Configure the CLI to trust a Deploy server certificate
If you configured your Deploy server to use a self-signed certificate, connecting with a normal command-line interface (CLI) configuration fails:
C:\...\xl-deploy-5.5.0-cli>bin\cli.cmd -secure
Username: admin
Password:
Exception in thread "main" java.lang.IllegalStateException: Could not contact the server at https://127.0.0.1:4517/deployit
...
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
To instruct the CLI to trust a server certificate, you must configure a truststore for the CLI. Usually, you do not want to modify the JRE's global truststore for this purpose. This topic describes how to create a dedicated truststore for your CLI.
For more information, see Generate a certificate.
Step 1 Export the server certificate
Export the self-signed certificate from
keytool -export -keystore keystore.jks -alias jetty -file XLDeployServerCert.cer
For more information on the keytool utility, see Oracle documentation.
Step 2 Import the certificate as a trusted certificate
Import the certificate as a trusted certificate into a separate truststore for the CLI.
keytool -import -alias XLDeployServerCert -file XLDeployServerCert.cer -keystore myCliTruststore.jks
Step 3 Move the truststore to the CLI installation
Step 4 Configure the CLI to use the truststore
Set the CLI options, or change cli.cmd, to use the truststore. Use the password specified when creating the truststore in the step above:
export DEPLOYIT_CLI_OPTS="-Xmx512m -XX:MaxPermSize=256m -Djavax.net.ssl.trustStore=conf/myCliTruststore.jks -Djavax.net.ssl.trustStorePassword=secret"
Step 5 Start the CLI
You can now start the CLI. Ensure that you use the hostname listed in the certificate:
C:\...\xl-deploy-5.5.0-cli>bin\cli.cmd -secure -host localhost
Username: admin
Password:
Welcome to the Deploy Jython CLI!
Type 'help' to learn about the objects you can use to interact with Deploy.
Note: If you are creating a new self-signed certificate with a hostname other than localhost, use the certificate alias jetty when importing it into the keystore. For more information, see Update the Deploy digital certificate.
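
A check to run between Step 2 and Step 5, as an added example that is not part of the original documentation: it compares the SHA-256 fingerprint of the jetty entry in the server keystore with the XLDeployServerCert entry in the CLI truststore, and prints the certificate's CN to use with -host. The function names and the sample output are assumptions made for this example; the file names and aliases are the ones used in the steps above.

```shell
#!/bin/sh
# Added example (not from the Deploy documentation): confirm that the CLI
# truststore holds the same certificate as the server keystore, and read
# the hostname to pass to -host. File names and aliases follow the steps above.

# SHA-256 fingerprint from `keytool -list -v` or `keytool -printcert` output on stdin.
sha256_fp() {
  sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1 |
    tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Subject CN from the "Owner:" line of the same output on stdin.
subject_cn() {
  sed -n 's/^Owner:.*CN=\([^,]*\).*/\1/p' | head -n 1
}

# True only when both fingerprints are present and identical.
fp_match() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# check_truststore SERVER_KEYSTORE CLI_TRUSTSTORE (keytool prompts for passwords)
check_truststore() {
  src=$(keytool -list -v -keystore "$1" -alias jetty | sha256_fp)
  info=$(keytool -list -v -keystore "$2" -alias XLDeployServerCert)
  dst=$(printf '%s\n' "$info" | sha256_fp)
  if fp_match "$src" "$dst"; then
    echo "OK: truststore entry matches server certificate: $dst"
    echo "Certificate hostname (CN): $(printf '%s\n' "$info" | subject_cn)"
  else
    echo "MISMATCH: server=$src truststore=$dst" >&2
    return 1
  fi
}

# Constructed sample of keytool output (made-up fingerprint values).
SAMPLE='Owner: CN=localhost, OU=Example, O=Example, C=US
Issuer: CN=localhost, OU=Example, O=Example, C=US
Certificate fingerprints:
     SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
     SHA256: 0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9'

if [ "$#" -eq 2 ]; then
  check_truststore "$1" "$2"
else
  printf '%s\n' "$SAMPLE" | subject_cn   # demo on the constructed sample
fi
```

Run it as a script with the server keystore and the CLI truststore as arguments, for example keystore.jks and conf/myCliTruststore.jks. A mismatch means the truststore entry is not the certificate the server keystore holds, and it should not be trusted.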