Using the cf CLI with a Self-Signed Certificate

Pivotal Web Services End of Availability Announced
For more information, see Frequently Asked Questions.

This topic describes how developers can use the Cloud Foundry Command Line Interface (cf CLI) to communicate securely with a Cloud Foundry deployment with a self-signed certificate.

Overview

You can use the cf CLI to communicate securely with a Cloud Foundry deployment without specifying --skip-ssl-validation under these circumstances:

  • The deployment uses a self-signed certificate.

  • The deployment uses a certificate that is signed by a self-signed certificate authority (CA), or a certificate signed by a certificate that is signed by a self-signed CA.

Install the Certificate on Local Machines

The certificates you must insert into your local truststore vary depending on the configuration of your deployment.

  • If the deployment uses a self-signed certificate, the you must insert the self-signed certificate into your local truststore.

  • If the deployment uses a certificate that is signed by a self-signed CA, or a certificate signed by a certificate that is signed by a self-signed CA, you must insert the self-signed certificate and any intermediate certificates into your local truststore.

Install the Certificate on Mac OS X

To place the certificate file server.crt into your local truststore for Mac OS X:

  1. Run:

    sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain server.crt

Install the Certificate on Linux

To place the certificate file server.crt into your truststore for Linux:

  1. Run one of these commands, depending on your Linux distrubution:

    • For Debian, Ubuntu, or Gentoo, run:

      cat server.crt >> /etc/ssl/certs/ca-certificates.crt

    • For Fedora or RHEL, run:

      cat server.crt >> /etc/pki/tls/certs/ca-bundle.crt



      The examples above set the certificate permanently on your machine across all users and require sudo permissions. To set the certificate only in your current terminal or script, run one of these commands:

    • export SSL_CERT_FILE=PATH-TO-SERVER.crt
      Where PATH-TO-SERVER.crt is the filepath of the server.crt certificate file.

    • export SSL_CERT_DIR=PATH-TO-SERVER-DIRECTORY
      Where PATH-TO-SERVER-DIRECTORY is the directory of the server.crt certificate file.

Install the Certificate on Windows

To place the certificate file server.crt into your local truststore for Windows:

  1. Right-click on the certificate file.

  2. Click Install Certificate.

  3. Choose to install the certificate as the Current User or Local Machine.

  4. From the certification store list, select Trusted Root Certification Authorities.