Mutual Transport Layer Security (mTLS) is a protocol that mandates both the sender and receiver to authenticate each other before establishing a secure connection. Each party verifies the other’s certificate, ensuring authenticity and trust. This establishes a secure connection between both the parties.
Use mutual TLS to securely authenticate to artifact repositories.
Set up mTLS
Perform the following steps to set up a secure mTLS connection:
If your certificate is in PKCS12 format, you can start with step 1. If you already have a PEM certificate, you can skip to step 2.
-
Generate client certificate and client key
Run the following command to generate the client certificate in the Privacy Enhanced Mail (PEM) format. Replace
<pkcs12 file> with the name of your .p12 file.
openssl pkcs12 -in <pkcs12 file>.p12 -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > client.crt
<pkcs12 file> with the name of your .p12 file.
openssl pkcs12 -in <pkcs12 file>.p12 -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > client.key
-
Format the client certificate and client key as json
Run the following command to format the client certificate as json:
awk '{printf "%s\\n", $0}' client.crt
awk '{printf "%s\\n", $0}' client.key
-
Create a package manager resource after generating the client certificate and client key.
Authenticate to Gradle repository
Run the following command to create a package manager resource and authenticate to Gradle artifact repository. Replace namespace with your namespace.
endorctl api create -n <namespace> -r packageManager -d '{
"meta": {
"name": "test mtls for npm creation",
"description": "test mtls creation"
},
"spec": {
"gradle": {
"property_key_name": "ENDOR_MTLS_CONFIGURATION",
"property_key_value": "any non empty value",
"mtls": {
"client_cert": "formatted pem client.crt",
"client_key": "formatted pem client.key"
}
}
}
}'
The property_key_name must be set exactly as ENDOR_MTLS_CONFIGURATION.
Authenticate to Maven repository
Run the following command to create a package manager resource and authenticate to Maven repository.
Replace:
namespace with your namespace.https://nexus.example.com/repository/public with your Maven repository URL.
endorctl api create -n <namespace> -r packageManager -d '{
"meta": {
"name": "test mtls for npm creation",
"description": "test mtls creation"
},
"spec": {
"mvn": {
"url": "https://nexus.example.com/repository/public",
"mtls": {
"client_cert": "formatted pem client.crt",
"client_key": "formatted pem client.key"
}
}
}
}'
Authenticate to PyPI repository
Run the following command to create a package manager resource and authenticate to PyPI repository.
Replace:
namespace with your namespace.https://nexus.example.com/repository/pypi with your PyPI repository URL.
endorctl api create -n <namespace> -r packageManager -d '{
"meta": {
"name": "test mtls for python creation",
"description": "test mtls creation"
},
"spec": {
"pypi": {
"priority": 1,
"url": "https://nexus.example.com/repository/pypi",
"mtls": {
"client_cert": "formatted pem client.crt",
"client_key": "formatted pem client.key"
}
}
}
}'
Authenticate to npm registry
Run the following command to create a package manager resource and authenticate to npm registry.
Replace:
namespace with your namespace.https://nexus.example.com/repository/npm with your npm registry URL.
endorctl api create -n <namespace> -r packageManager -d '{
"meta": {
"name": "test mtls for npm creation",
"description": "test mtls creation"
},
"spec": {
"npm": {
"url": "https://nexus.example.com/repository/npm",
"mtls": {
"client_cert": "formatted pem client.crt",
"client_key": "formatted pem client.key"
}
}
}
}'
