Maciej Barelkowski
I checked how custom certificates are handled in WebStorm. I can accept all untrusted certificates (insecure) or add specific certificates in the UI: 
These are the settings available in VSCode:  Note that it does not have a concept of deployment without extensions (e.g. https://marketplace.visualstudio.com/items?itemName=mkloubert.vs-deploy).
Once I set up my keychain to always trust my self-signed certificate, I was able to connect with `zbctl`. Still, I haven't been able to connect with `zeebe-node` yet.
I was able to set this up properly. You can check out the repo: https://github.com/barmac/zeebe-tls-connection-test `zeebe-node` is able to connect to the instance when I provide the certificate to the client....
I tried to set the certificate/key paths [via env variables](https://github.com/camunda-community-hub/zeebe-client-node-js#using-a-self-signed-certificate), but apparently there is a bug in `zeebe-node` which prevents us from using env variables at the moment 🤡 I...
Simple solution sketch: _Given_ I have a certificate located on my disk, I can either:
1. Run Modeler with `--zeebe-ssl-certificate` flag like so: `modeler --zeebe-ssl-certificate="/path/to/my/cert.pem"`, or
2. Configure `flags.json` file...
Regarding [the OS keychain](https://github.com/camunda/camunda-modeler/issues/3028#issuecomment-1184326575), NodeJS by default uses [bundled root certificates from Mozilla CA store](https://nodejs.org/api/tls.html#tlsrootcertificates). I believe this is the reason why the custom certificate added to a system keychain...
Some additional findings: We cannot use Electron's `net` module (which uses Chromium networking behind the scenes) because gRPC is based on Node's `http2` module while Electron's `net` can only do...
The flag-based approach can be tested with these artifacts (should be available in ~15 minutes):
- https://camunda-modeler-on-demand.s3.eu-central-1.amazonaws.com/3028-select-certificate-via-flag/camunda-modeler-3028-select-certificate-via-flag-linux-x64.tar.gz
- https://camunda-modeler-on-demand.s3.eu-central-1.amazonaws.com/3028-select-certificate-via-flag/camunda-modeler-3028-select-certificate-via-flag-mac.dmg
- https://camunda-modeler-on-demand.s3.eu-central-1.amazonaws.com/3028-select-certificate-via-flag/camunda-modeler-3028-select-certificate-via-flag-mac.zip
- https://camunda-modeler-on-demand.s3.eu-central-1.amazonaws.com/3028-select-certificate-via-flag/camunda-modeler-3028-select-certificate-via-flag-win-ia32.zip
- https://camunda-modeler-on-demand.s3.eu-central-1.amazonaws.com/3028-select-certificate-via-flag/camunda-modeler-3028-select-certificate-via-flag-win-x64.zip
@christian-konrad and I just had another meeting on this issue. We decided to implement two solutions:
* use system keychain certificates (there is no reason for CM to ignore trusted...