Created 04-07-2025 12:07 AM
Hi
We are using DecryptContentPGP (Private key) and EncryptContentPGP (Public key)
to encrypt and decrypt the file at rest, which is working fine.
This same cert is being used by multiple flows.
We are facing an issue when we have to renew this cert, since we need to restart the controller service StandardPGPPublicKeyService.
As this is being used by multiple flows, we need to stop and start all the flows.
Is there an easier way to update cert without restarting StandardPGPPublicKeyService?
Thanks
Created 04-07-2025 05:57 AM
@nifier 
Unfortunately not. When the StandardPGPPublicKeyService Controller Service is enabled, it loads the Keyring into heap memory. Only stopping will allow you to edit the "Keyring" or allow it to load an updated keyring from the "Keyring File". Likewise, any component that has been configured to use this StandardPGPPublicKeyService must be stopped whenever the Controller Service is disabled, because a dependency exists between the two components and thus the components are no longer "Valid" and able to run when the Controller Service is disabled. Stopping and starting the Controller Service gives you the option to start all the dependent processors using it at the same time.
You could raise an Apache NiFi Jira (https://issues.apache.org/jira/browse/NIFI) for a new feature request around the StandardPGPPublicKeyService Controller Service, perhaps asking for the ability to update a KeyRingFile while enabled and to specify a re-read interval for reading the KeyRingFile.
Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.
Thank you,
Matt
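The restart sequence described in the answer above, scripted as an added example (not part of the original posts and not NiFi project code): stop the dependents, disable the service, swap the keyring file, enable, start the dependents. The paths and JSON bodies follow the NiFi REST API's controller-service `references` and `run-status` resources and are assumptions to confirm against your version's API docs; `FakeNiFi`, its ids, and the `fetch`/`send`/`swap_keyring` callables are constructed stand-ins so the code runs offline.

```python
import copy

def ref_revisions(svc):
    """Processor id -> revision for each processor referencing the service."""
    return {r["id"]: r["revision"] for r in svc["component"]["referencingComponents"]
            if r["component"]["referenceType"] == "Processor"}

def rotate_keyring(fetch, send, swap_keyring):
    """fetch() returns the current service entity; send(path, body) performs one PUT.
    The entity is re-fetched before each step because every update bumps revisions."""
    def put(suffix, make_body):
        svc = fetch()
        send(f"/nifi-api/controller-services/{svc['id']}/{suffix}", make_body(svc))
    refs = lambda state: lambda s: {"id": s["id"], "state": state,
                                    "referencingComponentRevisions": ref_revisions(s)}
    status = lambda state: lambda s: {"revision": s["revision"], "state": state}
    put("references", refs("STOPPED"))     # 1. stop the dependent processors
    put("run-status", status("DISABLED"))  # 2. disable the service
    swap_keyring()                         # 3. replace the Keyring File on disk
    put("run-status", status("ENABLED"))   # 4. enable: the new keyring is read
    put("references", refs("RUNNING"))     # 5. start the dependent processors

class FakeNiFi:
    """Constructed in-memory stand-in (made-up ids) so the sequence runs offline."""
    def __init__(self):
        proc = lambda i: {"id": i, "revision": {"version": 1},
                          "component": {"referenceType": "Processor", "state": "RUNNING"}}
        self.svc = {"id": "svc-1", "revision": {"version": 1}, "component": {
            "state": "ENABLED", "referencingComponents": [proc("enc-a"), proc("enc-b")]}}
        self.keyring, self.loaded, self.log = "old", "old", []
    def fetch(self):
        return copy.deepcopy(self.svc)
    def swap(self):
        self.keyring = "renewed"
    def send(self, path, body):
        refs = self.svc["component"]["referencingComponents"]
        if path.endswith("/run-status"):
            running = any(r["component"]["state"] == "RUNNING" for r in refs)
            if body["revision"] != self.svc["revision"] or (
                    body["state"] == "DISABLED" and running):
                raise RuntimeError("stale revision or dependents still running")
            self.svc["component"]["state"] = body["state"]
            self.svc["revision"]["version"] += 1
            # The keyring is only read when the service is enabled.
            self.loaded = self.keyring if body["state"] == "ENABLED" else self.loaded
        else:
            for r in refs:
                r["component"]["state"] = body["state"]
                r["revision"]["version"] += 1
        self.log.append((path.rsplit("/", 1)[1], body["state"]))
```

Against a real instance, poll the service entity until it reports DISABLED before swapping the file, since stop and disable requests complete asynchronously.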
Created 04-07-2025 08:13 AM
Thanks @MattWho for your response.