Using the cf CLI with a Self-Signed Certificate

Page last updated:

This topic describes how developers can use the cf CLI to communicate securely with a CF deployment without specifying --skip-ssl-validation under the following circumstances:

• The deployment uses a self-signed certificate.
• The deployment uses a certificate that is signed by a self-signed certificate authority (CA), or a certificate signed by a certificate that’s signed by a self-signed CA.

Before following the procedure below, the developer must obtain either the self-signed certificate or the intermediate and CA certificates used to sign the deployment’s certificate. The developer can obtain these certificates from the CFAR operator or from the deployment manifest. For more information about how to retrieve certificates from the deployment manifest, see Securing Traffic into CFAR.

Install the Certificate on Local Machines

The certificates that developers must insert into their local truststore vary depending on the configuration of the deployment.

• If the deployment uses a self-signed certificate, the developer must insert the self-signed certificate into their local truststore.
• If the deployment uses a certificate that is signed by a self-signed certificate authority (CA), or a certificate signed by a certificate that’s signed by a self-signed CA, the developer must insert the self-signed certificate and any intermediate certificates into their local truststore.

Installing the Certificate on Mac OS X

Enter the following command to place a certificate file server.crt into your local truststore:

$ sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain server.crt

Installing the Certificate on Linux

Perform the following steps specific to your distribution to place the certificate file server.crt into your truststore:

• Debian/Ubuntu/Gentoo:

  $ cat server.crt >> /etc/ssl/certs/ca-certificates.crt

• Fedora/RHEL:

  $ cat server.crt >> /etc/pki/tls/certs/ca-bundle.crt

The above example will set certificate permanently on your machine across all users and requires sudo permissions. You can also run the following command to set certificate in your current terminal/script:

$ export SSL_CERT_FILE=/path/to/server.crt

or

$ export SSL_CERT_DIR=/path/to/server/dir

Installing the Certificate on Windows

1. Right-click on the certificate file and click Install Certificate.

2. Choose to install the certificate as the Current User or Local Machine. Choose the Trusted Root Certification Authorities as the certification store.