Automatic import of private CA certificates in Windows.#3441

Open

Cesar-DC wants to merge 1 commit into

jfrog:master from

Cesar-DC:feat/windows-auto-ca-bootstrap

Open

Automatic import of private CA certificates in Windows. #3441
Cesar-DC wants to merge 1 commit into
jfrog:master from
Cesar-DC:feat/windows-auto-ca-bootstrap

Conversation

@Cesar-DC

@Cesar-DC Cesar-DC commented Apr 16, 2026

Copy link

Copy Markdown

Summary

This PR adds a Windows-specific preflight step to improve handling of private PKI certificates in JFrog CLI.

When a command includes a target URL, the CLI:

Performs a TLS handshake using the Windows trust store
Extracts the verified certificate chain
Writes the certificates (leaf, intermediate, root) into:
~/.jfrog/security/certs
Continues execution

Motivation

On Windows, JFrog CLI may fail with:

even when the certificate is already trusted by the OS.

Manually exporting the site certificate from a browser and placing it in ~/.jfrog/security/certs resolves the issue.

This patch automates that process.

Behavior

Windows only
Triggered when --url or JFROG_URL is provided
Writes:
- leaf.pem
- intermediate.pem
- root.pem

Testing

Validated locally:

jf.exe rt ping --url=https://<host>/artifactory


 Add Windows TLS certificate bootstrap preflight

5a14e51

@Cesar-DC Cesar-DC had a problem deploying to frogbot

April 16, 2026 11:48

— with GitHub Actions Failure

@github-actions

github-actions Bot commented Apr 16, 2026

Copy link

Copy Markdown

Contributor

Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.

I have read the CLA Document and I hereby sign the CLA

CULOT CÉSAR seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You can retrigger this bot by commenting recheck in this Pull Request.}_{Posted by the CLA Assistant Lite bot.}

RemiBou

RemiBou requested changes

Apr 16, 2026

View reviewed changes

@RemiBou RemiBou left a comment

Copy link

Copy Markdown

Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

add tests

internal/certbootstrap/persist.go

@@ -0,0 +1,71 @@

package certbootstrap

@RemiBou RemiBou Apr 16, 2026

Copy link

Copy Markdown

Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

add tests

internal/certbootstrap/persist.go

return filepath.Join(home, ".jfrog")

}

func PersistVerifiedChain(jfrogHome string, chain []*x509.Certificate) (int, error) {

@RemiBou RemiBou Apr 16, 2026

Copy link

Copy Markdown

Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why do we need to persist the chain ?

@Cesar-DC Cesar-DC Apr 16, 2026

Copy link

Copy Markdown

Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Go on Windows can validate a certificate against the CAs available in the Windows certificate store (typically managed by a corporate PKI team).

If the connection is successfully validated by Go, we can safely extract and copy the certificate chain into the location expected by JFrog CLI (~/.jfrog/security/certs).

This approach avoids a full rewrite of the CLI to directly support the Windows certificate store. Instead, it preserves the existing mechanism (manual placement of private CA certificates), while leveraging Go’s ability to interact with the system certificate store to ensure the chain we import is trusted.