TLS connections can be used within the JFrog Platform between the different cluster nodes and services, or by JFrog services for communicating with remote sites.

This guide describes how to do both.

Trusting a Self-Signed Certificate or a New CA

You can set up TLS between the JFrog Platform and external services by trusting the certificates those external services present.
JFrog services will not establish an SSL/TLS connection with an external service unless the service's certificate validates against a trusted CA certificate.

For example, you may want to connect to remote repositories, your LDAPS server, an internal proxy, an OAuth server, or other external services over HTTPS.
To do so, you may need to trust a certificate used by the external service that was not signed by a trusted Certificate Authority (CA), for example a self-signed certificate.

To trust a new certificate, you can do one of the following:

  • Add the certificate to the application's KeyStore. For example, to add a certificate to the Artifactory KeyStore, you can add it directly to the trusted KeyStore of the host's JVM.
  • Add the certificate to the $JFROG_HOME/<product>/var/etc/security/keys/trusted directory of every service that needs to trust it.
  • If you are connecting to a database over SSL, place the SSL certificates under /etc/ssl/certs/ so that the Metadata service loads them at startup.

HA Setup

For an HA setup, you need to add the certificate to every node's trusted directory or KeyStore. Certificates are not propagated between HA nodes automatically.

Downloading a Certificate

To download the certificate(s) of an SSL-secured server, use the following command:

openssl s_client -connect <secure authentication server IP and port> -showcerts < /dev/null > server.crt

Note that -showcerts prints the whole chain and the redirect captures the entire s_client transcript, so extract the PEM certificate block(s) from server.crt before placing them in a trusted directory.

The same command applies to every kind of external service; substitute that service's host and port, for example:

  • LDAP or Active Directory
  • OAuth (use the host of the Authorization URL, for example GitHub's)
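As an added example (not from the JFrog documentation), the command above is wrapped in a small POSIX shell script that splits the s_client transcript into one clean PEM file per certificate, so that only certificates, not the rest of the session output, end up in the trusted directory. The host names, output paths and the sample s_client output are constructed assumptions.

```shell
#!/bin/sh
# Added example (not JFrog tooling): fetch a server's chain with openssl s_client
# and write each certificate of the chain to its own PEM file.
set -e

# split_pem_chain OUTDIR [PREFIX]: reads s_client output on stdin, writes
# OUTDIR/PREFIX-N.crt for the N-th certificate, and prints how many were written.
split_pem_chain() {
  outdir=$1; prefix=${2:-server}
  mkdir -p "$outdir"
  awk -v dir="$outdir" -v pfx="$prefix" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/" pfx "-" n ".crt"; inblk = 1 }
    inblk { print > f }
    /-----END CERTIFICATE-----/ { inblk = 0; close(f) }
    END { print n + 0 }'
}

# fetch_server_chain HOST:PORT OUTDIR: the s_client command from the page, piped into
# the splitter; -servername sends SNI so a virtual host returns the right certificate.
fetch_server_chain() {
  host=${1%%:*}
  openssl s_client -connect "$1" -servername "$host" -showcerts </dev/null 2>/dev/null |
    split_pem_chain "$2" "$host"
}

# Constructed sample of s_client output; the base64 bodies are placeholders, not real certificates.
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
depth=1 CN = Example Root (constructed)
-----BEGIN CERTIFICATE-----
MIIBexampleLEAFplaceholder
-----END CERTIFICATE-----
 1 s:CN = Example Root (constructed)
-----BEGIN CERTIFICATE-----
MIIBexampleROOTplaceholder
-----END CERTIFICATE-----
---
No client certificate CA names sent
DONE'

# Demo on the constructed sample: writes ldaps-1.crt and ldaps-2.crt into a temporary directory.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | split_pem_chain "$demo_dir" ldaps
ls "$demo_dir"
```

Against a real server, run `fetch_server_chain ldap.example.com:636 ./trusted` (assumed host name) and copy the resulting files into $JFROG_HOME/<product>/var/etc/security/keys/trusted on every node that must trust it.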

Enabling TLS in the JFrog Platform

By default, TLS in the JFrog Platform is disabled.

When TLS is enabled, all communications with the JFrog Platform are required to use TLS, including service-to-service communication within the platform.
In the JFrog Platform, JFrog Access acts as the Certificate Authority (CA) and signs the TLS certificates used by all the different JFrog Platform services.

To enable TLS:

  1. Set the tls entry under the security section of the access.config.yaml file to true:

      security:
        tls: true
  2. With TLS enabled, every JFrog service must trust Access as a Certificate Authority.
    Access shares the CA certificate with all the Artifactory nodes. However, additional services in the Platform need to trust Access as well.
    Create the trust between a service and Access by copying ca.crt from the Artifactory server under $JFROG_HOME/artifactory/var/etc/access/keys to the $JFROG_HOME/<product>/var/etc/security/keys/trusted directory of every service node that should trust Access.

  • For Artifactory nodes, the root CA is distributed automatically via the database, so there is no need to copy the Access root CA manually.
    For every other JFrog product node, you need to copy the Access root CA manually.
  • If an external server, for example a load balancer, needs to trust the JFrog Access CA, load the Access root CA file into that external service's key store.

Loading a Custom CA Certificate to Access

You can provide a custom CA certificate and matching private key to be used by JFrog Access for signing the TLS certificates used by all the different JFrog Platform nodes.

Custom CA Prerequisites

Your custom CA certificate must meet the following prerequisites:

  • The private key must use the RSA algorithm.
  • The private key must be at least 1024-bit.
  • The certificate must match the provided private key.
  • The certificate must be valid for at least the next 7 days.
  • The certificate must be marked with a CA basic constraint.
  • A Subject Alternative Name (SAN) extension should not be set.
  • The key usage extension should be marked CRITICAL.
  • The digitalSignature key usage should be enabled.
  • The keyCertSign key usage should be enabled.

To load a custom CA certificate and matching private key:

  1. Create ca.crt and ca.private.key files and place them under $JFROG_HOME/artifactory/var/bootstrap/etc/access/keys.
  2. Restart Artifactory.
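As an added example (not JFrog's own tooling), a POSIX shell script that generates a ca.crt and ca.private.key pair satisfying every prerequisite listed above, plus a check function you can run against a CA you already have before loading it; it assumes an OpenSSL 1.1.1 or later command line, and the subject name and output directory are placeholders.

```shell
#!/bin/sh
# Added example (not JFrog tooling): create a CA that satisfies the custom-CA
# prerequisites above, and check an existing ca.crt / ca.private.key pair against them.
set -e

# make_access_ca DIR [DAYS]: writes DIR/ca.private.key and DIR/ca.crt
make_access_ca() {
  dir=$1; days=${2:-3650}
  mkdir -p "$dir"
  openssl genrsa -out "$dir/ca.private.key" 2048 2>/dev/null   # RSA, at least 1024-bit
  cat > "$dir/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = Example Access CA (constructed)
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyCertSign
subjectKeyIdentifier = hash
EOF
  # Self-signed with exactly the extensions above, so no SAN is added.
  openssl req -x509 -new -sha256 -days "$days" -key "$dir/ca.private.key" \
    -config "$dir/ca.cnf" -out "$dir/ca.crt" 2>/dev/null
}

# check_access_ca DIR: returns 0 only if DIR/ca.crt and DIR/ca.private.key meet every prerequisite
check_access_ca() {
  crt=$1/ca.crt; key=$1/ca.private.key
  bits=$(openssl rsa -in "$key" -noout -text 2>/dev/null |
    sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p' | head -n 1)
  [ -n "$bits" ] && [ "$bits" -ge 1024 ] || { echo "key is not RSA or is shorter than 1024 bits"; return 1; }
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl rsa -in "$key" -pubout 2>/dev/null)" ] ||
    { echo "certificate does not match the private key"; return 1; }
  openssl x509 -in "$crt" -noout -checkend 604800 >/dev/null ||
    { echo "certificate expires within 7 days"; return 1; }   # 604800 s = 7 days
  text=$(openssl x509 -in "$crt" -noout -text)
  ku=$(printf '%s\n' "$text" | awk '/X509v3 Key Usage: critical/ { getline; print }')
  printf '%s\n' "$text" | grep -q 'CA:TRUE' || { echo "missing CA basic constraint"; return 1; }
  [ -n "$ku" ] || { echo "keyUsage extension missing or not CRITICAL"; return 1; }
  printf '%s\n' "$ku" | grep -q 'Digital Signature' || { echo "keyUsage lacks digitalSignature"; return 1; }
  printf '%s\n' "$ku" | grep -q 'Certificate Sign' || { echo "keyUsage lacks keyCertSign"; return 1; }
  ! printf '%s\n' "$text" | grep -q 'Subject Alternative Name' || { echo "SAN must not be set"; return 1; }
  echo "ca.crt and ca.private.key meet the Access custom-CA prerequisites"
}
```

Run `make_access_ca ./access-ca && check_access_ca ./access-ca`, then copy the two files to $JFROG_HOME/artifactory/var/bootstrap/etc/access/keys and restart Artifactory as in the steps above.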

Regenerating a New Access CA Certificate

In some scenarios you might want to force Access to generate a new CA Certificate.

To force JFrog Access to regenerate the CA certificate and matching private key:

  1. Create a reset_ca_keys file and place it under $JFROG_HOME/artifactory/var/bootstrap/etc/access/keys.
  2. Restart Artifactory.
  3. If you have already set up TLS between Artifactory and other JFrog Platform nodes, copy the new ca.crt to the trusted directories on all the JFrog Platform nodes.
Copyright © 2021 JFrog Ltd.