- Notas de versão do UiPath CLI
- Notas de versão da extensão do Azure DevOps
- Notas de versão do plug-in do Jenkins
Notas de versão de integrações de CI/CD
Release date: May 1, 2026
- Add
--ca-certand--pinnedpubkeyparameters for custom TLS trust on internal-PKI Orchestrators
Novidades
Trusting custom certificates
Two new optional parameters are available on every authenticated CLI verb (every solution, package, asset, job, and test command). They let the CLI connect to Orchestrator instances whose TLS certificates are not signed by a publicly trusted CA, without modifying the operating system's trust store.
--ca-cert
Provides one or more additional trusted root CA certificates that the CLI will accept when validating the server. The flag is additive - your system trust store still works for everything else; this just expands what's accepted on top.
uipcli ... --ca-cert "C:\certs\as-root.pem"
uipcli ... --ca-cert "C:\certs\as-root.pem"
Supported certificate file formats:
- PEM - text format with
-----BEGIN CERTIFICATE-----markers. A single file may contain multiple concatenated certs (a "bundle"). - DER - binary X.509.
- PKCS#7 (
.p7b,.p7c) - cert collection without private keys, the format Windowscertmgrexports by default.
PFX/PKCS#12 (.pfx, .p12) is not supported - those carry private keys and are intended for client identity, not server trust.
Multiple certificates:
You can supply multiple roots when connecting to several internal Orchestrators with different cluster CAs, or when bundling a corporate root alongside an Automation Suite root. Three equivalent forms:
--ca-cert "C:\certs\as-root.pem" --ca-cert "C:\certs\corp-root.pem"
--ca-cert "C:\certs\as-root.pem,C:\certs\corp-root.pem"
--ca-cert "C:\certs\bundle.pem" # single PEM file containing both roots
--ca-cert "C:\certs\as-root.pem" --ca-cert "C:\certs\corp-root.pem"
--ca-cert "C:\certs\as-root.pem,C:\certs\corp-root.pem"
--ca-cert "C:\certs\bundle.pem" # single PEM file containing both roots
--pinnedpubkey
Pins the server's leaf certificate public key to a specific SHA-256 hash. Format is curl-compatible: sha256// followed by the base64 hash of the SubjectPublicKeyInfo.
uipcli ... --pinnedpubkey "sha256//5FAF491D9F7AC8274B1353B9E2E9317733033EFC22341ABAEA6466037D5123EE="
uipcli ... --pinnedpubkey "sha256//5FAF491D9F7AC8274B1353B9E2E9317733033EFC22341ABAEA6466037D5123EE="
The pin is checked in addition to standard certificate validation, not instead of it. When connecting to an Orchestrator with a private CA, pass --ca-cert together with --pinnedpubkey.
When to use these parameters
- Connecting to UiPath Automation Suite - the cluster's TLS cert is signed by a self-signed
UiPath AS Root CA. Pass--ca-certpointing at the cluster's exported root cert. - CI/CD runners where you can't install certificates system-wide - workers running ephemerally or under a service account often can't modify the trust store. Use
--ca-certto scope trust to the CLI invocation only. - Multiple Orchestrator targets in one pipeline - supply each cluster's root via repeated
--ca-certflags. - Extra protection against compromised public CAs - add
--pinnedpubkeyso a misissued cert from any CA your system already trusts is rejected unless its public key matches your pin.
When neither flag is provided, the CLI behaves exactly as before - validation runs against the system trust store only.