Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

NIFI SSL , how to use registered certificates (not self-signed)

avatar
Contributor

Hello,

I used the link for securing NIFI https://community.hortonworks.com/articles/58233/using-the-tls-toolkit-to-simplify-security.html and it works fine for POC.

In the above link I used tls-toolkit and it generates

CN=team_OU=NIFI.p12

CN=team_OU=NIFI.password nifi-cert.pem

nifi-key.key

keystore.jks

nifi.properties

truststore.jks

Next step , for production environment our IT registered domain name and generates <domain_name>.crt and <domain_name>.key

Question: how to switch NIFI use these files / certificates ( <domain_name>.crt and <domain_name>.key) ?

Thanks

Oleg.

6 REPLIES 6

avatar
Explorer

Is there a solution for this?

avatar

I'd love a solution for this as well.

avatar

NiFi cannot be configured to use a PEM encoded certificate file ( *.crt) and key file (*.key) directly. These files must be converted into Java Keystore (*.jks) files (or PKCS12 (*.p12) keystores, but JKS is preferred).

  1. Convert the certificate from PEM to PKCS12 using openssl
    1. openssl pkcs12 -export -out keystore.p12 -in mydomain.crt
    2. Provide a strong password when prompted
  2. Create a JKS truststore file and then delete the temporary alias
    1. keytool -genkey -keyalg RSA -alias temp -keystore truststore.jks
    2. keytool -delete -alias temp -keystore truststore.jks
    3. You can populate the temporary key with any values, or leave each field empty
  3. Import the IT CA public key certificate into the truststore
    1. You don't mention receiving a separate file containing it, so it may be included in the mydomain.crt file or accessible by contacting your IT department or running other commands. See section below
    2. keytool -import -v -trustcacerts -alias domain_ca -file domainCA.pem -keystore truststore.jks
    3. When prompted to trust this certificate, type "yes"
  4. Create a JKS keystore file and then delete the temporary alias
    1. keytool -genkey -keyalg RSA -alias temp -keystore keystore.jks
    2. keytool -delete -alias temp -keystore keystore.jks
    3. You can populate the temporary key with any values, or leave each field empty
  5. Import the private key into the keystore
    1. keytool -v -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS

You now have a keystore.jks and truststore.jks file to use with NiFi. In nifi.properties, provide the paths to these files in nifi.security.keystore and nifi.security.truststore respectively, provide "JKS" as the value for nifi.security.keystoreType and nifi.security.truststoreType, and the respective password for each in nifi.security.keystorePasswd and nifi.security.truststorePasswd.

Obtaining the CA certificate

There are multiple ways to obtain the CA certificate containing the public key.

  1. The mydomain.crt file contains a complete certificate chain
    1. You can determine if this is the case by viewing the encoded contents of the file using a text editor, more, cat, etc. If there are multiple -----BEGIN CERTIFICATE----- lines in the file, there are multiple certificates stored in it
    2. If this is the case, you can use the command below to view the chain in parsed form, and find the certificate whose "Subject: " looks like C=US, ST=CA, L=Santa Monica, O=Unknown, OU=Your IT Organization, CN=mydomain.com CA. The order in the output matches the order of the blocks in the mydomain.crt file, but usually it will be the last block
      1. openssl crl2pkcs7 -nocrl -certfile mydomain.crt | openssl pkcs7 -print_certs -text -noout
    3. Copy the encoded block representing the CA certificate into a new file called domainCA.pem. From here, return to Step 3.2 above
  2. You can request the CA certificate from your IT department
    1. If this is the case, they will likely provide it in PEM format, with either a domainCA.pem or domainCA.crt extension. From here, return to Step 3.2 above
  3. You can obtain the CA certificate by connecting to the CA hostname and downloading the presented certificate
    1. Determine the hostname of the CA. If it is not available via the network because it is kept offline (the most secure practice), you'll have to connect to an intermediate CA (this can be determined from the certificate chain)
    2. For example, we will pretend mydomain.crt was signed by Let's Encrypt, a free commercial certificate authority. This will take the place of your (similar) ca.domain.com CA
    3. Use the following command to connect to the CA and view its certificates. You'll copy and paste the output that shows a PEM certificate to a file called domainCA.pem
      1. echo 'Q' | openssl s_client -connect letsencrypt.org:443 -showcerts
      2. In the output, you'll see a section titled "Certificate chain" followed by a zero-indexed list of certificates. Each consists of three pieces:
        1. The first line is the index and subject of the certificate. This is "who the certificate is"
          1. 0 s:/CN=www.letsencrypt.org
        2. The second line is the issuer of the certificate. This is "who says this certificate is who it claims"
          1. i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
        3. The remaining lines are the PEM encoded certificate block. When you reach the last certificate in the list, this is the section to copy to domainCA.pem
          1. -----BEGIN CERTIFICATE-----
            MIIH5jCCBs6gAwIBAgISA2gSCm/BtvCR2e2bIap5YbXaMA0GCSqGSIb3DQEBCwUA
            ...
            l1Ou20Dm9TxnNw==
            -----END CERTIFICATE-----
            					

avatar

HI ,

 

Can you please let me know how to create client cert for authentication when CA cert is applied on Nifi Server end.

avatar
New Contributor

Hi,

 

I used keystore explorer (https://keystore-explorer.org/downloads.html) to generate a client certificate from the server certificate. The server's intermediate CA public cert has to be in the truststore as well as the server certificate.

 

As for the user cert I sign it with the server cert, export as user.p12 and export the user cert. The trick is the extentions you have to add on the user cert. You can use this template with keystore explorer: https://drive.google.com/open?id=1k_BVTtNb8EcrKHDgOvnVMx-GevYZgQqF 

 

The main thing is the basic constraints extention should be Subject is not a CA and the extended key usage should be for server and client auth

avatar
New Contributor
  1. Convert the certificate from PEM to PKCS12 using openssl
    1. openssl pkcs12 -export -out keystore.p12 -in mydomain.crt
    2. Provide a strong password when prompted

I don't know if it's a version issue but I only got the first instruction working adding the " -inkey mydomain.key"

 

openssl pkcs12 -export -inkey mydomain.key -in mydomain.crt -out keystore.p12

 

The rest of the article is great. Thanks for the explanation