Re: SSL termination for private domains


+1 to user-provided certs for private domains. Today, we use multiple VIPs with different certs, or our main VIP with a cert that has multiple SANs.

Our goal is for CF operators to really be out of the way for app-specific concerns, and we view the certs and private domains (vanity DNS names) as an application concern.

Having this ability provides immense value to us.


On Sep 20, 2016, at 8:03 PM, Shannon Coen <scoen(a)> wrote:

Carlo, Mike, others,

Do you store certs in the LB config itself, or federate/offload TLS termination to some secure store? I'm thinking about storing user-provided certs in the Routing API and offering them to routers/LBs from there. Would we instead have to send the certs to some other proprietary system from where the router/LB would have to pull from?

I've heard a few requests for integrating with systems that store the certs so that the routers don't have access to the keys.

Shannon Coen
Product Manager, Cloud Foundry
Pivotal, Inc.

On Tue, Sep 20, 2016 at 5:44 PM, Carlo Alberto Ferraris <carlo.ferraris(a)> wrote:
Thanks for keeping the ball rolling!
For the TLS termination part we are currently using a setup very similar to the one described by Mike. We sit behind a bunch of SLBs that handle termination for us. The main difference is that we're moving out of the "one VIP per cert" model Mike describes to "one SNI VIP for all certs" - a choice we made exactly to keep options open when it comes to automating this process.
The biggest pain comes from the fact that the SLB in our organization is handled by a different team and that therefore every cert add/update/delete operation requires a manual operation spanning three teams (application team, our team, SLB team); in the worst cases such operations can take days. We may be different in this from other CF operators, but this situation happens fairly frequently.
To put it simply, if CF (gorouter or a different component) had a way to dynamically apply certificates specified by the users (and operators) we would gladly switch away from our current setup.
We were also considering (idea stage, nothing really planned yet) using either nginx or a custom-built TLS terminator for this very purpose (the main reason we're considering something custom built is because it's somewhat hard to get session ticket key rotation right with nginx when you have multiple servers) - but if something functionally equivalent were to appear upstream we would definitely prefer it.

I hope everything makes sense; if not, I'll gladly answer any questions you may have.

Thanks for looking into this!
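The two mechanisms Carlo's message describes, one SNI endpoint that picks a certificate per host name at runtime and a session-ticket key ring that has to be rotated identically on every terminator behind the VIP, can be sketched in Go's standard library. The block below is an added example, not gorouter, Cloud Foundry or nginx code; Go is used because gorouter is written in Go. The `certStore`, `ticketKeys`, `selfSigned` and `serverConfig` names are this example's own, `app.example.com` is a constructed host name, and the self-signed certificate stands in for a user-uploaded chain and key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"log"
	"math/big"
	"strings"
	"sync"
	"time"
)

// certStore maps an SNI host name to the certificate the application owner
// uploaded for it. It is safe for concurrent use and can be changed while the
// terminator is running, which is what lets one SNI VIP front every private domain.
type certStore struct {
	mu    sync.RWMutex
	certs map[string]*tls.Certificate
}

func newCertStore() *certStore { return &certStore{certs: map[string]*tls.Certificate{}} }

// Put adds or replaces the certificate for host; it applies to the next handshake.
func (s *certStore) Put(host string, c *tls.Certificate) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.certs[strings.ToLower(host)] = c
}

// Delete removes a host. Handshakes for it then fail rather than falling back
// to some other tenant's certificate.
func (s *certStore) Delete(host string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.certs, strings.ToLower(host))
}

// GetCertificate is the tls.Config callback consulted on every ClientHello.
func (s *certStore) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	if c, ok := s.certs[strings.ToLower(hello.ServerName)]; ok {
		return c, nil
	}
	return nil, errors.New("no certificate configured for SNI name " + hello.ServerName)
}

// ticketKeyHistory is how many older keys remain accepted after a rotation, so
// tickets issued just before the rotation still resume.
const ticketKeyHistory = 3

// ticketKeys is the session-ticket key ring: keys[0] encrypts new tickets, the
// rest only decrypt. Every terminator behind the VIP must receive the same keys
// in the same order, otherwise a ticket minted by one server is rejected by the next.
type ticketKeys struct {
	mu   sync.Mutex
	keys [][32]byte
}

// Rotate installs newKey as the issuing key on cfg and returns the ring length.
func (t *ticketKeys) Rotate(cfg *tls.Config, newKey [32]byte) int {
	t.mu.Lock()
	defer t.mu.Unlock()
	t.keys = append([][32]byte{newKey}, t.keys...)
	if len(t.keys) > ticketKeyHistory {
		t.keys = t.keys[:ticketKeyHistory]
	}
	cfg.SetSessionTicketKeys(t.keys)
	return len(t.keys)
}

// serverConfig wires the store into a server-side TLS config.
func serverConfig(store *certStore) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, GetCertificate: store.GetCertificate}
}

// selfSigned builds a throw-away certificate for host (constructed test data;
// a real deployment would load the chain and key the user uploaded).
func selfSigned(host string) (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

func main() {
	store := newCertStore()
	cert, err := selfSigned("app.example.com") // constructed private domain
	if err != nil {
		log.Fatal(err)
	}
	store.Put("app.example.com", cert)
	cfg := serverConfig(store)
	var k [32]byte
	rand.Read(k[:]) // in production this key comes from a shared secret store
	fmt.Println("ticket keys installed:", (&ticketKeys{}).Rotate(cfg, k))
	got, err := cfg.GetCertificate(&tls.ClientHelloInfo{ServerName: "APP.example.com"})
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("selected cert for:", got.Leaf.Subject.CommonName)
}
```

`cfg` can be handed to `tls.Listen` as-is; because the certificate lookup happens inside the handshake callback, adding or removing a domain never requires restarting the listener, which is the operational property the thread is asking for. The ring size and the out-of-band key distribution are the parts that have to be identical on every server.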

