# How to Connect to External Servers Via HTTPS

Under normal circumstances, connecting to external systems (source code repositories, issue trackers, etc.) via HTTPS does not require any configuration; Teamscale will use the default Java certificate store and, if it contains a valid certificate chain to validate the external system's SSL/TLS certificate, everything will work out of the box. There are circumstances, however, where you need to perform some explicit configuration.

# Using Self-Signed Certificates

If the external system is accessed via HTTPS but the certificate for the underlying SSL/TLS connections are not signed by one of the certificate authorities known to a default Java installation, Teamscale needs to be made aware of the certificate. Start by downloading the certificate in question, e.g., through your web browser, and store it in DER format (.cer file extension).

Next, create a keystore that contains that certificate using the keytool command line tool (located in the bin folder of the Java installation) as follows, where certificate.cer is the certificate you downloaded, keystore.jks is the keystore to be created and Alias is the alias under which to store the certificate in the keystore:

keytool -importcert -file certificate.cer -keystore keystore.jks -alias Alias

You will be prompted for a password for the keystore. Multiple certificates can be imported into the same keystore under different aliases.

After all necessary certificates have been imported, add the following to the JVM_EXTRA_ARGS entry in the file $TEAMSCALE_HOME/config/jvm.properties:

-Djavax.net.ssl.trustStore=<Path-to-Keystore-File>
-Djavax.net.ssl.trustStorePassword=<Password>

Note that this keystore will only contain the certificate(s) manually imported earlier. In case you also depend on the default certificates present on the system, you can import these into your keystore from the default installation (usually $JAVA_HOME/jre/lib/security/cacerts) using the -importkeystore command.

# Using Certificates from the Windows Certificate Store

On Windows, you can use the certificates from the operating system's build-in certificate store. by adding the following options to the entry JVM_EXTRA_ARGS in the file $TEAMSCALE_HOME/config/jvm.properties:

-Djavax.net.ssl.trustStoreType=Windows-ROOT
-Djavax.net.ssl.trustStore=NONE

# Turning Off Certificate Validation

In case the certificates are not valid (e.g., the hostname is incorrect), Java will still reject the certificates and refuse HTTPS connections to the external systems. To fix this problem, you can either install a valid certificate on the server or instruct Teamscale to not validate any SSL/TLS certificates.

To disable validation of SSL certificates, add the following to the entry JVM_EXTRA_ARGS in the file $TEAMSCALE_HOME/config/jvm.properties:

-Dcom.teamscale.disable-ssl-certificate-validation=true

Not Secure

Disabling SSL validation is strongly discouraged. It is not a secure practice.