Configure Workstation for PTC
Install the SASE CA certificate and set environment variables on developer workstations so package managers (npm, pip, Docker, and others) trust SSL inspection for Package Traffic Controller (PTC).
Workstation Configuration for PTC
PTC redirected traffic is SSL-inspected by your SASE before it reaches Artifactory. For a developer workstation to participate in PTC, every package client (npm, pip, Docker, and so on) on that workstation must trust the SASE root CA — typically through OS trust stores, application-specific trust stores, or environment variables.
This page covers the workstation-side setup: which scripts to use, the minimum certificate and environment variable expectations, and where to look for client-by-client and OS-by-OS detail. SASE-vendor and Artifactory-side setup is covered in Configure SASE for PTC and Configure Artifactory for PTC.
Run workstation configuration before activating SASE redirect rules that intercept registry traffic — see Deployment Sequence. Trust must be in place before SSL inspection is enabled, otherwise installs break with TLS errors.
Installation Script
Important: This is not JFrog-specific. The certificate installation described in this section is a general requirement for SASE SSL inspection to work properly on any workstation. Any application or CLI tool that makes HTTPS calls through a SASE-inspected network must trust the SASE root CA certificate. This applies regardless of whether JFrog Artifactory or PTC is involved. For an authoritative reference on SSL inspection certificate deployment, see your SASE vendor's documentation (for example, Zscaler's Adding Custom Certificate to an Application-Specific Trust Store).
PTC relies on workstation certificate installation you deploy with the approach that fits your organization (MDM is not required—endpoint management, imaging, scripts, or manual steps are all valid). The scripts extract or reference the SASE CA and set environment variables so Node.js (npm and related clients) and Python/pip trust TLS through SSL inspection, as an example.
Installation scripts may require customer-specific adjustments. Every organization's endpoint configuration, certificate chain, MDM tooling, and security policies differ. Review and adapt scripts to your environment before broad rollout.
This product documentation does not duplicate the script README. For authoritative detail, use:
- Repository root overview: README.md (links to the script guide)
- Scripts and full documentation:
scripts/README.mdin the package-reroute repository.
That README includes: supported OSes, package clients (npm, pnpm, yarn via Node; pip/pipenv/uv with validation notes), environment variables with version applicability, flowchart, test coverage, MDM validation on Action1 (other MDMs may need adjustment), which clients require env-based configuration (typically older npm/Python) vs. which may not need extra environment variables when the OS trust store is sufficient, and the minimum variables needed if you implement the same behavior without the scripts.
For example, you can validate the certificate path used by client tooling:
openssl x509 -in "<SASE_CA_PATH>" -noout -issuerWhere:
<SASE_CA_PATH>is the full path to the SASE CA certificate file used by your package client.
For example:
openssl x509 -in "/opt/certs/sase-ca.pem" -noout -issuerAt a Glance
| Topic | Where it lives |
|---|---|
| Client list, env vars, Node/Python version notes | scripts/README.md |
| CLI options, validation scripts, automated tests | Same repository under scripts/ |
| Why order matters (Artifactory → certs → new sessions → SASE) | Deployment Sequence |
Run the installation before SASE redirect rules that intercept registry traffic are activated (see Deployment Sequence).
Frequently Asked Questions
This section provides answers to frequently asked questions about workstation configuration for Package Traffic Controller (PTC).
FAQs
Q: Is MDM required to distribute the SASE CA certificate?
A: No. MDM (Intune, Jamf, and similar tools) is optional. You can use imaging, configuration management, login scripts, or guided manual steps—especially in labs and pilots.
Q: Where is the authoritative client and OS matrix for install scripts?
A: Use scripts/README.md in the package-reroute repository for supported clients, environment variables, and validation steps. See Installation Script.
Q: Do developers need a full machine reboot after certificate changes?
A: No. New terminal sessions or an IDE restart pick up updated environment variables. Mandatory fleet-wide reboots alone do not fix TLS trust issues.