# 25.10.15

> 25.10.15 release notes for CI/CD Integrations.

**Release date: May 1, 2026**

## What's new

### Trusting custom certificates

Two new optional parameters are available on every authenticated CLI verb (every `solution`, `package`, `asset`, `job`, and `test` command). They let the CLI connect to Orchestrator instances whose TLS certificates are not signed by a publicly trusted CA, without modifying the operating system's trust store.

#### `--ca-cert`

Provides one or more additional trusted root CA certificates that the CLI will accept when validating the server. The flag is additive - your system trust store still works for everything else; this just expands what's accepted on top.

```
uipcli ... --ca-cert "C:\certs\as-root.pem"
```

##### Supported certificate file formats

- **PEM** - text format with `-----BEGIN CERTIFICATE-----` markers. A single file may contain multiple concatenated certs (a "bundle").
- **DER** - binary X.509.
- **PKCS#7** (`.p7b`, `.p7c`) - cert collection without private keys, the format Windows `certmgr` exports by default.

PFX/PKCS#12 (`.pfx`, `.p12`) is **not** supported - those carry private keys and are intended for client identity, not server trust.

##### Multiple certificates

You can supply multiple roots when connecting to several internal Orchestrators with different cluster CAs, or when bundling a corporate root alongside an Automation Suite root. Three equivalent forms:

```
--ca-cert "C:\certs\as-root.pem" --ca-cert "C:\certs\corp-root.pem"
--ca-cert "C:\certs\as-root.pem,C:\certs\corp-root.pem"
--ca-cert "C:\certs\bundle.pem"          # single PEM file containing both roots
```

#### `--pinnedpubkey`

Pins the server's leaf certificate public key to a specific SHA-256 hash. Format is curl-compatible: `sha256//` followed by the base64 hash of the SubjectPublicKeyInfo.

```
uipcli ... --pinnedpubkey "sha256//5FAF491D9F7AC8274B1353B9E2E9317733033EFC22341ABAEA6466037D5123EE="
```

The pin is checked **in addition to** standard certificate validation, not instead of it. When connecting to an Orchestrator with a private CA, pass `--ca-cert` together with `--pinnedpubkey`.

### When to use these parameters

- **Connecting to UiPath Automation Suite** - the cluster's TLS cert is signed by a self-signed `UiPath AS Root CA`. Pass `--ca-cert` pointing at the cluster's exported root cert.
- **CI/CD runners where you can't install certificates system-wide** - workers running ephemerally or under a service account often can't modify the trust store. Use `--ca-cert` to scope trust to the CLI invocation only.
- **Multiple Orchestrator targets in one pipeline** - supply each cluster's root via repeated `--ca-cert` flags.
- **Extra protection against compromised public CAs** - add `--pinnedpubkey` so a misissued cert from any CA your system already trusts is rejected unless its public key matches your pin.

When neither flag is provided, the CLI behaves exactly as before - validation runs against the system trust store only.
