Permalink
Fetching contributors…
Cannot retrieve contributors at this time
50 lines (29 sloc) 2.5 KB
---
title: Using the cf CLI with a Self-Signed Certificate
owner: CLI
---
<strong><%= modified_date %></strong>
This topic describes how developers can use the cf CLI to communicate securely with a <%= vars.first_product_name %> deployment without specifying `--skip-ssl-validation` under the following circumstances:
* The deployment uses a self-signed certificate.
* The deployment uses a certificate that is signed by a self-signed certificate authority (CA), or a certificate signed by a certificate that’s signed by a self-signed CA.
<%= vars.self_signed %>
## <a id="install-local"></a>Install the Certificate on Local Machines ##
The certificates that developers must insert into their local truststore vary depending on the configuration of the deployment.
* If the deployment uses a self-signed certificate, the developer must insert the self-signed certificate into their local truststore.
* If the deployment uses a certificate that is signed by a self-signed certificate authority (CA), or a certificate signed by a certificate that’s signed by a self-signed CA, the developer must insert the self-signed certificate and any intermediate certificates into their local truststore.
### <a id="macosx"></a>Installing the Certificate on Mac OS X
Enter the following command to place a certificate file `server.crt` into your local truststore:
<pre class="terminal">$ sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain server.crt</pre>
### <a id="linux"></a>Installing the Certificate on Linux
Perform the following steps specific to your distribution to place the certificate file `server.crt` into your truststore:
<ul>
<li>Debian/Ubuntu/Gentoo: <pre class="terminal">$ cat server.crt >> /etc/ssl/certs/ca-certificates.crt</pre></li>
<li>Fedora/RHEL: <pre class="terminal">$ cat server.crt >> /etc/pki/tls/certs/ca-bundle.crt</pre></li>
</ul>
The above example will set certificate permanently on your machine accross all users and requires sudo permissions. You can also run the following command to set certificate in your current terminal/script:
<pre class="terminal">$ export SSL_CERT_FILE=/path/to/server.crt</pre>
or
<pre class="terminal">$ export SSL_CERT_DIR=/path/to/server/dir</pre>
### <a id="windows"></a>Installing the Certificate on Windows
1. Right-click on the certificate file and click **Install Certificate**.
1. Choose to install the certificate as the **Current User** or **Local Machine**. Choose the **Trusted Root Certification Authorities** as the certification store.