Using client certificate for server authentication

I’m trying to contact a maven repo which requires a custom client certificate.
The documentation (-connection-settings | bnd) does not mention anything about it.
In a pure Java example I can configure the system props and provide a default Authenticator and it works.

System.getProperties().put("", "pkcs12");
System.getProperties().put("", "pw");
System.getProperties().put("", "pw");

Authenticator.setDefault(new Authenticator() {
	protected PasswordAuthentication getPasswordAuthentication() {
		return new PasswordAuthentication(USER, PW.toCharArray());
	}
});

Is this feasible or available in bnd?

Unfortunately not … yet. It has been on my list for a long time. You could try to provide the information with the -D when bnd is invoked. You can do this at Eclipse startup and Gradle.

Thx for the info Peter.
I patched the /biz.aQute.bndlib/src/aQute/bnd/http/
with this code.

// Opt-in Basic auth header, controlled by system properties
if (Boolean.getBoolean("bnd.basicAuth")) {
	logger.debug("using basic auth");
	String user = System.getProperty("bnd.basicAuthUser");
	String pw = System.getProperty("bnd.basicAuthPassword");
	String userpass = user + ":" + pw;
	// Base64-encode "user:password" for the Authorization header
	String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userpass.getBytes()));
	urlc.setRequestProperty("Authorization", basicAuth);
}
return urlc;

giving me the option to add a basic auth feature via sys props.
Together with the* sys props it works then.

What would be your approach to add this feature permanently?

This is just basic authentication, which is already supported by the connection settings?

I am not sure I understand the relation to certificates?

It looks as if there is a combination of connection settings (e.g. suspect is the verify) and properties which are not working. I will try to investigate it more and hopefully provide a testcase for /biz.aQute.bndlib.comm.tests/test/aQute/bnd/comm/tests/

You might want to look at aQute.bnd.url.HttpsVerification. It already does some certificate handling to verify the host and it creates its own SSL socket factory.

Thx, I will have a look.

I’ve found a solution: in your connection-settings.xml you need to specify <verify>true</verify> and no <trust> like this:

<?xml version="1.0" encoding="UTF-8"?>


This is the only combination - besides no settings at all - that uses the default Http handler and thus allows client certificates to be sent.

Actually it is sufficient to have neither <verify> nor <trust> in your connection-settings.xml.

Thanks, I’ve updated the document to explain this.
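
An added example, not part of the thread and not bnd's own code: in the standard JDK the javax.net.ssl.keyStore* system properties are read only when the JVM builds its default SSLContext, so a handler that installs its own SSL socket factory sends a client certificate only if that factory's context was given key managers explicitly. The sketch below shows such a context for a single HttpsURLConnection; the class name, the argument order and the CLIENT_P12_PASSWORD environment variable are assumptions made for this example.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class ClientCertConnection {

    // Build an SSLContext that presents the client certificate stored in a
    // PKCS#12 file and validates the server against the default trust store.
    static SSLContext clientCertContext(String p12Path, char[] password) throws Exception {
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(p12Path))) {
            keyStore.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, password);

        // A null KeyStore selects the JVM's default trust store.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);

        SSLContext ctx = SSLContext.getInstance("TLS");
        // Initialising with null key managers instead would leave the context
        // with no client key to present, whatever javax.net.ssl.keyStore says.
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical inputs: args[0] = repository URL, args[1] = PKCS#12 path.
        String pw = System.getenv("CLIENT_P12_PASSWORD");
        if (args.length < 2 || pw == null) {
            throw new IllegalArgumentException("usage: <url> <p12 file>, with CLIENT_P12_PASSWORD set");
        }
        URL url = new URL(args[0]);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Per-connection factory; hostname verification stays at the JDK default.
        conn.setSSLSocketFactory(clientCertContext(args[1], pw.toCharArray()).getSocketFactory());
        System.out.println(url + " -> HTTP " + conn.getResponseCode());
    }
}
```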