Just a side comment: cacerts ("the default") truststore shipped with JRE does not always contain all certificates needed. I have run into issue, when using OS default CA certificates handling, the webpage was using valid certificate, but Java was considering the certification path incomplete.
I am using Ubuntu and to mitigate this issue, one can import all certificates from ca-certificates package of Ubuntu into Java truststore to be used with NiFi.
To import all ca-certificates from Ubuntu to your truststore, you can use openssl pkcs12 export tool:
openssl pkcs12 -export -nokeys -in /etc/ssl/certs/ca-certificates.crt -out /etc/nifi/truststore.p12
where /etc/nini/truststore.p12 is the truststore to be set in SSLContextService. Remember to change also the type of keystore to pkcs12 (not JKS).
If you are unlucky, like I was, you may run into issue where JRE is unable to parse PKCS12 generated by openssl (openjdk has this problem with IBM generated file
https://bugzilla.redhat.com/show_bug.cgi?id=961069, it seems like Java implementation of PKCS12 is 'we had to do it, but we don't mind, use JKS).
Then, one can import all /etc/ssl/certs/*.pem files into JKS truststore by using keytool from JDK distribution (this is bash code):
for file in `ls /etc/ssl/certs/*.pem`; do keytool -noprompt -importcert -keystore /etc/nifi/truststore.jks -storepass changeit -file $file -alias $file; done
Now we have JKS type keystore which can be read by Java (it was written by Java so we at least hope so Java can read it). Just set this truststore in SSLContextService and you have all certs which Ubuntu has provided to you as trusted.
As a verification that import worked, one can compare count of *.pem files to count of certificates in truststore:
ls -1 /etc/ssl/certs/*.pem | wc
keytool -storepass changeit -list -keystore /etc/nifi/truststore.jks | grep finge | wc
Number of lines should be equal.
