If you need to configure Nexus to proxy a remote repository which requires an SSL client certificate, you’ll need to import the certificate included with your Nexus license into the JVM used to run your Nexus instance. To make this process simpler, you can use our import-ssl tool: a simple command-line utility which automates loading the server’s SSL chain and the client certificate into a JVM keystore.
The import-ssl tool can be downloaded from: http://central.sonatype.com/help/import-ssl.jar
Importing a client certificate involves two steps: importing the server’s SSL chain and importing the client SSL key/certificate pair. Some notes about the location of the key-store and default key-store passwords:
- If you are using the default JSSE key-store locations on either a Linux or OS X platform, you must run the commands below as the root user. You can do this either by changing to the root user (su -), or by using the sudo command: sudo [command].
- The default password used by Java for the built-in keystores is changeit. If your keystore uses a different password, you’ll need to specify that password as the last parameter on the command lines below.
- If you want to specify your own key-store location, provide that in place of <keystore_dir> in the examples below.
- If you’re using a password other than changeit for your keystore, you should supply it immediately following the keystore path in the commands below.
- If you specify a keystore location that doesn’t exist, the import-ssl utility will create it on-demand.
Before you begin the process of importing a Server SSL Chain and a client certificate you will need three things:
- Network access to the SSL server you are connecting to,
- An SSL client certificate,
- and a certificate password.
The first command imports the entire self-signed SSL certificate chain for central.sonatype.com into your JSSE keystore:
$ java -jar import-ssl.jar server central.sonatype.com \
    <keystore_dir>
Substitute the server name used in the previous listing with the name of the server you are attempting to connect to. This particular command connects to https://central.sonatype.com, retrieves the server’s SSL certificate chain, and imports it.
The second command imports your client-side SSL certificate into the JSSE keystore, so Nexus can send it along to the server for authentication:
$ java -jar import-ssl.jar client <your-certificate.p12> \
    <your-certificate-password> <keystore_dir>
When the client command completes, you should see a line containing the keystore path, like the one that follows. This path is important; you will use it in your Nexus configuration below, so make a note of it!
... Writing keystore: /System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Home/lib/security/jssecacerts
Once both sets of SSL certificates are imported to your keystore, you can modify the Nexus $NEXUS_HOME/conf/wrapper.conf file to inject the JSSE system properties necessary to use these certificates, as seen below.
Note
In the following example, the property names wrapper.java.additional.4 and wrapper.java.additional.5 are meant to follow on from the existing wrapper.java.additional.* lines in the wrapper.conf file. Future versions of Nexus may add further JVM command-line arguments to this file. If the numbers 4 and 5 are already taken, simply increment and use the next two unused numbers.
wrapper.java.additional.4=-Djavax.net.ssl.keyStore=<keystore_dir>
wrapper.java.additional.5=-Djavax.net.ssl.keyStorePassword=<keystore_password>
Once you have configured the Nexus start-up option shown above, restart Nexus and attempt to proxy a remote repository which requires an SSL client certificate. Nexus will use the keystore location and keystore password to configure the SSL interaction to accept the server’s SSL certificate and send the appropriate client SSL certificate.
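The note above asks you to pick the next two unused wrapper.java.additional.N numbers by hand. The following POSIX shell functions are an added example, not part of the Nexus documentation or of the import-ssl tool: they read an existing wrapper.conf, find the highest index already in use, append the two javax.net.ssl properties at the next two indices, and refuse to add a second keyStore entry if one is already present. The function names, the --apply flag and the sample wrapper.conf lines used in the comments are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the Nexus book or the import-ssl tool).
# Appends -Djavax.net.ssl.keyStore / keyStorePassword to a Java Service
# Wrapper conf file using the next two unused wrapper.java.additional.N
# indices. Assumes POSIX sh, sed, sort, tail and grep.

# Print the highest wrapper.java.additional.N index present in the file,
# or 0 when the file is missing or contains no such lines.
max_additional_index() {
  conf="$1"
  [ -f "$conf" ] || { echo 0; return; }
  n=$(sed -n 's/^wrapper\.java\.additional\.\([0-9][0-9]*\)=.*/\1/p' "$conf" |
        sort -n | tail -n 1)
  echo "${n:-0}"
}

# add_ssl_props <wrapper.conf> <keystore path> <keystore password>
# Returns 1 without touching the file if a keyStore property already exists,
# so running it twice cannot leave two competing keystore settings behind.
add_ssl_props() {
  conf="$1"; keystore="$2"; password="$3"
  if grep -q 'javax\.net\.ssl\.keyStore=' "$conf" 2>/dev/null; then
    echo "javax.net.ssl.keyStore is already configured in $conf" >&2
    return 1
  fi
  last=$(max_additional_index "$conf")
  ks_idx=$((last + 1))
  pw_idx=$((last + 2))
  printf 'wrapper.java.additional.%d=-Djavax.net.ssl.keyStore=%s\n' \
    "$ks_idx" "$keystore" >> "$conf"
  printf 'wrapper.java.additional.%d=-Djavax.net.ssl.keyStorePassword=%s\n' \
    "$pw_idx" "$password" >> "$conf"
  # The password now sits in clear text in wrapper.conf; keep the file
  # readable only by the account that runs Nexus.
  chmod 600 "$conf"
}

# Usage (hypothetical flag chosen for this example):
#   sh add-ssl-props.sh --apply $NEXUS_HOME/conf/wrapper.conf \
#       /path/to/jssecacerts changeit
if [ "${1:-}" = "--apply" ] && [ $# -eq 4 ]; then
  shift
  add_ssl_props "$@"
fi
```

Run it once, after both import-ssl commands have finished and you have the keystore path printed by the client command. If wrapper.conf already carries a javax.net.ssl.keyStore setting the script exits non-zero and leaves the file alone, which is the behaviour you want when the same provisioning step is re-run on an already configured host.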