Prerequisites for Custom TLS Certificate

JFrog Installation & Setup Documentation


When providing your own custom TLS certificate, you will need to provide the matching private key. The certificate will be used by ports 8081 (Artifactory) and 8082 (the Platform router).

By default the JFrog Platform (from Artifactory 7.x and above) requires two public ports. You will need to ensure that both ports are using the same certificate.

  • 8081: served by Artifactory (running on Tomcat)

  • 8082: served by the router

Custom Certificate and CA Prerequisites

Your custom certificate must meet the following prerequisites.

  • The private key must use the RSA algorithm

  • The private key must be at least 1024-bit

  • The certificate must match the provided private key

  • The certificate's issuer must match the CA certificate subject

  • The certificate's subject must match the property shared.node.ip from system.yaml

  • The certificate's Subject Alternative Names (SAN) must include the certificate's subject

  • Key usage extension must be marked CRITICAL

  • Key usage digitalSignature extension must be enabled

  • Key usage keyEncipherment extension must be enabled

  • Extended key usage tlsWebServerAuthentication must be enabled

  • Extended key usage tlsWebClientAuthentication must be enabled