Pivotal Knowledge Base

How to Check the domain and subject alt names listed on the SSL/TLS certificate for your PCF installation

Environment

Product: Pivotal Cloud Foundry® (PCF)
Version: All versions

Purpose

The purpose of this article is to show the reader how to check the domain and subject alternative names (SANs) listed on the SSL/TLS certificate for a PCF installation.

Checking Cert Info

If you wish to check which domain names are loaded in your certificate, you can do so by running the following commands.

Checking the CSR file

openssl req -in your.csr -noout -text

The output displays the details of the certificate signing request, including the Common Name and any subject alternative names that were requested. Note that this shows what was requested from the CA, not what was actually issued.
 
Checking the cert via your API endpoint

openssl s_client -connect api.system.10.x.x.x:443

or

openssl s_client -connect api.system.yourdomain.com:443 -state -debug >ssl-debug.txt

The first form prints the certificate chain presented by the API endpoint to the terminal; the second additionally records the handshake state and a dump of the traffic in ssl-debug.txt for later review.

Checking your cert via a browser

Browse to your API domain (api.your-domain.com) in your browser, click the lock icon, and check that the certificate's details are correct.
 
Checking your SAN (Subject Alternative Name)

You may need to check that your cert has all the necessary SANs loaded. You can run the following command to check this.

echo -n | openssl s_client -connect "api.systemDomain.example.com:443" | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -text | grep "DNS:"

You will see something like the following in the output.

DNS:*.uaa.systemDomain.example.com,
DNS:*.login.systemDomain.example.com,
DNS:*.systemDomain.example.com
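Rather than eyeballing the DNS: list, the script below (an added example, not part of the KB article) extracts the SANs from a saved certificate with openssl and reports which required hostnames none of them covers, treating a wildcard as standing for exactly one DNS label. The system domain names and the self-signed sample certificate it generates are constructed; on a real installation point san_dns_names at the certificate saved from s_client above.

```shell
#!/bin/sh
# Added example (not from the KB article): list the DNS SANs in a certificate and
# report which required PCF hostnames none of them covers, applying the rule that
# a wildcard stands for exactly one DNS label. Domain names are constructed.

# DNS SANs of a PEM certificate file, one per line (empty if the extension is absent).
san_dns_names() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://' || true
}
# Succeed if hostname $1 is covered by SAN entry $2: exact match, or a
# single-label wildcard such as *.systemDomain.example.com.
san_matches() {
  host=$1; san=$2
  [ "$san" = "$host" ] && return 0
  case $san in
    \*.*)
      suffix=${san#\*.}
      label=${host%".$suffix"}   # what the '*' would have to stand for
      # Covered only if host ends in ".<suffix>" and the label is non-empty and dot-free.
      [ "$label" != "$host" ] && [ -n "$label" ] && [ "${label#*.}" = "$label" ] && return 0
      ;;
  esac
  return 1
}
# Print each required hostname that no SAN entry in the certificate covers.
missing_sans() {
  cert=$1; shift
  sans=$(san_dns_names "$cert")
  set -f                     # SAN entries start with '*': do not glob them
  for host in "$@"; do
    covered=1
    for san in $sans; do
      if san_matches "$host" "$san"; then covered=0; break; fi
    done
    [ "$covered" -eq 0 ] || echo "$host"
  done
  set +f
}
# Constructed self-signed sample certificate (needs OpenSSL 1.1.1+ for -addext). Its
# SAN list deliberately lacks the *.uaa entry the article shows, so one check fails.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1.key" -out "$1" \
    -subj "/CN=*.systemDomain.example.com" >/dev/null 2>&1 \
    -addext "subjectAltName=DNS:*.systemDomain.example.com,DNS:*.login.systemDomain.example.com"
}
CERT="$(mktemp -d)/sample.crt"
make_sample_cert "$CERT"
echo "Not covered by $CERT:"
missing_sans "$CERT" api.systemDomain.example.com uaa.systemDomain.example.com login.systemDomain.example.com foo.uaa.systemDomain.example.com
```

Only foo.uaa.systemDomain.example.com is reported: the *.systemDomain.example.com wildcard covers api, uaa and login, but not a name two labels deep.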

Additional Information

Internally signed certs/self-signed certs: If your environment is not publicly facing, you can use self-signed certs and configure the browsers in your organization to accept your own certificates as trusted. A self-signed CA is not publicly trusted, but it is configured as trusted on all of the company's computers and networks. This is a common situation for large companies.

Publicly signed certs: If you are serving public internet traffic, you should use publicly signed certs issued by a CA (Certification Authority), as this prevents browsers from generating certificate errors when accessing your apps. A CA issues digital certificates that are trusted by default in browsers, so users accessing your apps will not get any SSL/certificate errors.

Please refer to the following links for more information on configuring certificates in PCF.

1. https://docs.pivotal.io/pivotalcf/1-8/opsguide/security_config.html

2. http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/x-forwarded-headers.html

3. https://docs.oracle.com/javase/6/docs/technotes/guides/net/proxies.html

4. http://docs.pivotal.io/pivotalcf/1-9/adminguide/securing-traffic.html

5. https://docs.pivotal.io/pivotalcf/1-7/opsguide/custom-load-balancer.html

6. https://discuss.pivotal.io/hc/en-us/articles/230613767-How-To-Trust-Public-IP-Ranges-as-Trusted-Proxies-in-Elastic-Runtime

 
