I am developing an app to run in Cloud Foundry.
- The app makes constant connections to a web service using https protocol.
- The web service uses a self-signed certificate/key pair created by openssl.
- As there is no DNS setup, I am using the IP address as the Common Name (CN) in the SSL certificate.
- However, the web service IP address varies from time to time. The SSL certificate has to be re-generated each time.
- In order for the app to connect, it needs to trust the SSL certificate so I have been packaging the public key for the web service’s SSL cert as a file with my app.
The problem is that I have to re-upload the app to Cloud Foundry once the public key of the SSL cert changes.
Here are some possible solutions:
- Register a host name in DNS. In that case, the certificate is only bound to the host name. (Might not be possible because of the budget.)
- Create a private CA and issue certificates from the CA, then install the CA as the trusted CA on the client. It is feasible and a common way for internal services. However, what if the app is pushed to the CF? How can we configure the node for the certs?
- Disable the SSL server authentication. Not sure whether it would put the app at risk if the authentication is skipped. For the time being, the app pulls data from the web service.
- I've been thinking of keeping the public key in the database. In that case, I don't need to re-upload the app to make it take effect. But I am not sure whether it is a safe way.
Question
I am seeking a common and safe way to keep the SSL server cert in a Cloud Foundry env. Are any of the above solutions viable? If not, are there any other CF-preferred ways?
Thank you
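An added example (not the asker's code) of the private-CA option on Cloud Foundry: the CA certificate is handed to the app by the platform, either as a user-provided service that shows up in `VCAP_SERVICES` or as a plain environment variable, so rotating it only needs a service update and `cf restart`, not a re-push. The service name `web-service-ca`, the credential key `ca_cert` and the variable `WEB_SERVICE_CA_PEM` are assumptions chosen for this example; the client trusts only that CA and refuses to run without one rather than disabling verification.

```python
import json
import os
import ssl
import urllib.request

SERVICE_CREDENTIAL_KEY = "ca_cert"       # assumed key given to `cf cups web-service-ca -p ...`
ENV_FALLBACK = "WEB_SERVICE_CA_PEM"      # assumed: `cf set-env APP WEB_SERVICE_CA_PEM "$(cat ca.pem)"`


def trust_anchor_pem(env):
    """Return the private CA certificate PEM injected by the platform, or None.

    A user-provided service bound to the app appears in VCAP_SERVICES; a plain
    environment variable is the fallback. Nothing is baked into the droplet.
    """
    vcap = env.get("VCAP_SERVICES")
    if vcap:
        for instances in json.loads(vcap).values():
            for inst in instances:
                pem = inst.get("credentials", {}).get(SERVICE_CREDENTIAL_KEY)
                if pem:
                    return pem
    return env.get(ENV_FALLBACK)


def client_context():
    """Client context that fails closed: peer cert required, name/IP checked."""
    # PROTOCOL_TLS_CLIENT sets verify_mode=CERT_REQUIRED and check_hostname=True.
    # An IP literal is matched against subjectAltName iPAddress entries, so the
    # server cert should carry the IP in a SAN, not only in the CN.
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def context_is_verifying(ctx):
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def verifying_context(pem):
    """Context that trusts ONLY the injected CA; never fall back to CERT_NONE."""
    if not pem:
        raise RuntimeError("no trust anchor configured; refusing to connect unverified")
    ctx = client_context()
    ctx.load_verify_locations(cadata=pem)   # raises ssl.SSLError on unparsable PEM
    return ctx


def fetch(url, ctx):
    """Pull data from the web service over a verified TLS connection."""
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    ctx = verifying_context(trust_anchor_pem(os.environ))
    print(fetch(os.environ.get("WEB_SERVICE_URL", "https://10.0.0.1/data"), ctx))
```

With the service approach, a new CA is rolled out with `cf update-user-provided-service web-service-ca -p '{"ca_cert": "..."}'` followed by `cf restart`; the server certificate itself can be reissued from that CA as often as the IP changes without touching the app.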