Support Questions
Find answers, ask questions, and share your expertise

Does NiFi CA generate self signed or signed cert?

Super Guru

Our browser requires interacting with only signed certificates. Does NiFi CA generate self signed or signed certs? I assume it is self signed and not integrated with a real certificate authoruity. But not sure. Feedback appreciated.


Super Guru

Thanks @Andrew Grande for confirming they are self signed.

Master Guru



Just to add some clarity. The NiFi CA is a self-signed certificate authority (Meaning the NiFi CA's certificate is a root level CA and has not had its certificate signed by a higher authority). The NiFi TLS toolkit can be used to create client/server certificates that are then signed by this authority for use by NiFi. The truststore.jks file used by NiFi typically contains all the "trustedCertEntries" needed to authenticate any client certificates used to authenticate against NiFi. So this would include the trustedCertEntry for the NiFi CA. The keystore.jks file used by NiFi could contain the PrivateKeyEntry (which is the certificate that has been signed by the NiFi CA).


Within a browser there are certificates and a number of default and possibly user added Authorities. In order for your browser to trust any certificate signed by the NiFi CA, the public certificate for your NiFi CA must be added to your browsers trusted authorities.


For example, you can see I have done that in Firefox here:


You will see "Apache-NiFi CA" has been added.

Now this browser will trust any certificate that has been signed by that authority.


Thank you,


I have provided a feature implementation (NIFI-5476 | PR 2935) in the current Apache NiFi master branch which allows the TLS Toolkit running in standalone mode to use an externally-signed CA certificate to sign node certificates. With this capability, you can purchase/obtain a certificate signed by a known (browser-installed) CA, which will be trusted by browsers. You can then use this certificate to sign node certificates. I am currently working on enabling the same feature in client/server mode, but it is not yet present.

New Contributor

@MattWho  Can you please tell how to add NIFI CA in authorities?

Currently we have use p12 file everytime for new DN generated by toolkit.

Do we need to add nifi-cert.pem while creating authority?



Master Guru



It is not clear to me what you are asking when you say "add NIFI CA in authorities".


Instructions on using the NiFi TLS toolkit can be found here:


Using the Client/Server Tls Toolkit operational mode covered here:

Will give you the ability to create a running NiFi CA authority "server" which will sign your NiFi node certificates created using the "client" mode.




; ;