Artifactory Authentication

JFrog CLI offers several means of authenticating to Artifactory. It does not support accessing Artifactory without authentication.

For a complete overview of all authentication methods — including username/password, access tokens, browser login (jf login), OIDC token exchange, environment variable authentication, and troubleshooting — see Authenticating via the CLI.

This page covers Artifactory-specific authentication methods that require additional setup: RSA key authentication, mutual TLS (mTLS) client certificates, and custom CA certificate configuration.

Before you begin

The connection tests on this page (for example, jf rt ping) require a JFrog server to be configured with valid credentials. If you have not done this yet, see Authenticating via the CLI to configure a server first. To verify your current configuration, run jf config show.


Authenticating with RSA Keys

From version 4.4, Artifactory supports SSH authentication using RSA public and private keys.

Prerequisites

  1. SSH authentication must be enabled on your Artifactory server. See Manage SSH Keys in the JFrog Platform Administration documentation.

  2. Your public key must be added to your Artifactory user profile.

Limitations

Warning

RSA key authentication is NOT supported when working with:

  • External package managers and build tools (Maven, Gradle, npm, Docker, Go, NuGet)
  • The cURL integration (jf rt curl)

Command Options

Option            Description
--url             Artifactory SSH URL. Format: ssh://[host]:[port]
--ssh-key-path    Path to the SSH private key file.
--ssh-passphrase  [Optional] Passphrase for the SSH key, if encrypted.

SSH URL Format

Configure your Artifactory URL to use the SSH format: ssh://[host]:[port]

Warning

Do NOT include the Artifactory context URL. The [host] component should only include the hostname or IP address, not the /artifactory path.

Correct Examples

ssh://artifactory.mycompany.com:1339
ssh://192.168.1.100:22

Incorrect Examples

ssh://artifactory.mycompany.com/artifactory   ❌
https://artifactory.mycompany.com:1339        ❌

To authenticate with RSA keys:

  1. Complete the prerequisites and confirm RSA is appropriate for your workflow (see Limitations under this section).
  2. Use the SSH URL format described under SSH URL Format.
  3. Run the commands for Method 1 or Method 2, depending on whether you want a saved server configuration or a per-command connection.

Configuration Methods

Flag note

SSH authentication uses two different URL flags depending on the command:

  • jf config add uses --artifactory-url (the Artifactory-specific endpoint, for example, ssh://host:port)
  • Per-command options (for example, jf rt ping) use --url with the same SSH format

For non-SSH authentication, jf config add uses --url (the JFrog Platform URL, for example, https://acme.jfrog.io).

Method 1: Using jf config add

jf config add my-server \
  --artifactory-url=ssh://artifactory.mycompany.com:1339 \
  --ssh-key-path=~/.ssh/id_rsa \
  --ssh-passphrase=your-passphrase

Method 2: Per-command options

jf rt ping \
  --url=ssh://artifactory.mycompany.com:1339 \
  --ssh-key-path=~/.ssh/id_rsa

Authenticating Using Client Certificates (mTLS)

From Artifactory release 7.38.4, you can authenticate users using client certificates (mTLS). This requires a reverse proxy (for example, Nginx) with appropriate configuration. See HTTP Settings in the JFrog Artifactory documentation for setup instructions.

Limitations

Note

Authentication using client certificates (mTLS) is NOT supported by commands that integrate with package managers.

To authenticate using client certificates (mTLS):

  1. Review the limitations above for commands that do not support mTLS.
  2. Run jf config add or per-command jf rt ping with --client-cert-path and --client-cert-key-path as shown in the Example section below.

Command Options

Option                  Description
--url                   JFrog Platform URL.
--client-cert-path      Path to the client certificate file in PEM format.
--client-cert-key-path  Path to the private key file for the client certificate in PEM format.

Example

Using jf config add:

jf config add my-server \
  --url=https://acme.jfrog.io \
  --client-cert-path=/path/to/client-cert.pem \
  --client-cert-key-path=/path/to/client-key.pem

Per-command usage:

jf rt ping \
  --url=https://acme.jfrog.io/artifactory \
  --client-cert-path=/path/to/client-cert.pem \
  --client-cert-key-path=/path/to/client-key.pem

Combined with Other Authentication

mTLS can be combined with username/password or access token authentication:

jf config add my-server \
  --url=https://acme.jfrog.io \
  --client-cert-path=/path/to/client-cert.pem \
  --client-cert-key-path=/path/to/client-key.pem \
  --user=myuser \
  --password=mypassword

Certificate Format Requirements

  • Both certificate and key files must be in PEM format
  • The private key file should have restricted permissions (chmod 600)

Verify certificate and key match:

Note

The following commands use your system's openssl installation, not JFrog CLI. Run them in your terminal to confirm the certificate and private key are a matched pair before configuring JFrog CLI.

# These two commands should output the same MD5 hash
openssl x509 -noout -modulus -in client-cert.pem | openssl md5
openssl rsa -noout -modulus -in client-key.pem | openssl md5
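
The modulus comparison above applies to RSA keys only. As an added example (not part of the JFrog documentation), the function below compares the public key in the certificate with the one derived from the private key, which also covers EC keys, and rejects a key file that group or others can access. The function name check_mtls_pair is an assumption.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for --client-cert-path / --client-cert-key-path.
# check_mtls_pair is a hypothetical helper name, not a JFrog CLI command.
# Returns 0 = matched pair, 1 = mismatch, 2 = unreadable or not PEM, 3 = key file too open.

check_mtls_pair() {
  local cert key cert_pub key_pub mode
  cert=$1
  key=$2

  # Both files must be PEM, as the CLI requires.
  grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null || {
    echo "certificate is not PEM: $cert" >&2; return 2; }
  grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" 2>/dev/null || {
    echo "private key is not PEM: $key" >&2; return 2; }

  # The key must not be accessible to group or others (chmod 600 or stricter).
  # GNU stat first, BSD/macOS stat as the fallback.
  mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  case "$mode" in
    ?00) ;;
    *) echo "key permissions $mode are too open; run: chmod 600 $key" >&2; return 3 ;;
  esac

  # Extract the SubjectPublicKeyInfo from each side. Unlike the modulus
  # comparison, this works for RSA and EC keys alike.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) &&
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
    echo "openssl could not parse the certificate or key" >&2; return 2; }

  if [ "$cert_pub" != "$key_pub" ]; then
    echo "certificate and private key do NOT match" >&2
    return 1
  fi
  echo "certificate and private key match"
}

# Usage with the file names from the page:
#   check_mtls_pair client-cert.pem client-key.pem
```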

Not Using a Public CA (Certificate Authority)?

This section applies if you're not using a public CA to issue the SSL certificate for your Artifactory domain. This includes:

  • Self-signed certificates
  • Internal PKI services (for example, Microsoft CA)
  • Private Certificate Authorities

Adding Custom CA Certificates

Place your CA certificates in the security/certs directory under JFrog CLI's home directory:

~/.jfrog/security/certs/

If you've customized the home directory using the JFROG_CLI_HOME_DIR environment variable, use:

$JFROG_CLI_HOME_DIR/security/certs/

Certificate Requirements

Requirement            Details
Format                 PEM format (file should contain -----BEGIN CERTIFICATE-----)
File Extension         .pem recommended
Multiple Certificates  Supported. Run c_rehash on the directory after adding multiple certificates. c_rehash is provided by OpenSSL; install with brew install openssl (macOS) or sudo apt install openssl (Debian/Ubuntu).

To add custom CA certificates to JFrog CLI:

  1. Create the certificates directory:

    mkdir -p ~/.jfrog/security/certs
  2. Copy your CA certificate:

    cp /path/to/your-ca-cert.pem ~/.jfrog/security/certs/
  3. If using multiple certificates, run c_rehash:

    c_rehash ~/.jfrog/security/certs/

    Note: c_rehash creates hash symlinks for each valid certificate and outputs no message on success. If you see OpenSSL error messages (for example, Could not find certificate from <file>), the certificate file may be malformed or not in PEM format. Verify the file starts with -----BEGIN CERTIFICATE-----.

  4. Test the connection:

    jf rt ping --url=https://your-server.com/artifactory

    Expected output:

    OK

    Note: Replace https://your-server.com/artifactory with your Artifactory URL. If you have already configured a default server via jf config add, you can also run jf rt ping without any flags to use that server. A 401 response indicates a credentials problem with your configured server, not a CA certificate issue.

Downloading a Certificate from a Server

If you need to extract the certificate from a running server, use your system's openssl tool (not JFrog CLI):

echo | openssl s_client -servername your-server.com -connect your-server.com:443 2>/dev/null | \
  openssl x509 -out ~/.jfrog/security/certs/your-server.pem

Replace your-server.com with your Artifactory hostname. The certificate is saved to ~/.jfrog/security/certs/your-server.pem.
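
The s_client command above saves whatever certificate the server presents at that moment, so the saved file is only as trustworthy as the network path it was fetched over. As an added example (not part of the JFrog documentation), this helper copies a PEM file into the CLI trust directory only when its SHA-256 fingerprint matches a value obtained out of band. The function name install_pinned_ca and the source of the expected fingerprint are assumptions.

```bash
#!/usr/bin/env bash
# Added example: pin a certificate's fingerprint before trusting it.
# install_pinned_ca is a hypothetical helper name, not a JFrog CLI command.
# Usage: install_pinned_ca <pem-file> <expected-sha256-fingerprint> [dest-name]
# Returns 0 = installed, 1 = fingerprint mismatch, 2 = not a certificate, 3 = expired.

install_pinned_ca() {
  local pem expected name certs_dir actual
  pem=$1
  expected=$2
  name=${3:-$(basename "$pem")}
  certs_dir="${JFROG_CLI_HOME_DIR:-$HOME/.jfrog}/security/certs"

  # Reject anything openssl cannot parse as an X.509 certificate.
  actual=$(openssl x509 -in "$pem" -noout -fingerprint -sha256 2>/dev/null) || {
    echo "not a valid PEM certificate: $pem" >&2; return 2; }

  # Reduce "sha256 Fingerprint=AA:BB:..." and the expected value to bare uppercase hex.
  actual=$(printf '%s' "${actual#*=}" | tr -d ':' | tr 'a-f' 'A-F')
  expected=$(printf '%s' "$expected" | tr -d ': ' | tr 'a-f' 'A-F')
  if [ "$actual" != "$expected" ]; then
    echo "fingerprint mismatch, refusing to trust $pem (got $actual)" >&2
    return 1
  fi

  # An expired certificate would fail verification anyway; say so up front.
  openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1 || {
    echo "certificate has expired: $pem" >&2; return 3; }

  mkdir -p "$certs_dir"
  # Re-encode through openssl so only the certificate block is stored.
  openssl x509 -in "$pem" -out "$certs_dir/$name" || return 2
  echo "$certs_dir/$name"
}

# Typical flow: save the s_client output to a temporary file first, then
#   install_pinned_ca /tmp/your-server.pem "<fingerprint from your PKI team>"
```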

Fallback: Skip TLS Verification

Some commands support the --insecure-tls option, which skips TLS certificate verification:

# Per-command
jf rt ping --url=https://your-server.com/artifactory --insecure-tls

Expected output:

OK

# During configuration: include your credentials alongside --insecure-tls
jf config add my-server \
  --url=https://your-server.com \
  --access-token=your-access-token \
  --insecure-tls

Note

The jf config add command above will prompt interactively for credentials if none are provided via flags. Use --access-token or --user / --password to supply credentials non-interactively (for example, in CI/CD pipelines).

Warning

Using --insecure-tls disables all certificate verification and should only be used for testing or in trusted network environments.

Migration from Versions Before 1.37.0

Before version 1.37.0, JFrog CLI expected certificates to be located directly under the security directory (not in a certs subdirectory).

  • Old location: ~/.jfrog/security/
  • New location: ~/.jfrog/security/certs/

JFrog CLI automatically migrates certificates to the new directory when upgrading to version 1.37.0 or above. A backup of the old configuration is stored in ~/.jfrog/backup.

Note

Downgrading to an older version requires manually restoring the configuration from the backup directory.



What’s Next

Once authenticated, upload your first file to Artifactory.