Using the cf CLI with a Self-Signed Certificate
This topic describes how developers can use the cf CLI to communicate securely with a PWS deployment without specifying --skip-ssl-validation
under the following circumstances:
- The deployment uses a self-signed certificate.
- The deployment uses a certificate that is signed by a self-signed certificate authority (CA), or a certificate signed by a certificate that’s signed by a self-signed CA.
Install the Certificate on Local Machines
The certificates that developers must insert into their local truststore vary depending on the configuration of the deployment.
- If the deployment uses a self-signed certificate, the developer must insert the self-signed certificate into their local truststore.
- If the deployment uses a certificate that is signed by a self-signed certificate authority (CA), or a certificate signed by a certificate that’s signed by a self-signed CA, the developer must insert the self-signed certificate and any intermediate certificates into their local truststore.
Installing the Certificate on Mac OS X
Enter the following command to place a certificate file server.crt
into your local truststore:
$ sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain server.crt
Installing the Certificate on Linux
Perform the following steps specific to your distribution to place the certificate file server.crt
into your truststore:
- Debian/Ubuntu/Gentoo:
$ cat server.crt >> /etc/ssl/certs/ca-certificates.crt
- Fedora/RHEL:
$ cat server.crt >> /etc/pki/tls/certs/ca-bundle.crt
The above example will set certificate permanently on your machine across all users and requires sudo permissions. You can also run the following command to set certificate in your current terminal/script:
$ export SSL_CERT_FILE=/path/to/server.crt
or
$ export SSL_CERT_DIR=/path/to/server/dir
Installing the Certificate on Windows
Right-click on the certificate file and click Install Certificate.
Choose to install the certificate as the Current User or Local Machine. Choose the Trusted Root Certification Authorities as the certification store.