This article explains how to check the domain and subject alt names listed on the SSL/TLS certificate for Tanzu Platform for Cloud Foundry.

All versions

Checking Cert Info

If you wish to check what domain names you have loaded in your certificate, you can run the following command:

openssl req -in your.csr -noout -text

The output will display details on your domain.

Checking Cert Info via API

To retrieve information about your Cert via your API, run one of the following commands:

openssl s_client -connect api.<SYSTEM_DOMAIN>:443 -state -debug >ssl-debug.txt 

Check Cert Info via a Browser

Browse to you Domain api.<SYSTEM_DOMAIN> in your browser, click on the lock icon, and check the Cert's details.

Checking your Subject Alternative Name (SAN)

You may need to check that your Cert has all the necessary SAN's loaded. To do this, run the following command:

echo -n | openssl s_client -connect "api.<SYSTEM_DOMAIN>:443" | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -text | grep "DNS:"

You will see something similar to the following output:

DNS:*.uaa.<SYSTEM_DOMAIN>,
DNS:*.login.<SYSTEM_DOMAIN>,
DNS:*.<SYSTEM_DOMAIN> 

Additional Information

Internally Signed Certs/Self-Signed Certs

A Self-Signed CA is not publicly trusted but is configured to trust all of the company's computers or networks. This is a common situation for large companies. If your environment is not publicly facing you can use Self-Signed Certs. Configuring your private browsers to accept your own Certificates as trusted. 

Publicly Signed Certs

If you are serving Public internet traffic you should use Publicly signed Certs generated using a CA (Certification Authority). This will prevent browsers generating certificate error when accessing your apps. A CA issues digital certificates that are trusted by default in browsers. So when accessing your App's users will not get any SSL/Certificate errors.