Mutual TLS (mTLS) is TLS in which both ends of the connection authenticate with certificates. The client verifies the server's certificate as in ordinary TLS, and the server additionally verifies the client's certificate (chained to a CA it trusts) before the session is established. Each party therefore knows the identity of the other, not just the client the server's.
Use mTLS to authenticate to artifact repositories that require a client certificate.
Set up mTLS
Perform the following steps to set up an mTLS connection:
If your certificate is in PKCS12 format, start with step 1. If you already have a PEM certificate and key, skip to step 2.
Generate client certificate and client key
Have your PKCS12 (.p12) file and its password ready; openssl prompts for the password each time it reads the bundle.
Run the following command to extract the client certificate in Privacy Enhanced Mail (PEM) format. -clcerts writes only the client certificate, not the CA certificates in the bundle. Replace <pkcs12 file> with the name of your .p12 file.
openssl pkcs12 -in <pkcs12 file>.p12 -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > client.crt
Run the following command to extract the client key in PEM format. -nodes writes the key unencrypted, so restrict access to client.key (for example chmod 600) and delete it once the package manager resource is created. Replace <pkcs12 file> with the name of your .p12 file.
openssl pkcs12 -in <pkcs12 file>.p12 -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > client.key
Check that both files are non-empty before continuing: the sed filters keep only the lines between the exact BEGIN/END markers shown, so a key or certificate written with a different header produces an empty file rather than an error.
Format the client certificate and client key as JSON strings
The certificate and key are multi-line PEM files, but each must be passed as a single JSON string value. The following awk commands print each file on one line with a literal \n after every line, which is the form the client_cert and client_key fields expect.
Run the following command to format the client certificate:
awk '{printf "%s\\n", $0}' client.crt
Run the following command to format the client key:
awk '{printf "%s\\n", $0}' client.key
After formatting the client certificate and client key, create a package manager resource for the repository type you use.
Authenticate to Gradle repository
Run the following command to create a package manager resource that authenticates to your Gradle artifact repository with mTLS. Replace <namespace> with your namespace, and replace the client_cert and client_key values with the single-line awk output for client.crt and client.key.
endorctl api create -n <namespace> -r packageManager -d '{
"meta": {
"name": "test mtls for gradle creation",
"description": "test mtls creation"
},
"spec": {
"gradle": {
"property_key_name": "ENDOR_MTLS_CONFIGURATION",
"property_key_value": "any non empty value",
"mtls": {
"client_cert": "formatted pem client.crt",
"client_key": "formatted pem client.key"
}
}
}
}'
The property_key_name must be exactly ENDOR_MTLS_CONFIGURATION; property_key_value can be any non-empty string.
Authenticate to Maven repository
Run the following command to create a package manager resource and authenticate to Maven repository.
Replace:
<namespace> with your namespace.
https://nexus.example.com/repository/public with your Maven repository URL.
The client_cert and client_key values with the single-line awk output for client.crt and client.key.
endorctl api create -n <namespace> -r packageManager -d '{
"meta": {
"name": "test mtls for maven creation",
"description": "test mtls creation"
},
"spec": {
"mvn": {
"url": "https://nexus.example.com/repository/public",
"mtls": {
"client_cert": "formatted pem client.crt",
"client_key": "formatted pem client.key"
}
}
}
}'
Authenticate to PyPI repository
Run the following command to create a package manager resource and authenticate to PyPI repository.
Replace:
<namespace> with your namespace.
https://nexus.example.com/repository/pypi with your PyPI repository URL.
The client_cert and client_key values with the single-line awk output for client.crt and client.key.
endorctl api create -n <namespace> -r packageManager -d '{
"meta": {
"name": "test mtls for python creation",
"description": "test mtls creation"
},
"spec": {
"pypi": {
"priority": 1,
"url": "https://nexus.example.com/repository/pypi",
"mtls": {
"client_cert": "formatted pem client.crt",
"client_key": "formatted pem client.key"
}
}
}
}'
Authenticate to npm registry
Run the following command to create a package manager resource and authenticate to npm registry.
Replace:
<namespace> with your namespace.
https://nexus.example.com/repository/npm with your npm registry URL.
The client_cert and client_key values with the single-line awk output for client.crt and client.key.
endorctl api create -n <namespace> -r packageManager -d '{
"meta": {
"name": "test mtls for npm creation",
"description": "test mtls creation"
},
"spec": {
"npm": {
"url": "https://nexus.example.com/repository/npm",
"mtls": {
"client_cert": "formatted pem client.crt",
"client_key": "formatted pem client.key"
}
}
}
}'
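The steps above (extract the PEM files from the .p12, flatten them with awk, paste them into the packageManager payload) are easy to get subtly wrong: an empty client.key from a non-matching sed filter, or a key that does not belong to the certificate, only surfaces as a failed handshake later. The script below is an added example, not Endor Labs code, that wraps the same openssl, sed and awk commands in checked helper functions and builds the npm payload from the page (mvn and pypi use the same shape under their own key). The function names are this example's own; it assumes openssl, sed, awk and grep are on PATH, and the sample PEM files used in its test are constructed stand-ins, not real credentials.

```shell
#!/bin/sh
# Added example, not Endor Labs code: prepare client.crt/client.key for the
# endorctl packageManager payload and sanity-check them before pasting.
# Assumptions: openssl, sed, awk and grep are on PATH; the payload layout copies
# the npm spec from the page; all function names are this example's own.

# Split a PKCS#12 bundle into a PEM certificate and an unencrypted PEM key
# (the page's step 1). openssl prompts for the bundle password.
extract_pkcs12() {            # usage: extract_pkcs12 bundle.p12 client.crt client.key
  openssl pkcs12 -in "$1" -clcerts -nokeys \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$2"
  openssl pkcs12 -in "$1" -nocerts -nodes \
    | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > "$3"
  chmod 600 "$3"              # the key is written in the clear
}

# The sed filters above keep only lines between the exact markers given, so a
# key with another header (e.g. "BEGIN RSA PRIVATE KEY") yields an empty file.
# Returns 0 only if the file is non-empty and carries both expected markers.
check_pem() {                 # usage: check_pem file CERTIFICATE  |  check_pem file "PRIVATE KEY"
  [ -s "$1" ] || return 1
  grep -q -e "-----BEGIN $2-----" "$1" && grep -q -e "-----END $2-----" "$1"
}

# Flatten a PEM file to one line with a literal "\n" after each line so it
# fits inside a JSON string (the page's step 2).
pem_to_json() {               # usage: pem_to_json file
  awk '{printf "%s\\n", $0}' "$1"
}

# Build the -d body for an npm registry; mvn and pypi use the same shape with
# their own top-level key. No JSON escaping is needed for the PEM values
# because PEM text is base64, dashes and spaces only. The name argument must
# not contain double quotes.
build_npm_payload() {         # usage: build_npm_payload name url client.crt client.key
  check_pem "$3" CERTIFICATE   || { echo "bad certificate file: $3" >&2; return 1; }
  check_pem "$4" "PRIVATE KEY" || { echo "bad key file: $4" >&2; return 1; }
  printf '{"meta":{"name":"%s"},"spec":{"npm":{"url":"%s","mtls":{"client_cert":"%s","client_key":"%s"}}}}' \
    "$1" "$2" "$(pem_to_json "$3")" "$(pem_to_json "$4")"
}

# Optional check: the key must belong to the certificate, otherwise the TLS
# handshake fails with an unhelpful error from the repository side.
key_matches_cert() {          # usage: key_matches_cert client.crt client.key
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
```

With a real bundle the sequence is `extract_pkcs12 bundle.p12 client.crt client.key`, `key_matches_cert client.crt client.key`, and then `endorctl api create -n <namespace> -r packageManager -d "$(build_npm_payload 'npm mtls' https://nexus.example.com/repository/npm client.crt client.key)"`. Because build_npm_payload refuses empty or mis-labelled PEM files, a wrong sed filter is caught before anything is sent to the API.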