
Clarification on Enabling SSL for NiFi from existing certificate


I am trying to enable SSL on my NiFi instance and I had our Dev Ops team get me a certificate from a trusted CA (we use Comodo for our corporate certificates). They gave me a .cer file (i.e. mt-ssl-cert.cer) and I've looked at all of the posts and the documentation on how to do this, but it seems I am missing something. All of the posts and documentation say if you are using an existing certificate, copy the certificate to the nifi conf directory and then enter the location, type, and passwords for the truststore and keystore. Where does one get this info? Do I need to create my own on the server and import the certificate I got? If so, can someone help point me in the direction of some instructions? Configuring SSL is foreign to me and I've never had to do anything with it before. Most of the information I find on how to do this online refers to self-signed certificates, but I can't seem to find any details on how to do this in a corporate infrastructure. Thanks in advance for your help.


Re: Clarification on Enabling SSL for NiFi from existing certificate

Eric,

The public certificate they provided you is not sufficient to secure your system. You (eventually) need a Java Keystore (*.jks) file that contains the PrivateKeyEntry -- the private key that corresponds to the public key you currently have contained in a certificate. There are many guides on the internet for building a keystore from the private key (you'll have to go through an intermediate step of importing it into a PKCS12 keystore first then converting that to JKS). Once you have done this, you configure nifi.properties with the keystore path, password, and type.

You will need to either obtain the private key from your DevOps team, or generate your own and send them a Certificate Signing Request (CSR) which allows you to keep the private key on your system and not expose it to anyone else during the signing process. Once you have the private key, follow the instructions linked above to build the keystore.
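The procedure the answer describes (private key + CA-issued certificate into a PKCS12 bundle, PKCS12 converted to JKS with keytool, then the matching keystore/truststore entries for nifi.properties), written out as an added example that is not part of the original thread. It assumes `openssl` and the JDK `keytool` are on PATH, that the private key is PEM, that the `.cer` may be DER or PEM, and that the CA chain is available as a PEM file; the file names and the password are placeholders.

```shell
#!/bin/sh
# Added example: build NiFi keystore/truststore from an existing CA-issued
# certificate and its private key. Paths, aliases and passwords are placeholders.
set -eu

# Normalize the certificate to PEM: a DER-encoded .cer is converted, PEM passes through.
to_pem() {
  if grep -q 'BEGIN CERTIFICATE' "$1"; then cat "$1"; else openssl x509 -inform DER -in "$1"; fi
}

# build_keystore <private.key> <server.cer> <ca-chain.pem> <outdir> <password>
# Step 1: private key + leaf cert + chain -> PKCS12 (the PrivateKeyEntry lives here).
# Step 2: PKCS12 -> JKS via keytool; the key password ends up equal to the store password.
# Step 3: truststore holds only the CA chain, never the private key.
build_keystore() {
  key=$1; cert=$2; chain=$3; outdir=$4; pass=$5
  to_pem "$cert" > "$outdir/server.pem"
  openssl pkcs12 -export -inkey "$key" -in "$outdir/server.pem" -certfile "$chain" \
    -name nifi-key -out "$outdir/keystore.p12" -passout "pass:$pass"
  keytool -importkeystore -srckeystore "$outdir/keystore.p12" -srcstoretype PKCS12 \
    -srcstorepass "$pass" -destkeystore "$outdir/keystore.jks" -deststoretype JKS \
    -deststorepass "$pass" -noprompt
  keytool -importcert -file "$chain" -alias corp-ca -keystore "$outdir/truststore.jks" \
    -storepass "$pass" -noprompt
  rm -f "$outdir/keystore.p12" "$outdir/server.pem"   # leave only the two JKS files behind
}

# nifi_tls_properties <keystore.jks> <truststore.jks> <password>
# Prints the nifi.properties entries that point NiFi at the stores built above.
nifi_tls_properties() {
  ks=$1; ts=$2; pass=$3
  printf 'nifi.security.keystore=%s\n' "$ks"
  printf 'nifi.security.keystoreType=JKS\n'
  printf 'nifi.security.keystorePasswd=%s\n' "$pass"
  printf 'nifi.security.keyPasswd=%s\n' "$pass"     # same as store password after the keytool conversion
  printf 'nifi.security.truststore=%s\n' "$ts"
  printf 'nifi.security.truststoreType=JKS\n'
  printf 'nifi.security.truststorePasswd=%s\n' "$pass"
}
```

Running `build_keystore server.key mt-ssl-cert.cer ca-chain.pem /opt/nifi/conf changeit` and appending `nifi_tls_properties /opt/nifi/conf/keystore.jks /opt/nifi/conf/truststore.jks changeit` to nifi.properties gives NiFi a keystore with a PrivateKeyEntry, which is the piece the bare .cer file cannot provide.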


Re: Clarification on Enabling SSL for NiFi from existing certificate


Thank you @Andy LoPresto! That helps a lot with the details. I'm waiting on Dev Ops to supply me with the private key, so I haven't been able to try this yet, but it seems pretty straightforward now.
