Pivotal Knowledge Base


Importing self-signed certificate


For Pivotal Cloud Foundry® (PCF) installations with self-signed SSL certificates, it is always suggested to use "--skip-ssl-validation" when using cf cli tools to target to the desired API endpoints. However, there are scenarios that SSL is required either for security concerns or tools that are hard to bypass SSL validation, such as Cloud Foundry eclipse plugin.


In order to make the generated self-signed SSL certificate by default trusted by the system, it needs to be imported to the client system. Different systems use different keystores.

The simplest way to obtain the generated cert to be imported is open Ops Manager and go to the configuration page of Elastic Runtime. Choose HAProxy tab, copy the text in the Certificate PEM section (the first box of "SSL Certificate"), and paste it in a blank text file. Save the file as, say "pcf-cert.pem".

Pivotal Cloud Foundry eclipse plugin

The eclipse plugin does not have an option up to now to skip the SSL validation when trying to connect to a private PCF installation API endpoint which is using self-signed certificate. The cert needs to be imported to the keystore of the JRE the running eclipse uses.

1. Identify the exact JRE the running eclipse is using. The eclipse launcher searches runnable JRE in the sequence of "eclipse/jre", value specified in eclipse.ini and then system path variable. It does NOT refer to JAVA_HOME or any other system variables.

2. Use keytool command provided by JRE to import the obtained certificate key file to the security library of the identified JRE:

keytool -import -alias alias -keystore path-to-jre/lib/security/cacerts -file path-to-pcf-cert.pem

3. Launch eclipse, go to the dialog of creating a cloud foundry server. In the Account step, click "Manage Cloud URLs". Add the URL pointed to the API endpoint of the desired PCF installation. Click "Validate Account", there should be no error message and it is good to go!

cf cli on Windows

The steps are well explained here.

On imported the certificate to the system root certificate store, there will be no need to specify the "--skip-ssl-validation" option when running commands like cf api or cf login.

Currently importing the self-signed certificate to the system keychain on Linux and Mac OS X has some problem and hopefully can be fixed in the future release.


Powered by Zendesk