Pivotal Knowledge Base


Using Trusted CA SSL Certificate with HAProxy in Pivotal Cloud Foundry®


Describe how to generate and install SSL certificate for HAproxy in Pivotal Cloud Foundry® (PCF).


When you order a certificate from a well known certification authority, it should be a wildcard certificate. For example if you want to use the domain cf.foo.org, which would give you a Pivotal Cloud Foundry api of api.cf.foo.org and Apps Manager located at console.cf.foo.org

then you would want to purchase a wildcard certificate for cf.foo.org, or commonly displayed as *.cf.foo.org.

Follow the steps to generate private key and Certificate Signing Request which would be later used to generate a wildcard certificate for your PCF installation.

Generate private key. This can be done on any Mac/Linux machine.

openssl genrsa -des3 -out <private key file name>.key 2048

Generate Certificate Signing Request

openssl req -new -key <private key file name>.key -out <csr file name>.csr

Note: The last command will ask a number of questions on the name of the organization, location, and etc. One question of particular importance is the following:

Common Name (e.g. server FQDN or YOUR name) []:

Based on the  example above we would enter  *.cf.foo.org to answer that question.

Windows users can follow the following instructions:


Once the CSR is generated, you would submit the CSR to your certificate authority so that they can sign the certificate for you..  Once done, the CA will provide you with a copy of the signed certificate.

The signed certificate needs to be supplied on the HAProxy tab in Elastic Runtime tile. Copy the signed certificate into the SSL certificate box. In case there is an intermediary certificate, it should be pasted into the same box following your signed certificate. Finally, copy the private key generated in the previous step on your computer into the second box below.

Finally, on the Cloud Controller configuration page you’ll need to enter the system and application domains. Based on the example above, the following would be entered for system and app domain: cf.foo.org.


Powered by Zendesk