Self signed SSL certs and designer

I am currently using a self-signed CA certificate and cannot launch Designer from another machine. I get the following error:

Error launching application:
sslhandshakeexception pkix path building failed
sun.security.provider.certpath.suncertpathbuilderexception: unable to find valid certification path to requested target

I tried adding the certificate to Java with keytool:

keytool -importcert -alias Example -keystore "C:\Program Files (x86)\Java\jre1.8.0_351\lib\security\cacerts" -file "C:\Users*****\https___10.10.211.180_8043.crt"

After restarting Java I still have the same error. What do I need to do to trust the certificate? Or am I going about this all wrong? When it moves to production I will purchase a "real" cert for the public IP. Should I allow 8088 connections and block that port at the network level for the WAN?

You just need to add it to the right KeyStore.

https://docs.inductiveautomation.com/display/DOC81/Security+Certificates#SecurityCertificates-AddingSecurityCertificatesintoKeyStores

https://docs.inductiveautomation.com/display/DOC81/Launcher+Settings#LauncherSettings-AddingSecurityCertificatestoClients

Make sure you're adding the root CA cert, not the leaf cert.

That worked. I was missing the cert in

{user folder}\.ignition\clientlauncher-data\certificates

I looked at that documentation in my troubleshooting and thought that applied to the "Vision Client" while I was going to battle with the Designer. Thank you.

Also just to add some implementation details, these "supplemental certificate" locations are just places we look for certificates to import into the main cacerts KeyStore, so you could still use that mechanism directly. You just need to be targeting the one from the embedded runtimes, not some leftover Java 8 install on your system. The benefit of using the supplemental folder, though, is that when we upgrade the runtimes they'll get imported again and continue to work.

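An added example, not part of the thread or of Ignition's own tooling: a shell check for the advice above to add the root CA certificate rather than the leaf, run before a file is copied into a trust location. It assumes OpenSSL on PATH and PEM-encoded input; the function names, the constructed test chain and the destination directory argument are illustrative.

```shell
# Added example (not from the thread). Assumes OpenSSL on PATH and PEM input.

# Print root-ca, intermediate-ca, self-signed-leaf or leaf for a certificate.
classify_cert() {
    subj=$(openssl x509 -in "$1" -noout -subject_hash) || return 2
    issr=$(openssl x509 -in "$1" -noout -issuer_hash) || return 2
    is_ca=no
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then is_ca=yes; fi
    # "self" means self-issued: the subject name equals the issuer name.
    case "$is_ca:$([ "$subj" = "$issr" ] && echo self || echo other)" in
        yes:self)  echo root-ca ;;
        yes:other) echo intermediate-ca ;;
        no:self)   echo self-signed-leaf ;;
        *)         echo leaf ;;
    esac
}

# Copy a certificate into dest_dir ($2) only if it is a root CA.
# dest_dir is chosen by the caller (hypothetical parameter).
stage_root_cert() {
    kind=$(classify_cert "$1") || return 2
    if [ "$kind" != root-ca ]; then
        echo "refusing $1: $kind, not a root CA" >&2
        return 1
    fi
    mkdir -p "$2" && cp "$1" "$2/"
}

# Constructed sample input: a throwaway root CA and a leaf it signs, in dir $1.
make_constructed_chain() {
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' '[dn]' \
        'CN = Constructed Test Root' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
        '[v3_leaf]' 'basicConstraints = CA:FALSE' > "$1/openssl.cnf"
    openssl req -x509 -config "$1/openssl.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -keyout "$1/ca.key" -out "$1/ca.crt" -days 1 2>/dev/null || return 1
    openssl req -new -config "$1/openssl.cnf" -subj "/CN=gateway.example" \
        -newkey rsa:2048 -nodes -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -extfile "$1/openssl.cnf" -extensions v3_leaf \
        -out "$1/leaf.crt" -days 1 2>/dev/null
}
```

A certificate exported from the browser for the gateway's address will typically classify as `leaf` or `self-signed-leaf`; only a file reported as `root-ca` gets staged.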