# Installing the server’s self-signed certificate
If your SonarQube server is [operating-the-server](https://docs.sonarsource.com/sonarqube-server/10.4/setup-and-upgrade/configure-and-operate-a-server/operating-the-server "mention") and a self-signed certificate (or more generally, an SSL certificate that is not signed by an authority trusted by Java) then you must install the self-signed certificate into the Java truststore of your CI/CD host machine otherwise the scanner will not be able to connect to the server and the analysis will fail.
## General procedure
JVM comes with a default truststore called `cacerts`. It resides in`\jre\lib\security\cacerts`.
To install the certificate into the truststore, use the JVM tool `keytool`. The instructions depend on your operating system and you will find many resources online, such as [this one](https://www.ibm.com/docs/en/tnpm/1.4.2?topic=security-import-certificate-jre-keystore) for Linux.
## If running the scanner with Docker
If you need to configure a self-signed certificate for the scanner to communicate with your SonarQube instance, you can use a volume under `/tmp/cacerts` to add it to the containers java trust store:
```css-79elbk
docker pull sonarsource/sonar-scanner-cli
docker run \
--rm \
-v ${YOUR_CERTS_DIR}/cacerts:/tmp/cacerts \
-v ${YOUR_CACHE_DIR}:/opt/sonar-scanner/.sonar/cache \
-v ${YOUR_REPO}:/usr/src \
-e SONAR_HOST_URL="http://${SONARQUBE_URL}" \
sonarsource/sonar-scanner-cli
```
Alternatively, you can create your own container that includes the modified `cacerts` file. Create a `Dockerfile` with the following contents:
```css-79elbk
FROM sonarsource/sonar-scanner-cli
COPY cacerts /usr/lib/jvm/default-jvm/jre/lib/security/cacerts
```
Then, assuming both the `cacerts` and `Dockerfile` are in the current directory, create the new image with a command such as:
```css-79elbk
docker build --tag our-custom/sonar-scanner-cli .
```