Upload DAR to SSL-Enabled Sandbox via CLI

Hi, I was trying to run my unit test to test the sandbox’s SSL features.
This is command that I used:

daml sandbox --dar xxx.dar --cacrt -xxx.crt --pem xxx.pem --key xxx.key

I tried with different command and got the error attached below:


According to this thread, it seems like daml sandbox was able to accept tls related arguments (such as --pem etc).

This was for the sandbox that shipped with Daml 1.x (specifically Daml 1.11 in the thread you pointed to). Since Daml 2.0, the “sandbox” is a thin wrapper around a single-node Canton ledger. To configure SSL you’ll have to run daml sandbox -c <path/to/canton.conf>. You can find more details on how to configure SSL for the Ledger API here.

Hi @stefanobaghino-da , below is the sample config:

canton.participants.sandbox.ledger-api {
  address = vincent.canton.app
  port = 8888
  tls {
    // the certificate to be used by the server
    cert-chain-file = "./vincekey/participant.crt"
    // private key of the server
    private-key-file = "./vincekey/participant.pem"
    // trust collection, which means that all client certificates will be verified using the trusted
    // certificates in this store. if omitted, the JVM default trust store is used.
    trust-collection-file = "./vincekey/root-ca.crt"
    // define whether clients need to authenticate as well (default not)
    client-auth = {
      // none, optional and require are supported
      type = require
      // If clients are required to authenticate as well, we need to provide a client
      // certificate and the key, as Canton has internal processes that need to connect to these
      // APIs. If the server certificate is trusted by the trust-collection, then you can
      // just use the server certificates. Otherwise, you need to create separate ones.
      admin-client {
        cert-chain-file = "./vincekey/admin-client.crt"
        private-key-file = "./vincekey/admin-client.pem"

Output as below:

But if I did it separately,

Upload dar without the key:

With the key, it can upload successfully.

For anything more complex than quick local development and testing, I would recommend you use the Canton Console (reference). It offers a more complete set of options and commands to interact with Canton and it’s also what you’ll likely use against a production ledger. See here for example how to upload DARs.