trusted-system-certificates.html.md.erb

---
title: Configuring trusted system certificates for applications
---

The following mechanisms exist to provide trusted certificates to applications running on Cloud Foundry:

- For the `cflinuxfs3` stack, you can install the trusted certificates
directly into the system trust store at `/etc/ssl/certs`. In the deployment manifest, set
the `cflinuxfs3-rootfs.trusted_certs` property of the stack release's
`cflinuxfs3-rootfs-setup` job to the concatenated values of the PEM-encoded CA
certificates.
<br><br>
For example:
  <pre>
    properties:
      cflinuxfs3-rootfs:
        trusted_certs: |
          -----BEGIN CERTIFICATE-----
          (contents of certificate #1)
          -----END CERTIFICATE-----
          -----BEGIN CERTIFICATE-----
          (contents of certificate #2)
          -----END CERTIFICATE-----
  </pre>

- You can also present trusted certificates to all application instances, including those based on Docker images and those on Windows.
<br><br>
To do so, provide the concatenated PEM-encoded CA certificates in the `containers.trusted_ca_certificates` BOSH properties on `rep` and `rep_windows` jobs for the Diego release. This property accepts a list of string values, and each string may contain one or more PEM-encoded X.509 certificates.
<br><br>
The individual certificates in this property appear as separate files in the `/etc/cf-system-certificates` directory in Linux containers, and in the `%USERPROFILE%/etc/cf-system-certificates` directory in Windows 2012 containers.
<br><br>
For example:
  <pre>
    properties:
      containers:
        trusted_ca_certificates:
          - |
            -----BEGIN CERTIFICATE-----
            (contents of certificate #1)
            -----END CERTIFICATE-----
          - |
            -----BEGIN CERTIFICATE-----
            (contents of certificate #2)
            -----END CERTIFICATE-----
            -----BEGIN CERTIFICATE-----
            (contents of certificate #3)
            -----END CERTIFICATE-----
  </pre>