Using the cf CLI with a Self-Signed Certificate
Warning: Pivotal Cloud Foundry (PCF) v2.4 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.
This topic describes how developers can use the cf CLI to communicate securely with a Pivotal Cloud Foundry (PCF) deployment without specifying --skip-ssl-validation under the following circumstances:
- The deployment uses a self-signed certificate.
- The deployment uses a certificate that is signed by a self-signed certificate authority (CA), or a certificate signed by a certificate that’s signed by a self-signed CA.
Before following the procedure below, the developer must obtain either the self-signed certificate or the intermediate and CA certificate(s) used to sign the deployment’s certificate. The developer can obtain these certificates from the PCF operator.
The certificates that developers must insert into their local truststore vary depending on the configuration of the deployment.
- If the deployment uses a self-signed certificate, the developer must insert the self-signed certificate into their local truststore.
- If the deployment uses a certificate that is signed by a self-signed certificate authority (CA), or a certificate signed by a certificate that’s signed by a self-signed CA, the developer must insert the self-signed certificate and any intermediate certificates into their local truststore.
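The distinction above can be checked locally with OpenSSL. The following is an added example, not part of the PCF documentation: it builds a throwaway self-signed CA and a server certificate signed by it (all names are constructed), then shows that the CA certificate, not the server certificate, is what makes verification succeed.

```shell
#!/bin/sh
# Added example (not from the PCF docs). Creates a self-signed CA and a server
# certificate signed by it, then checks which file must be trusted for
# `openssl verify` to succeed. All names below are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Explicit configs so the result does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = example-pcf-ca
[v3_ca]
basicConstraints = critical, CA:TRUE
EOF
cat > server.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = api.example-pcf.test
EOF

# Self-signed CA (issuer == subject) and a server certificate signed by that CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config ca.cnf \
  -keyout ca.key -out ca.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config server.cnf \
  -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 1 -out server.crt 2>/dev/null

# verify_with BUNDLE CERT: "ok" if CERT chains to a trusted root in BUNDLE.
verify_with() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# is_self_signed CERT: "yes" when issuer and subject hashes match.
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -issuer_hash)" = \
    "$(openssl x509 -in "$1" -noout -subject_hash)" ] && echo yes || echo no
}

echo "ca.crt self-signed: $(is_self_signed ca.crt); server.crt self-signed: $(is_self_signed server.crt)"
echo "trusting ca.crt     -> $(verify_with ca.crt server.crt)"
echo "trusting server.crt -> $(verify_with server.crt server.crt)"
```

Only the self-signed CA certificate (plus any intermediates) belongs in the truststore; trusting the server certificate alone does not give the cf CLI a chain to a trusted root.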
On macOS, enter the following command to place the certificate file server.crt into your local truststore:
$ sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain server.crt
On Linux, perform the step specific to your distribution to place the certificate file server.crt into your truststore.
On Debian and Ubuntu:
$ cat server.crt >> /etc/ssl/certs/ca-certificates.crt
On Red Hat Enterprise Linux, CentOS, and Fedora:
$ cat server.crt >> /etc/pki/tls/certs/ca-bundle.crt
The commands above trust the certificate permanently for all users on the machine and require root (sudo) permissions. To trust the certificate only in your current terminal session or script instead, set the following environment variables:
$ export SSL_CERT_FILE=/path/to/server.crt
$ export SSL_CERT_DIR=/path/to/server/dir
On Windows, right-click the certificate file and click Install Certificate.
Choose whether to install the certificate for the Current User or the Local Machine, and select Trusted Root Certification Authorities as the certificate store.