This document describes how to configure Maven for accessing a remote repository that sits behind an HTTPS server which requires client authentication with certificates. It is expected that this documentation be valid both for Maven 1.x and Maven 2.0.
You have a server storing a maven repository at addresse https://my.server.com/maven. This server only serves clients authenticated through SSL protocol by a valid certificate signed by an approved certificate authority's certificate which we call the CACert. In the simplest case where the server is used internally by an identified community of users (eg. corporate intranet), the server's certificate is the certificate authority as the server is used only internally.
So we assume that we have access to the trusted certificate in X.509 format stored in a file named:
The client's certificate has been issued by some other mean not described in this document in PKCS#12 format, which is the format that is accepted by browsers (at least Firefox and Internet Explorer) for importation in their keystore. This file is named:
and we assume it is accessible when launching maven. Note that this file contains the client's private key which may be very sensitive information and so is secured by a password:
The remote repository is referenced either through the pom.xml file (maven2.0) or one of build.properties or project.properties (Maven1.X). In Maven 1.X:
For maven to use this repository, we should take the following steps:
The following command line imports the certififcate authority's certificate into a JKS formatted key store named trust.jks, the trust store.
$> keytool -v -alias mavensrv -import \ -file /somewhere/in/filesystem/CACert.cert\ -keystore trust.jks Enter keystore password: Owner: .... Issuer: .... Serial number: .... Valid from: Mon Feb 21 22:34:25 CET 2005 until: Thu Feb 19 22:34:25 CET 2015 Certificate fingerprints: MD5: ....... SHA1: ..... Trust this certificate? [no]: yes Certificate was added to keystore [Storing trust.jks] $>
Note that it should be possible to import a full chain of certificates with only one root certificate being trusted but the author did not test it.
The following properties must be set at start of maven to be accessible when HttpClient starts up.
Not all the properties must be set depending of your precise settings: type of store may left to default, password may be empty.
They may be set either on maven's command-line, in .mavenrc file or in MAVEN_OPTS environment variable. For the setting defined in this document, here is an example .mavenrc file:
MAVEN_OPTS="-Xmx512m -Djavax.net.ssl.trustStore=trust.jks \ -Djavax.net.ssl.trustStorePassword= \ -Djavax.net.ssl.keyStore=/home/directory/mycertificate.p12 \ -Djavax.net.ssl.keyStoreType=pkcs12 \ -Djavax.net.ssl.keyStorePassword=XXXXXX"