The instance identity system in Diego provides each application instance with a PEM-encoded
X.509 certificate and PKCS#1 RSA private key. The values of the environment variables CF_INSTANCE_CERT
and CF_INSTANCE_KEY
contain the absolute paths to the certificate and private key files, respectively.
- The certificate's Common Name property is set to the instance guid.
- The certificate contains an IP SAN set to the container IP address for the given app instance.
- For Cloud Foundry apps, the certificate's Organizational Unit property is set to the string `app:app-guid`, where `app-guid` is the application guid assigned by Cloud Controller.
By default, the certificate is valid for the 24 hours after the container is created, but the Diego operator may control this validity period with the diego.executor.instance_identity_validity_period_in_hours BOSH property. The smallest allowed validity duration is 1 hour.
The Diego cell rep supplies a new certificate-key pair to the container before the end of the validity period. The new files replace the existing pair at the same paths, each file being replaced atomically, though not both in a single operation, so an app that reads the pair while a rotation is in progress should confirm that the key matches the certificate and re-read both files if it does not; long-running apps must also reload the files rather than cache them once at startup. If the validity period is greater than 4 hours, the pair is regenerated between 1 hour and 20 minutes before the end of the validity period. If the validity period is 4 hours or less, the pair is regenerated between one quarter and one twelfth of the period before its end (for a 4-hour period that is between 1 hour and 20 minutes before expiry, matching the rule for longer periods).
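The checks an app would run on the pair it finds at the CF_INSTANCE_CERT and CF_INSTANCE_KEY paths, together with the rotation window described above, as an added Go example written for this page (it is not Diego's own code). The guids and container IP are hypothetical, and makeTestPair self-signs a certificate of the documented shape so the example runs outside a container; real instance certificates are issued by the Diego instance identity CA.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// InstanceIdentity: CN = instance guid, OU "app:<app-guid>", one IP SAN = container IP.
type InstanceIdentity struct {
	InstanceGUID, AppGUID string
	ContainerIP           net.IP
	NotAfter              time.Time
}

func decodePEM(data []byte, want string) ([]byte, error) {
	b, _ := pem.Decode(data)
	if b == nil || b.Type != want {
		return nil, fmt.Errorf("no %q PEM block", want)
	}
	return b.Bytes, nil
}

// ParseInstanceIdentity parses the files read from the CF_INSTANCE_CERT and CF_INSTANCE_KEY paths.
func ParseInstanceIdentity(certPEM, keyPEM []byte) (*InstanceIdentity, error) {
	certDER, err := decodePEM(certPEM, "CERTIFICATE")
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	keyDER, err := decodePEM(keyPEM, "RSA PRIVATE KEY") // PKCS#1 framing
	if err != nil {
		return nil, err
	}
	key, err := x509.ParsePKCS1PrivateKey(keyDER)
	if err != nil {
		return nil, err
	}
	// The two files are replaced one at a time during rotation, so a reader may see a
	// new certificate beside the old key (or vice versa): verify they belong together.
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok || pub.N.Cmp(key.N) != 0 || pub.E != key.E {
		return nil, fmt.Errorf("certificate does not match private key; re-read both files")
	}
	id := &InstanceIdentity{InstanceGUID: cert.Subject.CommonName, NotAfter: cert.NotAfter}
	for _, ou := range cert.Subject.OrganizationalUnit {
		if strings.HasPrefix(ou, "app:") {
			id.AppGUID = strings.TrimPrefix(ou, "app:")
		}
	}
	if id.InstanceGUID == "" || id.AppGUID == "" {
		return nil, fmt.Errorf("missing Common Name (instance guid) or app:<app-guid> OU")
	}
	if len(cert.IPAddresses) != 1 {
		return nil, fmt.Errorf("expected exactly one IP SAN, found %d", len(cert.IPAddresses))
	}
	id.ContainerIP = cert.IPAddresses[0]
	return id, nil
}

// RotationWindow returns the earliest and latest time at which the cell rep replaces
// the pair of a container created at `created` with the given validity period.
func RotationWindow(created time.Time, validity time.Duration) (earliest, latest time.Time) {
	end := created.Add(validity)
	if validity > 4*time.Hour {
		return end.Add(-time.Hour), end.Add(-20 * time.Minute)
	}
	return end.Add(-validity / 4), end.Add(-validity / 12)
}

// makeTestPair self-signs a certificate shaped like an instance identity certificate.
// Constructed test data for this example only; real pairs are issued by the Diego CA.
func makeTestPair(instanceGUID, appGUID, ip string, validity time.Duration) (certPEM, keyPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IPAddresses: []net.IP{net.ParseIP(ip)},
		Subject:      pkix.Name{CommonName: instanceGUID, OrganizationalUnit: []string{"app:" + appGUID}},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(validity),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return certPEM, keyPEM, nil
}
```

Inside a container, feed ParseInstanceIdentity the contents of the files named by `os.Getenv("CF_INSTANCE_CERT")` and `os.Getenv("CF_INSTANCE_KEY")`. The key-matches-certificate check is what tells an app it caught the pair mid-rotation; reloading both files on mismatch, and on a timer shorter than the validity period, is safer than caching them once.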
Instance Identity is enabled by default in cf-deployment.
The CA certificate must have all the properties required to correctly sign other certificates:
- Subject Key Identifier must be set.
- `KeyUsage` must include `KeyCertSign`.
- Intermediate CA certificates should either leave `ExtendedKeyUsage` empty, or assign it the `any` property.
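A checker for the CA properties above, as an added Go example written for this page (not Diego's own code). CheckSigningCA inspects a parsed certificate; CheckSigningCAPEM walks a PEM bundle and treats a self-issued certificate (subject equal to issuer) as the root and every other certificate as an intermediate, which is an assumption of this example. The basicConstraints test is not in the list above; it comes from RFC 5280, which requires cA=TRUE on any certificate that issues others, and verifiers enforce it.

```go
package main

import (
	"bytes"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"os"
)

// CheckSigningCA returns the reasons a certificate is unfit to sign instance identity
// certificates; an empty result means every property listed above is present.
func CheckSigningCA(ca *x509.Certificate, intermediate bool) []string {
	var problems []string
	if !ca.BasicConstraintsValid || !ca.IsCA { // RFC 5280, not in the page's list
		problems = append(problems, "basicConstraints must assert cA=TRUE")
	}
	if len(ca.SubjectKeyId) == 0 {
		problems = append(problems, "Subject Key Identifier must be set")
	}
	if ca.KeyUsage&x509.KeyUsageCertSign == 0 {
		problems = append(problems, "KeyUsage must include KeyCertSign")
	}
	// Go keeps unrecognised EKU OIDs in UnknownExtKeyUsage, so check both slices.
	if intermediate && (len(ca.ExtKeyUsage) > 0 || len(ca.UnknownExtKeyUsage) > 0) {
		hasAny := false
		for _, eku := range ca.ExtKeyUsage {
			if eku == x509.ExtKeyUsageAny {
				hasAny = true
			}
		}
		if !hasAny {
			problems = append(problems, "intermediate ExtendedKeyUsage must be empty or include any")
		}
	}
	return problems
}

// CheckSigningCAPEM checks every CERTIFICATE block in a PEM bundle, keyed by subject.
// A certificate whose issuer equals its subject is treated as the root; any other
// certificate is treated as an intermediate (an assumption of this example).
func CheckSigningCAPEM(bundle []byte) (map[string][]string, error) {
	findings := map[string][]string{}
	for {
		block, rest := pem.Decode(bundle)
		if block == nil {
			break
		}
		bundle = rest
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		root := bytes.Equal(cert.RawSubject, cert.RawIssuer)
		findings[cert.Subject.String()] = CheckSigningCA(cert, !root)
	}
	if len(findings) == 0 {
		return nil, fmt.Errorf("no CERTIFICATE blocks in input")
	}
	return findings, nil
}

// caShape builds an in-memory certificate carrying only the fields CheckSigningCA
// inspects, for experiments without a real CA (constructed data, not a parsed cert).
func caShape(ski, certSign bool, eku ...x509.ExtKeyUsage) *x509.Certificate {
	c := &x509.Certificate{BasicConstraintsValid: true, IsCA: true, ExtKeyUsage: eku}
	if ski {
		c.SubjectKeyId = []byte{0x01}
	}
	if certSign {
		c.KeyUsage = x509.KeyUsageCertSign
	}
	return c
}

func main() {
	// Usage: go run . ca-bundle.pem (the CA plus any intermediates, PEM-encoded).
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: checkca <bundle.pem>")
		os.Exit(2)
	}
	data, err := os.ReadFile(os.Args[1])
	if err != nil {
		panic(err)
	}
	findings, err := CheckSigningCAPEM(data)
	if err != nil {
		panic(err)
	}
	for subject, problems := range findings {
		fmt.Printf("%s: %d problem(s) %v\n", subject, len(problems), problems)
	}
}
```

Run it against the PEM bundle you intend to configure as the instance identity CA before deploying; a root that carries a restrictive ExtendedKeyUsage is reported as fine by this checker, since the page's EKU rule applies only to intermediates.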