The default Command Central and Platform Manager keystore with name demo-keystore.jks contains a signed CA certificate. However, the generated CA certificate does not contain the fully qualified name of the server host required by the client to trust the server. When the ssl-trust-all-hosts option is included, Command Central does not verify the name of the server host.

If you do not include the --ssl-trust-all-hosts option, Command Central will attempt to verify the server host name, and the client will not trust a server certificate without a fully qualified server host name. When the server host name matches the host name in the signed CA certificate, the option is ignored.