Artifactory Authentication
When used with Artifactory, JFrog CLI offers several means of authentication. JFrog CLI does not support accessing Artifactory without authentication.
For a complete overview of all authentication methods — including username/password, access tokens, browser login (jf login), OIDC token exchange, environment variable authentication, and troubleshooting — see Authenticating via the CLI.
This page covers Artifactory-specific authentication methods that require additional setup: RSA key authentication, mutual TLS (mTLS) client certificates, and custom CA certificate configuration.
Authenticating with RSA Keys
From version 4.4, Artifactory supports SSH authentication using RSA public and private keys.
Prerequisites
- SSH authentication must be enabled on your Artifactory server. See Manage SSH Keys in the JFrog Platform Administration documentation.
- Your public key must be added to your Artifactory user profile.
Limitations
Warning: RSA key authentication is NOT supported when working with:
- External package managers and build tools (Maven, Gradle, npm, Docker, Go, NuGet)
- The cURL integration (jf rt curl)
Command Options
| Option | Description |
|---|---|
| --url | Artifactory SSH URL. Format: ssh://[host]:[port] |
| --ssh-key-path | Path to the SSH private key file. |
| --ssh-passphrase | [Optional] Passphrase for the SSH key, if encrypted. |
SSH URL Format
Configure your Artifactory URL to use the SSH format: ssh://[host]:[port]
Warning: Do NOT include the Artifactory context URL. The [host] component should only include the hostname or IP address, not the /artifactory path.
Correct Examples:
ssh://artifactory.mycompany.com:1339
ssh://192.168.1.100:22
Incorrect Examples:
ssh://artifactory.mycompany.com/artifactory ❌
https://artifactory.mycompany.com:1339 ❌
Configuration Methods
Method 1: Using jf config add
jf config add my-server \
--artifactory-url=ssh://artifactory.mycompany.com:1339 \
--ssh-key-path=~/.ssh/id_rsa \
--ssh-passphrase=your-passphrase
Method 2: Per-command options
jf rt ping \
--url=ssh://artifactory.mycompany.com:1339 \
--ssh-key-path=~/.ssh/id_rsa
Authenticating Using Client Certificates (mTLS)
From Artifactory release 7.38.4, you can authenticate users using client certificates (mTLS). This requires a reverse proxy (e.g., Nginx) with appropriate configuration. See HTTP Settings in the JFrog Artifactory documentation for setup instructions.
Limitations
Note: Authentication using client certificates (mTLS) is NOT supported by commands that integrate with package managers.
Command Options
| Option | Description |
|---|---|
| --url | JFrog Platform URL. |
| --client-cert-path | Path to the client certificate file in PEM format. |
| --client-cert-key-path | Path to the private key file for the client certificate in PEM format. |
Example
Using jf config add:
jf config add my-server \
--url=https://acme.jfrog.io \
--client-cert-path=/path/to/client-cert.pem \
--client-cert-key-path=/path/to/client-key.pem
Per-command usage:
jf rt ping \
--url=https://acme.jfrog.io/artifactory \
--client-cert-path=/path/to/client-cert.pem \
--client-cert-key-path=/path/to/client-key.pem
Combined with Other Authentication
mTLS can be combined with username/password or access token authentication:
jf config add my-server \
--url=https://acme.jfrog.io \
--client-cert-path=/path/to/client-cert.pem \
--client-cert-key-path=/path/to/client-key.pem \
--user=myuser \
--password=mypassword
Certificate Format Requirements
- Both certificate and key files must be in PEM format
- The private key file should have restricted permissions (chmod 600)
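The requirements above and the certificate/key match check that follows can be run as one pre-flight step before jf config add. This is an added example, not part of the JFrog documentation; the function names are hypothetical, and it compares public keys rather than RSA moduli, so it also covers non-RSA keys.

```shell
#!/bin/sh
# Added example (not JFrog code): pre-flight check for an mTLS client
# certificate and private key. Function names are hypothetical.

# Print the SHA-256 digest of the public key in a PEM certificate or key.
# $1: "cert" or "key"   $2: PEM file
pubkey_sha256() {
    case "$1" in
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    esac || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Return codes: 0 ok, 2 unreadable file, 3 key permissions too open,
#               4 file is not a valid PEM certificate/key, 5 pair mismatch.
# $1: client certificate (PEM)   $2: private key (PEM)
check_mtls_pair() {
    cert=$1
    key=$2
    [ -r "$cert" ] && [ -r "$key" ] || {
        echo "missing or unreadable file" >&2; return 2; }

    # Characters 5-10 of the ls mode string are the group and other bits;
    # after chmod 600 they must all be "-".
    mode=$(ls -ldL "$key" | cut -c5-10)
    [ "$mode" = "------" ] || {
        echo "private key is accessible to group/other: chmod 600 $key" >&2
        return 3; }

    c=$(pubkey_sha256 cert "$cert") || {
        echo "not a PEM certificate: $cert" >&2; return 4; }
    k=$(pubkey_sha256 key "$key") || {
        echo "not a PEM private key: $key" >&2; return 4; }

    [ "$c" = "$k" ] || {
        echo "certificate and private key do not match" >&2; return 5; }
    echo "ok: public key sha256 $c"
}

# Usage: check_mtls_pair /path/to/client-cert.pem /path/to/client-key.pem
```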
Verify certificate and key match:
# These two commands should output the same MD5 hash
openssl x509 -noout -modulus -in client-cert.pem | openssl md5
openssl rsa -noout -modulus -in client-key.pem | openssl md5
Not Using a Public CA (Certificate Authority)?
This section applies if you're not using a public CA to issue the SSL certificate for your Artifactory domain. This includes:
- Self-signed certificates
- Internal PKI services (e.g., Microsoft CA)
- Private Certificate Authorities
Adding Custom CA Certificates
Place your CA certificates in the security/certs directory under JFrog CLI's home directory:
~/.jfrog/security/certs/
If you've customized the home directory using the JFROG_CLI_HOME_DIR environment variable, use:
$JFROG_CLI_HOME_DIR/security/certs/
Certificate Requirements
| Requirement | Details |
|---|---|
| Format | PEM format (file should contain -----BEGIN CERTIFICATE-----) |
| File Extension | .pem recommended |
| Multiple Certificates | Supported. Run c_rehash on the directory after adding multiple certificates. |
Setup Steps
- Create the certificates directory:
  mkdir -p ~/.jfrog/security/certs
- Copy your CA certificate:
  cp /path/to/your-ca-cert.pem ~/.jfrog/security/certs/
- If using multiple certificates, run c_rehash:
  c_rehash ~/.jfrog/security/certs/
- Test the connection:
  jf rt ping
Downloading a Certificate from a Server
If you need to extract the certificate from a running server:
echo | openssl s_client -servername your-server.com -connect your-server.com:443 2>/dev/null | \
openssl x509 -out ~/.jfrog/security/certs/your-server.pem
Fallback: Skip TLS Verification
Some commands support the --insecure-tls option, which skips TLS certificate verification:
# Per-command
jf rt ping --insecure-tls
# During configuration
jf config add my-server --url=https://... --insecure-tls
Warning: Using --insecure-tls disables all certificate verification and should only be used for testing or in trusted network environments.
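Rather than trusting a downloaded certificate as-is or falling back to --insecure-tls, the certificate can be pinned: save the s_client output to a temporary file and install it only if its SHA-256 fingerprint matches a value obtained out of band (for example, from the server's administrator). This is an added example, not part of the JFrog documentation; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not JFrog code): install a certificate into JFrog CLI's
# certs directory only when its fingerprint matches a pinned value.
# Function names are hypothetical.

# Print the SHA-256 fingerprint of a PEM certificate as lowercase hex.
cert_fingerprint() {
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
    # Output looks like "sha256 Fingerprint=AB:CD:..."; keep the hex only.
    printf '%s\n' "${fp#*=}" | tr -d ':' | tr 'A-F' 'a-f'
}

# Accept fingerprints written with or without colons, in either case.
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'
}

# Return codes: 0 installed, 2 not a PEM certificate, 3 malformed pin,
#               4 fingerprint mismatch (nothing is copied), 5 copy failed.
# $1: downloaded PEM certificate   $2: expected SHA-256 fingerprint
# $3: optional target directory (defaults to the CLI's certs directory)
install_pinned_cert() {
    cert=$1
    expected=$(normalize_fp "$2")
    dest=${3:-${JFROG_CLI_HOME_DIR:-$HOME/.jfrog}/security/certs}

    actual=$(cert_fingerprint "$cert") || {
        echo "not a PEM certificate: $cert" >&2; return 2; }
    [ "${#expected}" -eq 64 ] || {
        echo "expected fingerprint must be 64 hex characters" >&2; return 3; }
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch, not installing (got $actual)" >&2
        return 4
    fi

    mkdir -p "$dest" && cp "$cert" "$dest/" || return 5
    echo "installed $(basename "$cert") into $dest"
}

# Usage (the fingerprint is a placeholder for the out-of-band value):
#   install_pinned_cert /tmp/your-server.pem "<sha256-fingerprint>"
```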
Migration from Versions Before 1.37.0
Before version 1.37.0, JFrog CLI expected certificates to be located directly under the security directory (not in a certs subdirectory).
- Old location: ~/.jfrog/security/
- New location: ~/.jfrog/security/certs/
JFrog CLI automatically migrates certificates to the new directory when upgrading to version 1.37.0 or above. A backup of the old configuration is stored in ~/.jfrog/backup.
Note: Downgrading to an older version requires manually restoring the configuration from the backup directory.
