Stark & Wayne

BOSH + UAA with Signed Certificates - Part I

Pivotal has done a great job documenting how to add UAA as the authentication and authorization provider for BOSH instead of relying on local BOSH accounts. This also lets you integrate with LDAP or SAML later on.

The instructions have you generate a series of self-signed certs, which works great except that you now have to use the --ca-cert parameter and paste your rootCA.pem file constantly. But what if you got your hands on some signed certificates and keys? For one, you won't need to specify the --ca-cert parameter everywhere.

Single Level Signed Cert

We'll assume the following:

Below are the modifications to the tutorial found at if you have a signed, single-level root certificate and key:

3 - Add a uaa section to the deployment manifest:

    url: ""

6 - Change the Director configuration to specify how to contact the UAA server and how to verify an access token. Since UAA will be on the same server, we can use the same IP as the one used for the Director.

      provider: uaa
        url: ""

Be sure to comment out your existing local user accounts, in case it wasn't obvious from the instructions:

#    local:
#        provider: local
#        local:
#          users:
#          - name:      admin
#            password:  myLocalBoshPassword

7 - Configure Certificates and Keys

The first part references the generation of a self-signed cert here. You do not need to run the script at the top; instead, skip down to the mapping of the generated files and make the following substitutions (we assume you have ssl.key, ssl.crt and rootCA.pem as single-level signed certs in a folder named 'certs/'):

Update the Director deployment manifest:

If you are using the UAA for user management, additionally put certificates in these properties:

That's it. Continue with the rest of step 7 and all the subsequent steps. When done, you should be able to log in using UAA accounts.

Multiple/Intermediate Level Signed Certs

Let's assume you have a multiple-level signed cert like the following example rootCA.pem:


These then need to be appended anywhere you are using certs/ssl.crt.

This is why there is the note about "Include all intermediate certs". If you fail to do this, you will wind up with an error message similar to the following when you perform a bosh target:

    Invalid SSL Cert. Use --ca-cert option when setting target to specify SSL certificate

Verify Certificate Order

Once you've deployed BOSH+UAA, you can verify the order of your certificates. There is a blog post here by a wonderful author that shows you how this is done:
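As an added example that is not code from this post, the tutorial, or the blog post linked above: a POSIX shell script (assuming openssl is installed and the file names certs/ssl.crt, certs/intermediate.crt and certs/rootCA.pem, which are placeholders) that assembles the bundle described in the previous section, checks that each certificate is followed by its issuer, and verifies the chain against the root. It handles any number of intermediates, not just the two-level example.

```shell
#!/bin/sh
# Added example, not code from the original post or the linked tutorial.
# Builds the bundle the Director should serve (ssl.crt first, then every
# intermediate from rootCA.pem), checks that each certificate is followed by
# its issuer, and verifies the result against the root. File names are assumed.
set -e
# nth_cert BUNDLE N : print the N-th PEM certificate (1-based), nothing if absent.
nth_cert() {
  awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ {c++}
                 c == n {print}
                 /-----END CERTIFICATE-----/ {if (c == n) exit}' "$1"
}
# build_chain OUT LEAF INTERMEDIATE... : concatenate in exactly the order given.
build_chain() {
  out=$1; shift
  cat "$@" > "$out"
}
# check_chain_order BUNDLE : issuer of cert i must equal subject of cert i+1.
# Returns 0 when the whole bundle is consistent, 1 at the first mismatch.
check_chain_order() {
  bundle=$1; i=1
  while :; do
    cur=$(nth_cert "$bundle" "$i")
    nxt=$(nth_cert "$bundle" $((i + 1)))
    [ -n "$nxt" ] || return 0
    issuer=$(printf '%s\n' "$cur" | openssl x509 -noout -issuer | sed 's/^[^=]*=//')
    subject=$(printf '%s\n' "$nxt" | openssl x509 -noout -subject | sed 's/^[^=]*=//')
    if [ "$issuer" != "$subject" ]; then
      echo "cert $i is issued by '$issuer' but cert $((i + 1)) is '$subject'" >&2
      return 1
    fi
    i=$((i + 1))
  done
}
# verify_chain ROOT BUNDLE : cryptographic check of the leaf against ROOT, with the
# rest of the bundle as untrusted intermediates (what a client with --ca-cert does).
verify_chain() {
  leaf=$(mktemp)
  nth_cert "$2" 1 > "$leaf"
  if openssl verify -CAfile "$1" -untrusted "$2" "$leaf" > /dev/null; then rc=0; else rc=1; fi
  rm -f "$leaf"
  return $rc
}
# Usage: sh check-chain.sh certs/rootCA.pem certs/ssl.crt certs/intermediate.crt [...]
if [ $# -ge 3 ]; then
  root=$1; shift
  build_chain ssl-chain.crt "$@"
  check_chain_order ssl-chain.crt && verify_chain "$root" ssl-chain.crt && echo "ssl-chain.crt OK"
fi
```

A mismatch reports which position in the bundle is out of order, so you can fix the concatenation before the CLI reports "Invalid SSL Cert".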

Configure Health Manager's Connections

You will also need to configure Health Manager on the Director to log in with client credentials instead of local BOSH logins; see this blog post for more information: