Q2oPHLT9i\nblAAPt19UGvntmtc8gFotSmcJOLtRQNjvlQxPHVeZZLlsaLMr9Ef7W9PiZG2D68D\n7V8rX9ByNc4VybB0WCxOoQKBgQCo83fbyh/FWj4zSQjA52E1bH387Io/UVq0F27/\nqMAhk9apVQIGEMe3EPpyZPj7Yn4FyZTTKsyAK2MqQyZWNoid4xWknuxwwrs+6ErX\ndO+HHTEmBIM3nI4GEb0wBgHA9lIOA+Z7LtpD9eq1/18VvM/9P3SAkWjVXvDGQE6g\nvMpq8QKBgEaFtGhwuPe5/j6HsOJPvOgMPjM3LdQ18nO/NVDNQE8A0KftCdaioAy8\n5wGi2lDy1zmb+dZEMR9rEZpemNeE4jHSMOOPSwz4ZAhb2xpKymbtl/cwSrkiFeoh\n5SCm+DPRKOnxsj+NC4U9/Js8YwribuEI4MOdlOjM/hNxseDCEguE\n-----END RSA PRIVATE KEY-----\n"
}
}
}

You can use the following command to create a service instance with the mentioned JSON file:

cf create-service a9s-postgresql13 postgresql-single-small-ssl my-pg -c ssl_config.json

Creating service instance my-pg in org organization / space test as user@example.com...
OK

Create in progress. Use 'cf services' or 'cf service my-pg' to check operation status.

Rotation of User Provided Certificates

Leaf Certificate Rotation

As certificates for service instances with SSL plans expire, there is a need to rotate them regularly, and user provided leaf certificates are not an exception. The rotation of the user provided leaf certificate and its key can be done by following these steps.

caution

This will only work if the current CA certificate is valid, not expired and it is used to sign the new leaf certificate. This process may cause some downtime in single deployments, as the service instances are updated with the certificate information. If the CA is still valid, there is no downtime on cluster deployments.

danger

Providing your own certificates allows you to be more in control, but in exchange you are responsible for the rotation, since the automation doesn't work with this option, as it will return the same certificate each time it is executed. Additionally the forced rotation functionality is not supported for user provided certificates.

Step 1: Update the leaf certificate

First, add the new leaf certificate and the corresponding private key to your JSON file. Ensure that these are properly parsed, as mentioned before. Your config file should look like:

{
"tls": {
"postgresql": {
"ca": "<old_ca>",
"certificate": "<new_leaf_certificate>",
"private_key": "<new_private_key>"
}
}
}

Step 2: Redeploy your service instance

You can apply the new leaf certificate and private key to your SSL service instance by executing the following command:

cf update-service my-pg -c updated_ssl_config.json

CA Certificate Rotation

Just as Leaf certificates expire for service instances with SSL plans, so do CA certificates. Unfortunately the rotation of a CA certificate is not as easy as the rotation of a leaf certificate because simply replacing it will lead to broken clustered service instances.

To update the service we recommend to use the following method for a rotation with minimal downtime.

Step 1: Append the new CA to the old CA

Concatenate the old and the new CA (first old CA, then new CA) and store it in a temporary file to make it easier to parse them properly. This allows the service instance's nodes and the clients to trust the wildcard certificate presented by the service instance that can be either signed by the new or the old CA.

Add the concatenated CAs to your JSON file. Ensure that these are properly parsed as mentioned before. Your config file should look like:

{
"tls": {
"postgresql": {
"ca": "<concatenated_cas>",
"certificate": "<leaf_certificate>",
"private_key": "<private_key>"
}
}
}

Step 2: Roll out both, the old and the new CA, to your service service instance

You can apply the concatenated CAs to your SSL service instance by executing the following command:

cf update-service my-pg -c updated_ssl_config.json
Renew Service Bindings

Before proceeding with the next step, all service bindings MUST be renewed to propagate the new CA to the clients, unless the new CA is already trusted by the client's runtime.

Step 3: Replace the leaf certificate

Add the new leaf certificate and the corresponding private key to your JSON file. Ensure that these are properly parsed, as mentioned before. Your config file should look like:

{
"tls": {
"postgresql": {
"ca": "<concatenated_cas>",
"certificate": "<new_leaf_certificate>",
"private_key": "<new_private_key>"
}
}
}

Step 4: Roll out the new leaf certificate to your service instance

You can apply the new leaf certificate and private key to your SSL service instance by executing the following command:

cf update-service my-pg -c updated_ssl_config.json

Step 5: Remove the old CA

Add the new and only the new CA to your JSON file. Ensure that these are properly parsed, as mentioned before. The old CA is no longer needed since all existing service instances are only using the new wildcard certificate that is signed by the new CA.

{
"tls": {
"postgresql": {
"ca": "<new_ca>",
"certificate": "<new_leaf_certificate>",
"private_key": "<new_private_key>"
}
}
}

Step 6: Roll out only the new CA to each service instance

You can apply the concatenated CAs to your TLS/SSL service instance by executing the following command:

cf update-service my-pg -c updated_ssl_config.json
Renew Service Bindings

Before proceeding with the next step, all service bindings MUST be renewed to propagate the new CA to the clients, unless the new CA is already trusted by the client's runtime.

Limitations

Deleting User Provided Certificates

The deletion of user provided certificates is not supported by the a9s Data Services Framework. As a consequence, if you want to use certificates provided by the Platform Operator you have to create a new service instance using a TLS/SSL service plan and migrate your data.

Migrating User Provided Certificates

The a9s Data Services Framework does not support the certificate migration for a service instance using a TLS/SSL service plan from user provided certificates to certificates provided by the Platform Operator and vice versa.

Limitations for MariaDB

MariaDB 10.4 has a pre-defined structure for how it expects the different certificates. While the structure is described in length in the vendors' documentation, for our intents and purposes, this is the most relevant piece of information:

There are three certificates that you need to create in order to secure Galera Cluster: the Certificate Authority (CA) key and cert; the server certificate, to secure mysqld activity and replication traffic; and the client certificate to secure the database client and stunnel for state snapshot transfers.

Due to the nature of our automation, you have to specify a different certificate for client and intercluster.

Limitations for OpenSearch

OpenSearch expects that the certificates' private keys are in the format PKCS#8. This restriction applies when user provided certificates are using.

You can check the vendor's documentation for more information: