How to Establish a Circle of Trust

JFrog Platform Administration Documentation

Content Type
Administration / Platform

To establish a "Circle of Trust" between JFrog services, you will need to exchange the public token certificate between the services.

Services that are within the circle of trust have complete admin privileges on each other. To exchange the certificates, you need to copy a service’s root certificate to another service’s$JFROG_HOME/artifactory/var/etc/access/keys/trustedfolder.

The service's root certificate can be acquired in the following ways:

  • found under$JFROG_HOME/artifactory/var/etc/access/keys/root.crt(requires physical access to the server)

  • by calling the Get Root Certificate REST APIGet Root Certificate


The root.crt will disappear from the target's trusted folder and will be placed in the Artifactory database.

Trust can be created between multiple services: you need to make sure that all participating instances in the circle of trust are equipped with the relevant public keys (root certificate). Note that a trust can be unidirectional or bidirectional. The service watches a directory of trusted public keys and reloads the keys when it needs to verify a token

Renaming the source service’s certificate

Since trust can be created between multiple services, you should rename each source service’s certificate with a meaningful name. For example, if one service named “us-east” should be trusted by another service named “us-west”, then$JFROG_HOME/artifactory/var/etc/access/keys/root.crt from us-east, should be copied to$JFROG_HOME/artifactory/var/etc/access/keys/trusted/us-east.crton us-west.

Use the same Artifactory userid and groupid

Make sure you give the same Artifactoryuseridandgroupidto the root certificate in the trusted folder ($ARTIFACTORY_HOME/access/etc/keys/trusted/*) by comparing to the other files from the previous folder ($ARTIFACTORY_HOME/access/etc/keys/).