Created on 09-21-2017 02:12 PM - edited 08-17-2019 11:04 PM
Hi, I'm trying to secure my NiFi installation with SSL certificates. Initially I used the TLS toolkit for testing purposes, and things were working fine. However, when I switched to the CA SSL certs provided by my infra team, I'm having issues.
Some of the issues I observed:
1. Chrome doesn't prompt me to choose the certificate that I have installed (CA cert). If I use the SSL cert generated by the TLS toolkit, it prompts just fine.
2. I see some differences in the EKU and KU sections of both certs; see attached screenshot.
3. Certificate length is 2 for the one I generated via the TLS toolkit, but the length is 1 for the CA one.
I have tried everything and am not able to fix this issue.
Hope someone can point me in the right direction.
Created 09-25-2017 01:50 PM
Created 09-21-2017 05:00 PM
The "Keystore" you are using that was derived from your CA should contain only a single "PrivateKeyEntry". That "PrivateKeyEntry" should have an EKU that authorizes its use for both clientAuth and serverAuth. (Based on the above, the EKU looks correct.) The Issuer listed for that PrivateKeyEntry should be the DN of your CA. If the Issuer is the same as the Owner, it is a self-signed cert. This typically means you did not install the response you got back from your CA. You should have provided your CA with a CSR (certificate signing request), for which you then received a response.
The "truststore" should not contain any PrivateKeyEntries. It should contain 1 to many "TrustedCertEntries". There should be a TrustedCertEntry for every CA that signs any certificates being used anywhere to communicate with this NiFi. TrustedCertEntries are nothing more than the public keys.
Thanks,
Matt
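The checks Matt lists above (one PrivateKeyEntry in the keystore, Owner different from Issuer, an EKU carrying both serverAuth and clientAuth, no PrivateKeyEntries in the truststore) can be applied mechanically to the verbose listing that `keytool -list -v -keystore <file>` prints. The script below is an added example, not code from the thread or from NiFi: it parses that listing format (as produced by the JDK keytool) and reports which of those conditions fail. The three listings embedded in it are constructed samples, including one that reproduces the "CA response never imported" failure mode Matt describes.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed `keytool -list -v` output for a keystore whose CA response was imported.
GOOD_KEYSTORE = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: nifi-key
Creation date: Sep 21, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=nifi.example.test, OU=NIFI
Issuer: CN=Example Corp Issuing CA, O=Example Corp

Extensions:

#1: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

Certificate[2]:
Owner: CN=Example Corp Issuing CA, O=Example Corp
Issuer: CN=Example Corp Issuing CA, O=Example Corp
"""

# Constructed listing for the failure mode in the thread: the entry still holds the
# self-signed placeholder cert because the CA's signed response was never imported.
BAD_KEYSTORE = """\
Your keystore contains 1 entry

Alias name: nifi-key
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=nifi.example.test, OU=NIFI
Issuer: CN=nifi.example.test, OU=NIFI

Extensions:

#1: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]
"""

# Constructed listing for a truststore with one trustedCertEntry for the issuing CA.
TRUSTSTORE = """\
Your keystore contains 1 entry

Alias name: example-corp-ca
Entry type: trustedCertEntry

Owner: CN=Example Corp Issuing CA, O=Example Corp
Issuer: CN=Example Corp Issuing CA, O=Example Corp
"""

@dataclass
class Cert:
    owner: str
    issuer: str
    eku: List[str] = field(default_factory=list)

    @property
    def self_signed(self) -> bool:
        return self.owner == self.issuer

@dataclass
class Entry:
    alias: str
    entry_type: str
    certs: List[Cert]

ALIAS_RE = re.compile(r"(?m)^Alias name: ")
CERT_RE = re.compile(r"(?m)^Certificate\[\d+\]:")
EKU_RE = re.compile(r"ExtendedKeyUsages \[\n(.*?)\n\]", re.S)

def parse_keytool_listing(text: str) -> List[Entry]:
    """Split a `keytool -list -v` listing into entries and their certificates."""
    entries = []
    for block in ALIAS_RE.split(text)[1:]:          # text before the first alias is the header
        alias = block.splitlines()[0].strip()
        m = re.search(r"^Entry type: (\S+)", block, re.M)
        entry_type = m.group(1) if m else "unknown"
        parts = CERT_RE.split(block)
        # PrivateKeyEntries list numbered Certificate[n] sections; trustedCertEntries show one bare cert.
        cert_blocks = parts[1:] if len(parts) > 1 else parts
        certs = []
        for cb in cert_blocks:
            om = re.search(r"^Owner: (.+)$", cb, re.M)
            im = re.search(r"^Issuer: (.+)$", cb, re.M)
            if not (om and im):
                continue
            ek = EKU_RE.search(cb)
            eku = [l.strip() for l in ek.group(1).splitlines() if l.strip()] if ek else []
            certs.append(Cert(om.group(1).strip(), im.group(1).strip(), eku))
        entries.append(Entry(alias, entry_type, certs))
    return entries

def check_keystore(entries: List[Entry]) -> List[str]:
    """Apply the keystore rules from the thread; an empty list means all passed."""
    findings = []
    pk = [e for e in entries if e.entry_type == "PrivateKeyEntry"]
    if len(pk) != 1:
        findings.append(f"keystore should hold exactly one PrivateKeyEntry, found {len(pk)}")
    for e in pk:
        if not e.certs:
            findings.append(f"{e.alias}: no certificate could be parsed")
            continue
        leaf = e.certs[0]                            # Certificate[1] is the entry's own cert
        if leaf.self_signed:
            findings.append(f"{e.alias}: leaf certificate is self-signed (Owner == Issuer); CA response not imported?")
        for usage in ("serverAuth", "clientAuth"):
            if usage not in leaf.eku:
                findings.append(f"{e.alias}: EKU lacks {usage}")
    return findings

def check_truststore(entries: List[Entry]) -> List[str]:
    """Apply the truststore rules from the thread; an empty list means all passed."""
    findings = []
    if any(e.entry_type == "PrivateKeyEntry" for e in entries):
        findings.append("truststore must not contain PrivateKeyEntries")
    if not any(e.entry_type == "trustedCertEntry" for e in entries):
        findings.append("truststore has no trustedCertEntry")
    return findings

if __name__ == "__main__":
    for name, text, check in (("good keystore", GOOD_KEYSTORE, check_keystore),
                              ("bad keystore", BAD_KEYSTORE, check_keystore),
                              ("truststore", TRUSTSTORE, check_truststore)):
        print(name, "->", check(parse_keytool_listing(text)) or "OK")
```

To run it against a real store, replace the sample strings with the captured output of `keytool -list -v -keystore keystore.jks` and `keytool -list -v -keystore truststore.jks`. The script only reads the listing text, so no passwords or private keys ever pass through it.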
Created 09-25-2017 11:36 AM
Can you post the entire verbose output of both your keystore and truststore?
Created on 09-25-2017 10:32 AM - edited 08-17-2019 11:04 PM
Hi Matt,
Thanks for taking the time to answer. I checked the keystore and truststore based on what you provided. I can see exactly what you suggest: 1 PrivateKeyEntry in the keystore and 1 TrustedCertEntry in the truststore.
I have also turned on debugging, and this is what I see in nifi-bootstrap.log:
nifi-bootstrap.log
Appreciate your help on this matter. Thanks!
Created 09-27-2017 08:23 AM
@D H
Thank you very much for your help. It works now! I followed all your steps.
Created 09-27-2017 12:53 PM
Glad to hear it :). Enjoy your secure NiFi instance.