Configure the CLI to trust a Deploy server certificate
This topic addresses how to resolve SSL handshake issues with Deploy when using a self-signed certificate by configuring a dedicated truststore for the command-line interface (CLI).
If you configured your Deploy server to use a self-signed certificate, you will notice that trying to connect with a normal command-line interface (CLI) configuration will fail:
C:\...\xl-deploy-5.5.0-cli>bin\cli.cmd -secure
Username: admin
Password:
Exception in thread "main" java.lang.IllegalStateException: Could not contact the server at https://127.0.0.1:4517/deployit
...
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.Validator
Exception: PKIX path building failed: sun.security.provider.certpath.SunCertPath
BuilderException: unable to find valid certification path to requested target
To instruct the CLI to trust a server certificate, you must configure a truststore for the CLI. Usually, you do not want to modify the JRE's global truststore for this purpose. This topic describes how to create a dedicated truststore for your CLI.
For more information, see Generate a certificate.
Step 1 Export the server certificate
Export the self-signed certificate from XL_DEPLOY_SERVER_HOME/conf:
keytool -export -keystore keystore.jks -alias jetty -file XLDeployServerCert.cer
For more information on the keytool utility, see the Oracle documentation.
Step 2 Import the certificate as a trusted certificate
Import the certificate as a trusted certificate into a separate truststore for the CLI.
keytool -import -alias XLDeployServerCert -file XLDeployServerCert.cer -keystore myCliTruststore.jks
Step 3 Move the truststore to the CLI installation
Move myCliTruststore.jks from XL_DEPLOY_SERVER_HOME/conf to XL_DEPLOY_CLI_HOME/conf.
Step 4 Configure the CLI to use the truststore
Set the CLI options, or change XL_DEPLOY_CLI_HOME/bin/cli.sh or cli.cmd, to use the truststore. Use the password specified when creating the truststore in the step above:
export DEPLOYIT_CLI_OPTS="-Xmx512m -XX:MaxPermSize=256m -Djavax.net.ssl.trustStore=conf/myCliTruststore.jks -Djavax.net.ssl.trustStorePassword=secret"
Step 5 Start the CLI
You can now start the CLI. Ensure that you use the hostname listed in the certificate:
C:\...\xl-deploy-5.5.0-cli>bin\cli.cmd -secure -host localhost
Username: admin
Password:
Welcome to the Deploy Jython CLI!
Type 'help' to learn about the objects you can use to interact with Deploy.
Note: If you are creating a new self-signed certificate with a hostname other than localhost, use the certificate alias jetty when importing it into the keystore. For more information, see Update the Deploy digital certificate.
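Steps 1 and 2 as one script, added here as an example that is not part of the original documentation. It prints the subject and SHA-256 fingerprint of the certificate before trusting it and confirms that the new truststore holds a certificate entry only. It assumes a POSIX shell with keytool on the PATH; the environment variable names SERVER_KS_PASS and CLI_TS_PASS are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code). Store passwords are read from the exported
# environment variables SERVER_KS_PASS and CLI_TS_PASS (hypothetical names) via
# keytool's -storepass:env modifier, so they do not appear in the process list.

# cert_subject FILE: print the subject DN; its CN is the name to pass to -host.
cert_subject() {
    keytool -printcert -file "$1" | sed -n 's/^Owner: //p' | head -n 1
}

# cert_sha256 FILE: print the SHA-256 fingerprint for out-of-band comparison.
cert_sha256() {
    keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256: //p' | head -n 1
}

# build_cli_truststore SERVER_KEYSTORE CERT_FILE TRUSTSTORE
build_cli_truststore() {
    server_ks=$1; cert=$2; truststore=$3
    # Refuse to extend an existing store: the CLI should trust this certificate only.
    if [ -e "$truststore" ]; then
        echo "refusing to modify existing $truststore" >&2; return 1
    fi
    # Step 1: export the public certificate stored under the alias jetty.
    keytool -exportcert -keystore "$server_ks" -storepass:env SERVER_KS_PASS \
        -alias jetty -file "$cert" >/dev/null 2>&1 || return 1
    # -noprompt below skips keytool's interactive "Trust this certificate?" question,
    # so show what is about to be trusted.
    echo "subject: $(cert_subject "$cert")" >&2
    echo "sha256:  $(cert_sha256 "$cert")" >&2
    # Step 2: import it as the only entry of a new, dedicated truststore.
    keytool -importcert -noprompt -alias XLDeployServerCert -file "$cert" \
        -keystore "$truststore" -storepass:env CLI_TS_PASS >/dev/null 2>&1 || return 1
    # Only the owner may add or replace trust anchors.
    chmod 600 "$truststore"
    # Confirm the entry is a certificate, not a private key entry.
    keytool -list -keystore "$truststore" -storepass:env CLI_TS_PASS \
        -alias XLDeployServerCert 2>/dev/null | grep -q trustedCertEntry
}
```

Compare the printed fingerprint with the one shown on the server before moving the truststore to XL_DEPLOY_CLI_HOME/conf.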