Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

How will I set up Secure NIFI cluster that using my real Cert that I bought instead of self generate.

avatar
Contributor

I am following the below procedure but I don't see how I can apply the Cert that I bought.

http://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy

1 ACCEPTED SOLUTION

avatar

Mark,

The certificate you purchased from a certificate authority will identify the NiFi application. Depending on the format it is in (likely a *.key file containing the private key which never left your computer and a *.pem or *.der file containing the corresponding public key, which was then signed via a CSR (Certificate Signing Request) sent to the CA), you will need to build the following files:

  • Keystore
    • This will contain the private key and public key certificate with the issuing CA's public certificate in a chain (as a privateKeyEntry) [see example output below]
  • Truststore
    • This will contain the public key of your client certificate (if using one) in order to authenticate you as a user connecting to the UI/API.

Alternate example using keytool:

  1. You generate a public/private keypair using the Java keytool:

    $ keytool -genkey -alias nifi -keyalg RSA -keysize 2048 -keystore keystore.jks

  2. You then export a certificate signing request which you send to the certificate authority:

    $ keytool -certreq -alias nifi -keyalg RSA -file nifi.csr -keystore keystore.jks

  3. You will get a CSR file nifi.csr which you send to the CA, and they provide a signed public certificate (and the public certificate of the CA) back cert_from_ca.pem:

    $ keytool -import -trustcacerts -alias nifi -file cert_from_ca.pem -keystore keystore.jks

Here is a link to the full steps I ran (I ran my own CA in another terminal to simulate the actions of the external CA) and the resulting output.

View solution in original post

4 REPLIES 4

avatar

Mark,

The certificate you purchased from a certificate authority will identify the NiFi application. Depending on the format it is in (likely a *.key file containing the private key which never left your computer and a *.pem or *.der file containing the corresponding public key, which was then signed via a CSR (Certificate Signing Request) sent to the CA), you will need to build the following files:

  • Keystore
    • This will contain the private key and public key certificate with the issuing CA's public certificate in a chain (as a privateKeyEntry) [see example output below]
  • Truststore
    • This will contain the public key of your client certificate (if using one) in order to authenticate you as a user connecting to the UI/API.

Alternate example using keytool:

  1. You generate a public/private keypair using the Java keytool:

    $ keytool -genkey -alias nifi -keyalg RSA -keysize 2048 -keystore keystore.jks

  2. You then export a certificate signing request which you send to the certificate authority:

    $ keytool -certreq -alias nifi -keyalg RSA -file nifi.csr -keystore keystore.jks

  3. You will get a CSR file nifi.csr which you send to the CA, and they provide a signed public certificate (and the public certificate of the CA) back cert_from_ca.pem:

    $ keytool -import -trustcacerts -alias nifi -file cert_from_ca.pem -keystore keystore.jks

Here is a link to the full steps I ran (I ran my own CA in another terminal to simulate the actions of the external CA) and the resulting output.

avatar
Contributor

@Andy LoPresto

Hi Andy, Thank you so much for your help. I understanding much better about the Certificates and when you to use TLS Generation Toolkit and what to your for prod environment. I am running into user permission issue. Shall I ask on the same thread or shall I create new question? Thanks for the help Andy!

avatar

Mark, I'm glad the answer helped you. You should open a new question for the user permission issue and I will take a look.

avatar
Contributor