
CA Certificates

Leonard J. Carcaramo Jr edited this page May 5, 2021 · 4 revisions

How to Add Internal/Self Signed CA Certificates as Trusted Certificate Authorities.

After putting Artifactory and PostgreSQL behind SSL/TLS, you may need to add the CA certificates that correspond to Artifactory/PostgreSQL's SSL certificate as trusted certificate authorities. Use the following documentation to get Artifactory/PostgreSQL working properly with the following services over HTTPS.


Firefox (or any web browser)

If Artifactory's certificate authority is not added to Firefox (or any other web browser) as a trusted CA certificate, your web browser will warn you that the Artifactory UI is insecure. You can optionally continue to the Artifactory UI anyway, but what you should do is add the required CA certificates to your web browser so that Artifactory's certificate authority is trusted.

Note that adding trusted CA certificates through Firefox should not only add trusted certificate authorities to Firefox, but also should make any added trusted certificate authorities available to other Web browsers like Microsoft Edge.

  • Ensure that you have your CA certificate(s) ready.
  • Open Mozilla Firefox.
  • Open the hamburger menu in the top right-hand corner of the page.
  • Click on Options.
  • Once you are on the Options page, select Privacy & Security from the menu on the left-hand side of the page.
  • From the Privacy & Security section, click on View Certificates under the Certificates section.
  • From the Certificate Manager, ensure that you have the Authorities tab selected.
  • From the Authorities Tab, click on the button located at the bottom of the window that is labeled Import....
  • Your workstation's File browser should be opened. Select the CA certificate that you want to import, and open it.
  • Repeat the previous two steps for each CA certificate that you need to add. Once you have added all of the CA certificates that you need, verify that they were added successfully by checking that each one appears in the Authorities tab.
  • Verify that you are able to access the Artifactory UI in Firefox or any other browser without any warnings. Once you open the Artifactory UI, click on the lock icon on the left-hand side of the address bar. If the dialog indicates that your connection is secure, that is an indication that the CA certificate(s) that you added are working.

Note that if you previously added a security exception for your Artifactory UI, you may have to remove that exception first before you notice the changes.


Artifactory

It is recommended that when you set up an Artifactory service for production use, you encrypt network traffic to Artifactory and its PostgreSQL database with SSL. Since Artifactory acts as a client to the PostgreSQL database, it is recommended that you force Artifactory to verify PostgreSQL's SSL certificate. In order to do this, you may have to add the CA root certificate for PostgreSQL to Artifactory. This is likely only the case if you are using an internal/self-signed certificate.

  • See the SSL wiki to see how to add an internal/self-signed SSL certificate to Artifactory.


Jenkins/Artifactory Helpers (Java)

In order for Jenkins and/or the Artifactory Helpers to trust Artifactory's SSL certificate, you may need to add the CA certificate(s) to the Java keystore on your Jenkins or DBB client server. An error that may alert you to this is unable to find valid certification path to requested target.

Confirm Your Java Path

  • Identify the location of Java on your Jenkins or DBB client server using the echo command.

    • <USERID> ~ > echo $JAVA_HOME
  • You can confirm this is the Java path Jenkins is using with the following steps.

    • In Jenkins, go to the Nodes page
    • Select the node you are using
    • Go to the Configure tab for that node
    • Open Advanced settings
    • Notice the JavaPath field

Add a CA Certificate to the Java Keystore

  • Open a terminal and navigate to the Java bin directory you identified above.
    • <USERID> ~ > cd $JAVA_HOME/bin
  • Use keytool to import your CA Certificate.
    • keytool -import -trustcacerts -alias "certificate_alias" -file "certificate_location" -keystore "/path/to/install_location/bin_directory/jre/7.0/lib/security/cacerts" -storepass "changeit"
    • certificate_alias = a name for this certificate that is unique within the keystore (keytool defaults to mykey, so a second import without -alias fails because that alias already exists)
    • certificate_location = location of your downloaded CA Certificate
    • install_location = location of your Jenkins or DBB client
    • bin_directory = the Java path identified above
  • Respond yes when asked to trust the certificate.
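The import above is one certificate at a time and fails on a re-run once the alias exists. The following shell script is an added example (not from this wiki) that imports every PEM CA certificate in a directory with one alias per file and skips aliases already present, so it can be re-run safely. It assumes JAVA_HOME is set, the keystore password is the default changeit, and the keystore path passed in is the cacerts file identified above.

```shell
#!/bin/sh
# Added example: idempotent bulk import of CA certificates into a Java keystore.
# Assumptions: JAVA_HOME is set; the caller passes the cacerts path and its
# password (default "changeit"); certificates are PEM files such as corp-root-ca.pem.

# Derive a keystore alias from the file name, e.g. /tmp/Corp_Root-CA.pem -> corp-root-ca
# (keytool aliases are case-insensitive, so lower-case them up front).
alias_for() {
    basename "$1" | sed 's/\.[^.]*$//' | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9]/-/g'
}

# Return 0 only if the file contains a PEM certificate block (DER files will not).
pem_is_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Import one CA certificate unless an entry with the same alias already exists.
import_ca() {
    cert="$1"; keystore="$2"; storepass="$3"
    alias=$(alias_for "$cert")
    if ! pem_is_cert "$cert"; then
        echo "skip: $cert is not a PEM certificate" >&2
        return 1
    fi
    if "$JAVA_HOME/bin/keytool" -list -keystore "$keystore" -storepass "$storepass" \
            -alias "$alias" >/dev/null 2>&1; then
        echo "present: $alias"
        return 0
    fi
    # -noprompt answers the "Trust this certificate?" question for us.
    "$JAVA_HOME/bin/keytool" -importcert -noprompt -trustcacerts \
        -file "$cert" -alias "$alias" -keystore "$keystore" -storepass "$storepass"
}

# Usage: import_all_cas /path/to/ca-dir "/path/to/cacerts" changeit
import_all_cas() {
    for f in "$1"/*.pem; do
        [ -e "$f" ] || continue
        import_ca "$f" "$2" "$3"
    done
}
```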


Curl

  • Ensure that you have a copy of the CA certificate and that it is in PEM format.
$ ls
ca.pem

⚠️ Note that if curl is already using a CA certificate bundle, you may want to simply append your CA certificate to that existing bundle instead of setting up a custom CA certificate configuration for Artifactory's CA certificate with these instructions.
  • Create a file called .curlrc in your home directory if it does not exist already.
$ touch .curlrc
  • Open .curlrc in the vim editor.
$ vim .curlrc
  • Press the [i] key for Insert/Edit mode.
  • Add the following configuration to .curlrc (cacert on its own is enough for validation; if you also set capath, note that a curl built against OpenSSL expects that directory to have been hashed with c_rehash or openssl rehash):
capath=<absolute path to the folder that contains your ca certificate>
cacert=<absolute path to your ca certificate>
  • Press [Esc] [:] [w] [q] to save the file and exit the vim editor.
  • If you are running curl on z/OS, ensure that your CA certificate and .curlrc file are explicitly tagged. If not, curl may not know how to interpret the bytes in these files, and CA certificate validation may fail as a result.
> ls -Tal
...
m IBM-1047    T=off ... file-that-curl-needs-to-read
...
> chtag -t file-that-curl-needs-to-read
> ls -Tal
...
t IBM-1047    T=on  ... file-that-curl-needs-to-read
...
  • Run curl against your internal Artifactory server WITHOUT the -k option to verify that CA certificate validation is working.
$ curl my-internal-artifactory.com
<!--
  ~ Artifactory is a binaries repository manager.
  ~ Copyright (C) 2018 JFrog Ltd.
  ~
  ~ Artifactory is free software: you can redistribute it and/or modify
  ~ it under the terms of the GNU Affero General Public License as published by
  ~ the Free Software Foundation, either version 3 of the License, or
  ~ (at your option) any later version.
  ~
  ~ Artifactory is distributed in the hope that it will be useful,
  ~ but WITHOUT ANY WARRANTY; without even the implied warranty of
  ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  ~ GNU Affero General Public License for more details.
  ~
  ~ You should have received a copy of the GNU Affero General Public License
  ~ along with Artifactory.  If not, see <http://www.gnu.org/licenses/>.
  -->
<html>
<head>
        <meta http-equiv="refresh" content="0;URL=/artifactory">
</head>
<body>
</body>
</html>
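The .curlrc placeholders above need absolute paths, and a successful run without -k is only meaningful if you also know how a failed validation looks. The following shell script is an added example (not from this wiki) that writes the cacert/capath lines into a curlrc file with absolute paths, optionally creates the subject-hash link OpenSSL-based curl needs for capath, and interprets curl's exit code when verifying a server. It assumes curl, and for the hashing step only, openssl, are on the PATH.

```shell
#!/bin/sh
# Added example: generate .curlrc for an internal CA and verify a server without -k.
# Assumptions: curl is installed; openssl is needed only by hash_capath.

# Resolve a path to an absolute one so .curlrc works from any directory.
abs_path() {
    case "$1" in
        /*) printf '%s\n' "$1" ;;
        *)  printf '%s/%s\n' "$(pwd)" "$1" ;;
    esac
}

# Write capath/cacert lines to the curlrc file (default ~/.curlrc).
# Existing capath/cacert lines are dropped first, other settings are kept.
write_curlrc() {
    cert=$(abs_path "$1")
    rc="${2:-$HOME/.curlrc}"
    dir=$(dirname "$cert")
    if [ -f "$rc" ]; then
        grep -v -e '^cacert=' -e '^capath=' "$rc" > "$rc.tmp" || true
        mv "$rc.tmp" "$rc"
    fi
    printf 'capath=%s\ncacert=%s\n' "$dir" "$cert" >> "$rc"
}

# capath lookups by OpenSSL-based curl use <subject-hash>.0 file names, so a
# bare directory of .pem files is silently ignored; create the link once.
hash_capath() {
    cert=$(abs_path "$1")
    h=$(openssl x509 -noout -hash -in "$cert") || return 1
    ln -sf "$(basename "$cert")" "$(dirname "$cert")/$h.0"
}

# Run curl without -k and explain the outcome via its exit code
# (60 = peer certificate could not be authenticated with the known CAs).
verify_tls() {
    rc=0
    curl -sS -o /dev/null "$1" || rc=$?
    case $rc in
        0)  echo "ok: certificate chain for $1 validated" ;;
        60) echo "FAIL: curl could not validate the peer certificate (exit 60); check cacert/capath" ;;
        *)  echo "curl exited $rc (not a certificate-validation failure)" ;;
    esac
    return $rc
}
```

Run `write_curlrc ca.pem` followed by `verify_tls https://my-internal-artifactory.com` to reproduce the check in the last step above.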

See the Curl SSL Certificate Verification documentation for more details.