Installing Certificates on VMs


This feature is available with bosh-release v176+ (1.2992.0) and stemcells v2992+.

This document describes how to configure the Director to add a set of trusted certificates to all VMs managed by that Director. Configured trusted certificates are added to the default certificate store on each VM and will be automatically seen by the majority of software (e.g. curl).

Configuring Trusted Certificates

To configure the Director with trusted certificates:

  1. Change the deployment manifest for the Director to include one or more certificates:

        trusted_certs: |
          # Comments are allowed in between certificate boundaries
          -----BEGIN CERTIFICATE-----
          -----END CERTIFICATE-----
          # Some other certificate below
          -----BEGIN CERTIFICATE-----
          -----END CERTIFICATE-----
  2. Redeploy the Director with the updated manifest.


    Currently only VMs managed by the Director will be updated with the trusted certificates. The Director VM will not have trusted certificates installed.

  3. Redeploy each deployment to update its VMs with the trusted certificates immediately. Otherwise, trusted certificate changes are picked up the next time you run bosh deploy for that deployment.

    bosh deployment ~/deployments/cf-mysql.yml
    bosh deploy
    bosh deployment ~/deployments/cf-rabbitmq.yml
    bosh deploy

Configuration Format

The Director accepts one or more certificates concatenated together in PEM format. Any text before, between and after the certificate boundaries is ignored when the certificates are imported, but it can be useful for leaving notes about each certificate's purpose.

Providing multiple certificates makes downtimeless certificate rotation possible; however, it requires redeploying the Director and all deployments twice: first to add the new certificate, and a second time to remove the old one.
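As an added example (not the Director's own code), the following Ruby script shows a pre-flight check for a trusted_certs value: it extracts every block between the certificate boundaries, ignoring the surrounding notes exactly as the format section describes, and parses each one as X.509 so a malformed or already-expired certificate is caught before the Director is redeployed. The two sample certificates are throwaway self-signed ones generated on the fly so the script runs offline; the names example-ca-1 and expired-ca are constructed for the example.

```ruby
require 'openssl'

# Boundary markers of the PEM format the Director accepts.
BEGIN_MARK = '-----BEGIN CERTIFICATE-----'
END_MARK   = '-----END CERTIFICATE-----'

# Return every certificate block in a trusted_certs value. Text before,
# between and after the boundaries (comments, notes) is ignored, matching
# the behaviour described in the Configuration Format section.
def extract_pem_blocks(trusted_certs)
  trusted_certs.scan(/#{BEGIN_MARK}.*?#{END_MARK}/m)
end

# Parse each block as X.509 and summarise it. A block that is not a valid
# certificate raises OpenSSL::X509::CertificateError; an empty value raises
# ArgumentError, so a broken manifest fails here rather than at deploy time.
def validate_trusted_certs(trusted_certs)
  blocks = extract_pem_blocks(trusted_certs)
  raise ArgumentError, 'no certificates found in trusted_certs' if blocks.empty?
  blocks.map do |pem|
    cert = OpenSSL::X509::Certificate.new(pem)
    { subject: cert.subject.to_s,
      not_after: cert.not_after,
      expired: cert.not_after < Time.now }
  end
end

# Constructed sample data: a self-signed certificate generated on the fly.
# A real manifest would carry the PEM of the CA you actually want trusted.
def sample_self_signed_pem(cn, days_valid)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 2 * 86_400
  cert.not_after = Time.now + days_valid * 86_400
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert.to_pem
end

# Mirrors the manifest layout above: notes interleaved with two certificates.
SAMPLE_TRUSTED_CERTS =
  "# Comments are allowed in between certificate boundaries\n" +
  sample_self_signed_pem('example-ca-1', 365) +
  "# Some other certificate below\n" +
  sample_self_signed_pem('expired-ca', -1)

if $PROGRAM_NAME == __FILE__
  validate_trusted_certs(SAMPLE_TRUSTED_CERTS).each do |c|
    puts "#{c[:subject]} expires #{c[:not_after]}#{' (EXPIRED)' if c[:expired]}"
  end
end
```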