Each app gets its own X.509 key pair that can be used for mTLS - and it's even rotated automatically! This looks like a powerful enabler for all kinds of future mTLS scenarios.
However, it looks like this key pair is currently limited to three use cases:
Gorouter to App TLS (route integrity)
Interpolation of CredHub refs into env credentials at container start time (outside of the app)
The Java buildpack automatically watches the CF_INSTANCE_CERT/CF_INSTANCE_KEY files, making sure the (changed) key pair automatically lands in the app's Java truststore/keystore.
This is very interesting, since it basically means all Java apps automagically use the key pair in all their HTTPS requests, SMTPS connections, database connections, etc.
Which means – we can use it for our use cases, too!
Why I'm interested in this:
We’re currently designing a new MySQL service
We would like to allow clients to connect with mTLS
At binding time, we would basically restrict the TLS client connection to the app it's bound to (identified by the app GUID in the
This would work out of the box with the Java buildpack and MySQL client – the Java buildpack security provider would add the keys, and the Spring Cloud Connectors MySQL connector would set up the usual JDBC connection – great UX!
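To make the binding-time restriction concrete, here is an added example in Go of the check the service side would run on a connecting client's certificate; it is not code from this post or from Cloud Foundry. It assumes (this is not stated above) that the instance identity certificate carries the app GUID in a subject OU of the form app:<guid>, next to organization:<guid> and space:<guid> OUs, and it builds its own throwaway CA and certificates with made-up GUIDs so that it runs offline; a real service would trust the platform's instance identity CA instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// appGUIDFromCert pulls the app GUID out of an instance identity certificate.
// Assumption (not stated in the post): the subject carries OUs shaped like
// "organization:<guid>", "space:<guid>" and "app:<guid>".
func appGUIDFromCert(cert *x509.Certificate) (string, error) {
	for _, ou := range cert.Subject.OrganizationalUnit {
		if strings.HasPrefix(ou, "app:") {
			return strings.TrimPrefix(ou, "app:"), nil
		}
	}
	return "", fmt.Errorf("client certificate has no app: OU")
}

// authorizeClient is the check the MySQL service would run on a connecting client:
// verify the chain against the platform's instance identity CA (a valid chain alone
// only proves "some app on this foundation"), then require the bound app's GUID.
func authorizeClient(leaf *x509.Certificate, identityCA *x509.CertPool, boundAppGUID string) error {
	opts := x509.VerifyOptions{Roots: identityCA, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain verification failed: %w", err)
	}
	got, err := appGUIDFromCert(leaf)
	if err != nil {
		return err
	}
	if got != boundAppGUID {
		return fmt.Errorf("certificate is for app %s, binding belongs to app %s", got, boundAppGUID)
	}
	return nil
}

// issue creates a P-256 key and a certificate for tmpl signed by parent/signer
// (self-signed when signer is nil). Constructed stand-in for the platform's PKI.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced; always parses
	return cert, key
}

func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "instanceIdentityCA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	return issue(tmpl, tmpl, nil)
}

// newInstanceCert issues a leaf shaped like CF_INSTANCE_CERT for one app instance
// (CN = instance GUID, OUs = org/space/app GUIDs). All GUID values are made up.
func newInstanceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, org, space, app, inst string) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: inst, OrganizationalUnit: []string{"organization:" + org, "space:" + space, "app:" + app}},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	cert, _ := issue(tmpl, ca, caKey)
	return cert
}

// demo runs the binding check for the bound app, a different app GUID, and a look-alike cert from an untrusted CA.
func demo() (boundApp, otherApp, foreignCA error) {
	ca, caKey := newCA()
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	leaf := newInstanceCert(ca, caKey, "org-1111", "space-2222", "app-3333", "inst-4444")
	boundApp = authorizeClient(leaf, pool, "app-3333")
	otherApp = authorizeClient(leaf, pool, "app-9999")
	rogueCA, rogueKey := newCA()
	forged := newInstanceCert(rogueCA, rogueKey, "org-1111", "space-2222", "app-3333", "inst-4444")
	foreignCA = authorizeClient(forged, pool, "app-3333")
	return
}

func main() {
	b, o, f := demo()
	fmt.Printf("bound app: %v\nother app: %v\nforeign CA: %v\n", b, o, f)
}
```

The point of doing both steps is that a certificate signed by the platform CA only proves the client is some app on the foundation; comparing the OU against the GUID stored with the binding is what ties the MySQL credential to one app. In a real server, authorizeClient's GUID comparison would sit in a tls.Config VerifyPeerCertificate callback with ClientAuth set to tls.RequireAndVerifyClientCert, since the callback already receives chains verified against ClientCAs.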