Page tree

Do you want an overview on Nexus' solutions, customer cases, contact information and more?


Skip to end of metadata
Go to start of metadata

This article describes how to set up certificate-based login to Nexus PRIME.

Expand/Collapse All



A working HTTPS configuration with client authentication on the Tomcat is required. See Configure https for Tomcat.

Step-by-step instruction

 Set up authentication profile

The first step is to set up an authentication profile in the PRIME Designer:

  1. Follow the instructions in Set up authentication profile, to set up an authentication profile of any of the following types:
    • Client Certificate and LDAP
    • Client Certificate and Core Object
    • Client Certificate Internal - not recommended in a production environment
  2. Select the certificate attribute the system shall extract the login information from.
    • User Principal Name (UPN): Extracts the information from the SANAttribute "otherName"
    • SAN Email (RFC822Name): Extracts the information from the SANAttribute "rfc822Name"
    • Subject CN: Extracts the information from the CN field
    • Subject Email: Extracts the information from the EMAILADDRESS field
 Set up validation chain for user certificates

When a user logs in to PRIME with a certificate, the PRIME server does a validation of the corresponding certificate revocation lists (CRLs). To check the certificate chain of the CRL Signing CA, there is a separate truststore configured on the PRIME server.

To configure the path to the truststore

  1. On the PRIME server, open the file
  2. Modify the path to the truststore, if needed:

    Example: truststore path in
    jksKeyStoreProvider.keyStorePath = "file:C:/primeCerts/crlCaChain-truststore.jks"
    jksKeyStoreProvider.keyStorePassword = "123456"

    For more information on how to configure a truststore file with the java keytool, see Configure https for Tomcat.

 Access PRIME Designer, Explorer and Self-Service

To access the PRIME components, use the following links: 

URLs to PRIME Designer and PRIME Explorer

For PRIME Self-Service you need to click on the link "Client Certificate Login" on the login page.