How to use multiple TLS/SSL certificates


Pivotal Cloud Foundry® (PCF) 1.6.x


This article explains how to serve two domains with individual TLS/SSL certificates. For example, you have certificate A for *.system.my-domain.com and certificate B for *.apps.my-domain.com.

One reason to use multiple certificates is cost: certificates with multiple subject alternative names (SANs) are expensive, especially when the SANs are wildcards.


You will need to configure two load balancers, one for each domain, and install the corresponding SSL/TLS certificate on each load balancer.

When the external load balancer terminates the SSL connection, the only part of the system affected is the external load balancer. The request then goes from the external load balancer to the gorouter using either HTTP or HTTPS.

HTTP: Unencrypted connections from the load balancer to the gorouter work without any additional configuration changes.

HTTPS: An illustration is shown below:


In this configuration, your load balancer terminates TLS and passes unencrypted traffic to the router, which routes it to your app. Traffic between the load balancer and the router is not encrypted. Configure your load balancer to append the X-Forwarded-For and X-Forwarded-Proto headers.

You will need an internal SSL/TLS certificate for your gorouters (this certificate is required by the gorouter configuration in Ops Manager; see [1] for more information). The external load balancer must trust the internal certificate used by the gorouter and, having terminated the client's TLS connection, must open a new HTTPS request to the gorouter.

The downside of this approach is the extra TLS overhead of terminating and re-encrypting each connection. For additional information, refer to Sections 3 and 4 of [2].
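The following configuration is an added example and is not part of the original article or of Pivotal's documentation. It assumes nginx is used as the external load balancer; the certificate paths, gorouter addresses, internal CA path and internal certificate name are placeholders. The first server block is load balancer A for the system domain, terminating TLS and forwarding plain HTTP to the gorouter (the HTTP option above); the second is load balancer B for the apps domain, terminating TLS and then re-encrypting to the gorouter while verifying the gorouter's internal certificate (the HTTPS option above). Both overwrite X-Forwarded-For and X-Forwarded-Proto rather than trusting any values supplied by the client.

```nginx
# Added example (not from the Pivotal article): nginx as the external load
# balancer(s). All paths, addresses and names below are placeholders.

# Gorouter instances reached over plain HTTP (the "HTTP" option).
upstream gorouters_http {
    server 10.0.16.10:80;   # placeholder gorouter address
    server 10.0.16.11:80;   # placeholder gorouter address
}

# The same gorouters reached over HTTPS (the "HTTPS" option).
upstream gorouters_https {
    server 10.0.16.10:443;  # placeholder gorouter address
    server 10.0.16.11:443;  # placeholder gorouter address
}

# Load balancer A: certificate A for *.system.my-domain.com. TLS is
# terminated here and unencrypted traffic is sent to the gorouter.
server {
    listen 443 ssl;
    server_name *.system.my-domain.com;

    ssl_certificate     /etc/ssl/certs/system.my-domain.com.crt;    # placeholder
    ssl_certificate_key /etc/ssl/private/system.my-domain.com.key;  # placeholder

    location / {
        proxy_pass http://gorouters_http;
        proxy_set_header Host              $host;
        # Set, not append: the gorouter should see the client address and
        # scheme this load balancer observed, not a client-supplied header.
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Load balancer B: certificate B for *.apps.my-domain.com. TLS is
# terminated here and a new HTTPS connection is opened to the gorouter,
# whose internal certificate this load balancer must trust.
server {
    listen 443 ssl;
    server_name *.apps.my-domain.com;

    ssl_certificate     /etc/ssl/certs/apps.my-domain.com.crt;      # placeholder
    ssl_certificate_key /etc/ssl/private/apps.my-domain.com.key;    # placeholder

    location / {
        proxy_pass https://gorouters_https;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Verify the gorouter's internal certificate against the CA that
        # issued it, instead of accepting any certificate the backend presents.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/internal-gorouter-ca.crt;  # placeholder
        # Name that must appear in the gorouter's internal certificate;
        # it is also sent as SNI to the gorouter.
        proxy_ssl_name                gorouter.internal.my-domain.com;          # placeholder
        proxy_ssl_server_name         on;
    }
}
```

In the article's design each server block would live on its own load balancer; if both are placed in one nginx instance, nginx selects the block by the SNI name the client sends. After deploying, confirm that each listener presents the expected certificate with `openssl s_client -connect <load-balancer>:443 -servername api.system.my-domain.com` (and likewise for a host under the apps domain), and confirm that nginx refuses the backend connection when the internal CA file does not match the gorouter's certificate, which shows that `proxy_ssl_verify` is actually in effect.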

1. http://docs.pivotal.io/pivotalcf/1-6/customizing/custom-load-balancer.html

2. https://docs.pivotal.io/pivotalcf/1-6/adminguide/securing-traffic.html