Using the cf CLI with a Self-Signed Certificate
Page last updated:
This topic describes how developers can use the cf CLI to communicate securely with a CF deployment without specifying
--skip-ssl-validation under the following circumstances:
- The deployment uses a self-signed certificate.
- The deployment uses a certificate that is signed by a self-signed certificate authority (CA), or a certificate signed by a certificate that’s signed by a self-signed CA.
Before following the procedure below, the developer must obtain either the self-signed certificate or the intermediate and CA certificates used to sign the deployment’s certificate. The developer can obtain these certificates from the CFAR operator or from the deployment manifest. For more information about how to retrieve certificates from the deployment manifest, see Securing Traffic into CFAR.
The certificates that developers must insert into their local truststore vary depending on the configuration of the deployment.
- If the deployment uses a self-signed certificate, the developer must insert the self-signed certificate into their local truststore.
- If the deployment uses a certificate that is signed by a self-signed certificate authority (CA), or a certificate signed by a certificate that’s signed by a self-signed CA, the developer must insert the self-signed certificate and any intermediate certificates into their local truststore.
Enter the following command to place a certificate file
server.crt into your local truststore:
$ sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain server.crt
Perform the following steps specific to your distribution to place the certificate file
server.crt into your truststore:
$ cat server.crt >> /etc/ssl/certs/ca-certificates.crt
$ cat server.crt >> /etc/pki/tls/certs/ca-bundle.crt
The above example will set certificate permanently on your machine across all users and requires sudo permissions. You can also run the following command to set certificate in your current terminal/script:
$ export SSL_CERT_FILE=/path/to/server.crt
$ export SSL_CERT_DIR=/path/to/server/dir
Right-click on the certificate file and click Install Certificate.
Choose to install the certificate as the Current User or Local Machine. Choose the Trusted Root Certification Authorities as the certification store.