Trusting a Self-Signed Certificate or a New CA
You can set up TLS between the JFrog Platform and external services by trusting external service certificates.
JFrog Artifactory uses its JVM's trusted key store when verifying the Certificate Authority (CA) that signed the SSL/TLS certificate a remote site is configured with.
Artifactory will not allow an SSL/TLS connection to a remote site unless the remote site meets all of the JVM's security requirements, including validation of the certificate chain up to a trusted CA certificate.
You may need to trust an additional CA when the remote site's SSL/TLS certificate is signed by a CA that is not already included in the JVM's trusted key store.
For example, you may need to trust a self-signed certificate, or one issued by a private CA that is not in the trusted key store, used by your LDAPS server, internal proxy, OAuth server, or remote repositories.
To install custom or self-signed certificates on any other JFrog Platform service, copy the certificates into the $JFROG_HOME/<product>/var/etc/security/keys/trusted directory of every service that needs to trust them.
Downloading a Certificate
To download/acquire the certificate(s) of the SSL secured server, use the following command:
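The following shell script is an added example, not JFrog's own tooling. It fetches the certificate chain a TLS endpoint presents using openssl s_client, saves the leaf certificate and the full chain, prints the leaf's SHA-256 fingerprint, and reports whether the leaf is self-signed (trust the leaf itself) or CA-signed (trust the issuing CA instead, obtained from whoever operates that CA). It assumes openssl is on the PATH; the host names, port and output directory are placeholders. The classification reads the "Certificate chain" listing that s_client prints, so it can be exercised on captured output without network access.

```shell
#!/bin/sh
# Added example (not JFrog's code): fetch and inspect the certificate presented
# by a TLS endpoint before placing it in a trusted directory.
# Assumes: openssl on PATH. Host names used as arguments are placeholders.

# Keep only the first PEM block from `openssl s_client -showcerts` output,
# which is the server (leaf) certificate.
extract_first_cert() {
  awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{exit}'
}

# Keep only the last PEM block: the top of the chain the server sent. This is
# usually an intermediate CA; servers rarely send their root, so a private
# root CA should come from the PKI operator, not from this download.
extract_last_cert() {
  awk '/-----BEGIN CERTIFICATE-----/{buf=""; p=1}
       p{buf=buf $0 "\n"}
       /-----END CERTIFICATE-----/{p=0; last=buf}
       END{printf "%s", last}'
}

# Read the "Certificate chain" listing printed by s_client and classify the
# leaf: "self-signed" if subject and issuer are equal, "ca-signed" otherwise,
# "unknown" if no chain entry was found.
classify_leaf() {
  awk '
    / 0 s:/ { sub(/^.* 0 s:/, ""); subj=$0 }
    /^ *i:/ && subj != "" && done == 0 { sub(/^ *i:/, ""); iss=$0; done=1 }
    END {
      if (subj == "") print "unknown"
      else if (subj == iss) print "self-signed"
      else print "ca-signed"
    }'
}

# fetch_server_cert HOST PORT OUT_DIR: save HOST.crt (leaf) and HOST-chain.pem
# (all certificates sent) under OUT_DIR, then print what was received.
fetch_server_cert() {
  host=$1; port=$2; dir=$3
  raw=$(openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null)
  printf '%s\n' "$raw" | extract_first_cert > "$dir/$host.crt"
  [ -s "$dir/$host.crt" ] || { echo "no certificate received from $host:$port" >&2; return 1; }
  printf '%s\n' "$raw" | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$dir/$host-chain.pem"
  echo "leaf:   $(openssl x509 -in "$dir/$host.crt" -noout -subject -enddate | tr '\n' ' ')"
  echo "sha256: $(openssl x509 -in "$dir/$host.crt" -noout -fingerprint -sha256)"
  echo "kind:   $(printf '%s\n' "$raw" | classify_leaf)"
}

# Usage (placeholder host): ./fetch-cert.sh ldap.example.com 636 /tmp/certs
if [ $# -eq 3 ]; then
  fetch_server_cert "$1" "$2" "$3"
fi
```

Compare the printed fingerprint out of band with the owner of the service before copying the file into a trusted directory: a certificate fetched over the network is only as trustworthy as the path it travelled, and trusting a leaf you did not verify turns a one-time interception into a permanent one.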
Enabling TLS in the JFrog Platform
By default, TLS in the JFrog Platform is disabled.
When TLS is enabled, all communications to the JFrog Platform are required to use TLS, including service-to-service communication within the platform.
In the JFrog Platform, JFrog Access acts as the Certificate Authority (CA) and signs the TLS certificates used by all the different JFrog Platform services.
To enable TLS:
Set the tls entry (under the security section) in the access.config.yaml file to true.
- With TLS enabled, every JFrog service must trust Access as a Certificate Authority. Access shares the CA certificate with all the Artifactory nodes; however, additional services in the Platform need to trust Access as well. Create the trust between a service and Access by copying the ca.crt from the Artifactory server under $JFROG_HOME/artifactory/var/etc/access/keys to the trusted directory of any service node you would like to set trust with.
- For Artifactory nodes, the root CA is distributed automatically via the database, and there is no need to manually copy the Access root CA. For every other JFrog product node, you need to manually copy the Access root CA.
- If an external server, for example a load balancer, needs to trust the JFrog Access CA, load the Access root CA file into that external service's trust store.
Loading a Custom CA Certificate to Access
You can provide a custom CA certificate and matching private key, to be used by JFrog Access, for signing the TLS certificates used by all the different JFrog Platform nodes.
Custom CA Prerequisites
Your custom CA certificate must meet the following prerequisites:
- The private key must use the RSA algorithm.
- The private key must be at least 1024-bit (in practice generate 2048-bit or larger; 1024-bit RSA is no longer considered secure).
- The certificate must match the provided private key.
- The certificate must be valid for at least the next 7 days.
- The certificate must be marked with a CA basic constraint.
- SAN (Subject Alternative Name) must not be set.
- The key usage extension must be marked CRITICAL.
- The key usage digitalSignature extension must be enabled.
- The key usage keyCertSign extension must be enabled.
To load a custom CA certificate and matching private key:
- Create the ca.crt and ca.private.key files and place them under $JFROG_HOME/artifactory/var/etc/access/keys.
- Restart Artifactory.
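The script below is an added example, not JFrog's code: it generates an RSA CA whose extensions encode the prerequisites listed above (CA basic constraint, critical key usage with digitalSignature and keyCertSign, no SAN), and it checks a candidate certificate against those prerequisites before it is loaded into Access. It assumes openssl is on the PATH; the subject name, output directory and file names are placeholders. The text checks parse `openssl x509 -text` output, so they can be run on saved output as well as on a live file.

```shell
#!/bin/sh
# Added example (not JFrog's code): generate a CA that satisfies the
# prerequisites above, and check any candidate CA certificate against them.
# Assumes: openssl on PATH. Subject name and file locations are placeholders.

# OpenSSL config whose v3 section encodes the prerequisites: CA basic
# constraint, critical keyUsage with digitalSignature and keyCertSign, no SAN.
ca_openssl_cnf() {
  cat <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Access Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyCertSign
subjectKeyIdentifier = hash
EOF
}

# generate_ca DIR [DAYS]: write DIR/ca.private.key and DIR/ca.crt (RSA 4096,
# self-signed, valid DAYS days; default ten years).
generate_ca() {
  dir=$1; days=${2:-3650}
  ca_openssl_cnf > "$dir/ca.cnf"
  openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days "$days" \
    -config "$dir/ca.cnf" -keyout "$dir/ca.private.key" -out "$dir/ca.crt"
  chmod 600 "$dir/ca.private.key"
}

# check_ca_text [MIN_BITS]: read `openssl x509 -text` output on stdin and print
# one FAIL line per violated prerequisite; exit status 0 only if all pass.
# The documented minimum is 1024 bits; 2048 is used here as the practical floor.
check_ca_text() {
  min_bits=${1:-2048}; txt=$(cat); rc=0
  printf '%s\n' "$txt" | grep -q 'Public Key Algorithm: rsaEncryption' \
    || { echo "FAIL: key algorithm is not RSA"; rc=1; }
  bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  [ -n "$bits" ] && [ "$bits" -ge "$min_bits" ] \
    || { echo "FAIL: RSA key is ${bits:-?} bits (want >= $min_bits)"; rc=1; }
  printf '%s\n' "$txt" | grep -q 'CA:TRUE' \
    || { echo "FAIL: CA basic constraint missing"; rc=1; }
  printf '%s\n' "$txt" | grep -q 'Subject Alternative Name' \
    && { echo "FAIL: SAN must not be set"; rc=1; }
  printf '%s\n' "$txt" | grep -q 'X509v3 Key Usage: critical' \
    || { echo "FAIL: key usage extension is not critical"; rc=1; }
  ku=$(printf '%s\n' "$txt" | awk '/X509v3 Key Usage/{getline; print; exit}')
  case $ku in *"Digital Signature"*) ;; *) echo "FAIL: digitalSignature not enabled"; rc=1 ;; esac
  case $ku in *"Certificate Sign"*) ;; *) echo "FAIL: keyCertSign not enabled"; rc=1 ;; esac
  return $rc
}

# check_ca_cert CERT KEY: full check of on-disk files, adding the two
# prerequisites that need openssl: 7-day validity and key/certificate match.
check_ca_cert() {
  cert=$1; key=$2; rc=0
  openssl x509 -in "$cert" -noout -text | check_ca_text || rc=1
  openssl x509 -in "$cert" -noout -checkend $((7 * 86400)) >/dev/null \
    || { echo "FAIL: certificate expires within 7 days"; rc=1; }
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo "FAIL: certificate does not match private key"; rc=1; }
  return $rc
}
```

Run generate_ca on a directory, then check_ca_cert on the resulting ca.crt and ca.private.key before copying them into the Access keys directory; a certificate that fails any of the printed checks will not be accepted, and the check is cheaper than a failed restart.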
Regenerating a New Access CA Certificate
In some scenarios you might want to force Access to generate a new CA Certificate.
To force JFrog Access to regenerate the CA certificate and matching private key:
- Create a reset_ca_keys file and place it under $JFROG_HOME/artifactory/var/etc/access/keys.
- Restart Artifactory.
- If you have already set up TLS between Artifactory and other JFrog Platform nodes, copy the new ca.crt to the trusted directories on all the JFrog Platform nodes; certificates issued by the regenerated CA are not trusted by those nodes until the new root replaces the old one.
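The following shell functions are an added example, not JFrog's tooling, covering both the trust set-up described under "Enabling TLS in the JFrog Platform" and the redistribution step after regenerating the Access CA: they copy the Access root CA from the Artifactory node into the trusted directory of other product nodes (locally or over ssh), create the reset_ca_keys marker, and verify that a service endpoint actually validates against the Access CA alone. They assume JFROG_HOME is set to the same path on every node, ssh/scp access to remote nodes, and openssl on the PATH; node and product names are placeholders.

```shell
#!/bin/sh
# Added example (not JFrog's code): distribute the Access root CA to other
# platform nodes, mark the CA for regeneration, and verify that a service
# endpoint chains to the Access CA.
# Assumes: JFROG_HOME set (same path on every node), ssh/scp to remote nodes,
# openssl on PATH. Node and product names are placeholders.

ACCESS_KEYS_SUBDIR='artifactory/var/etc/access/keys'

# Path of the Access root CA on the Artifactory node.
access_ca_file() { printf '%s/%s/ca.crt\n' "$JFROG_HOME" "$ACCESS_KEYS_SUBDIR"; }

# trusted_dir PRODUCT: trusted-certificate directory of a product (e.g. xray).
trusted_dir() { printf '%s/%s/var/etc/security/keys/trusted\n' "$JFROG_HOME" "$1"; }

# trust_access_ca_local PRODUCT...: copy ca.crt into the trusted directory of
# each product running on this host; prints each destination path.
# (Artifactory nodes themselves receive the root CA via the database.)
trust_access_ca_local() {
  src=$(access_ca_file)
  [ -s "$src" ] || { echo "missing $src" >&2; return 1; }
  for p in "$@"; do
    d=$(trusted_dir "$p")
    mkdir -p "$d" && cp "$src" "$d/ca.crt" && echo "$d/ca.crt" || return 1
  done
}

# trust_access_ca_remote NODE PRODUCT: same for a product on another host.
trust_access_ca_remote() {
  node=$1; d=$(trusted_dir "$2")
  ssh "$node" "mkdir -p '$d'" && scp "$(access_ca_file)" "$node:$d/ca.crt"
}

# reset_access_ca: create the reset_ca_keys marker. Access regenerates its CA
# and key on the next Artifactory restart, after which every trusted copy of
# the old ca.crt must be replaced with the functions above.
reset_access_ca() {
  marker="$JFROG_HOME/$ACCESS_KEYS_SUBDIR/reset_ca_keys"
  : > "$marker" && echo "$marker"
}

# verify_chains_to_access_ca HOST PORT: succeeds only if the endpoint's
# certificate validates using the Access root CA alone (no system trust store).
verify_chains_to_access_ca() {
  openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$(access_ca_file)" \
    </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}
```

After a regeneration, run verify_chains_to_access_ca against each service endpoint: a failure there means a node is still presenting a certificate from the old CA or has not yet picked up the new ca.crt.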