https://community.cloudera.com/t5/Support-Questions/Using-CA-issued-cert-for-SSL/m-p/331606#M230922 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/94023">@dontiffjr</a>&nbsp;<BR /><BR />The exception in your browser&nbsp;<SPAN>ERR_CERT_AUTHORITY_INVALID typically means that the trust chain for your NiFi's serverAuth certificate is not trusted by your browser.&nbsp; You should see an option in the browser to "proceed to ...".&nbsp; If you click on that, can you get to the NiFi UI?<BR />You can also use openssl command to inspect the server hello coming from your NiFi and obtain the public cert for your NiFi server's certificate.&nbsp; You can load those public certificates into you browser trust.<BR /></SPAN></P><LI-CODE lang="markup">openssl s_client -connect &lt;nifi-hostname&gt;:&lt;nifi-port&gt; -showcerts</LI-CODE><P><SPAN><BR /><BR />Next thing to look at would be the contents of your certificate.<BR /></SPAN></P><LI-CODE lang="markup">&lt;path to java&gt;/bin/keytool -v -list -keystore &lt;path to&gt;/keystore.jks</LI-CODE><P><SPAN>You'll want to make sure it contains:<BR />1. A DN that does not contain wildcards<BR /></SPAN></P><P><SPAN>2. ExtendedKeyUsage (EKU) with both clientAuth and serverAuth<BR />3. SubjectAlternativeName (SAN) with entry that matches the hostname of the server on which it is being used.<BR />4. verify issue and expiration dates for certificate and that server clock and your local client machine where you are using browser has same date and time.<BR /><BR /></SPAN></P><P>If you found this response assisted with your query, please take a moment to login and click on "<STRONG>Accept as Solution</STRONG>" below this post.<BR /><BR />Thank you,</P><P>Matt</P><P><SPAN>&nbsp;</SPAN></P> Fri, 03 Dec 2021 13:39:26 GMT MattWho 2021-12-03T13:39:26Z