Trusting a Self-Signed Certificate or a New CA

To trust a new certificate, add the certificate to the $JFROG_HOME/<product>/var/etc/security/keys/trusted directory of every service that needs to trust it.

Alternatively, you an also add the certificate to each application's KeyStore. For example, to add a certificate into the JFrog Artifactory KeyStore, you can add it directly to the host's JVM's trusted KeyStore. 

Trusting a Self-Signed Certificate in Xray Instances/Nodes

When an Xray instance/node is configured to go through an SSL proxy that uses a self-signed certificate, you may encounter the following issue when performing tasks such as an online database sync:

2021-07-20T14:47:47.500Z [33m[jfxr ][0m [1m[31m[ERROR][0m [c080f44e606d159 ] [samplers:91                   ] [main                ] Failed to read response from jxrayUrl. Error: Get "https://jxray.jfrog.io/api/v1/system/ping": x509: certificate signed by unknown authority

1. To overcome this issue, you will need to import the Proxy certificate into each Xray instance/pod by placing it under the following path within the Xray machine/container/pods:/etc/ssl/certs/.
2. Next, you will need to restart Xray.
   The path shown above is the default directory used by Go applications (such as Xray) when importing SSL certificates.

Downloading a Certificate

To download/acquire the certificate(s) of the SSL secured server, use the following command:

openssl s_client -connect <secure authentication server IP and port> -showcerts < /dev/null > server.crt

Examples

openssl s_client -connect cdn.redhat.com:443 -showcerts < /dev/null > server.crt

openssl s_client -connect the.ldap.server.net:636 -showcerts < /dev/null > server.crt

openssl s_client -connect github.com:443 -showcerts < /dev/null > server.crt