Pivotal Cloud Foundry® (PCF) All versions
The purpose of this article is to help the reader how to check the domain and subject alt names listed on the SSL/TLS certificate for your PCF installation.
Checking Cert Info
If you wish to check what domain names you have loaded in your cert you can do so by running the following command:
Checking cert file
openssl req -in your.csr -noout -text
The output will display details on your domain.
Checking cert via your api
openssl s_client -connect api.system.10.x.x.x:443
openssl s_client -connect api.system.yourdomain.com:443 -state -debug >ssl-debug.txt
Check your cert via a Browser
Browse to you Domain api.your-domain.com in your browser, clicking on the lock icon and check the cert's detailed are correct?
Checking your SAN (Subject Alternative Name)
You may need to check that your Cert has all the necessary SAN's loaded.
You can run the following command to check this.
echo -n | openssl s_client -connect "api.systemDomain.example.com:443" | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -text | grep "DNS:"
You will see something like the following in the output.
Internally Signed Certs/Self-Signed Certs: If your environment is not publicly facing you can use Self-Signed Certs. Configuring your private browsers to accept your own Certificates as trusted. A Self-Signed CA is not publicly trusted but is configured to trust all of the company's computers or networks. This is a common situation for large companies.
Publicly Signed Certs: If you are serving Public internet traffic you should use Publicly signed Certs generated using a CA (Certification Authority). As this will prevent browsers generating certificate error when accessing your apps. A CA issues digital certificates that are trusted by default in browsers. So when accessing your App's users will not get any SSL/Certificate errors.
Please refer to the following links for more information on Configuring Certificates of PCF: