If you wish to import SSL/TLS certificates to the Artifactory JVM keystore, we need to place them in $JFROG_HOME/artifactory/var/etc/security/keys/trusted directory. During every startup, the Artifactory Router loads the certificates from the trusted folder to the JVM keystore. If the certificate is already present in the keystore, then it will be skipped during the startup process. Here is a sample log entry for your reference.
2024-02-18T19:23:00.175Z [jfrou] [INFO ] [1c96451bef34e403] [trusted.go:56 ] [main ] [] - Following certificates were successfully loaded as trusted CAs for TLS communication:
[/opt/jfrog/artifactory/var/data/router/keys/trusted/access-root-ca.crt /opt/jfrog/artifactory/var/etc/security/keys/trusted/redhat-cdn-server.crt]
Alternatively, we can also add the certificate to each application's KeyStore. For example, to add a certificate to the JFrog Artifactory Keystore, you can add it directly to the host's JVM's trusted Keystore. We recommend referring to our documentation on Managing TLS certificates for detailed insights.
Note
When you modify/change the certificate (ex: expiry dates after the renewal) and for changes to take effect, we MUST change the file name or create a new file for the modified certificate. Otherwise, if we change the content of the certificate without modifying the name, Artifactory will skip it during the startup process and you will get an PKIX (certificate error)