@pavanshettyg5 
The TLS implementation for NiFi requires proper configuration of both keystore and truststore with your organization's signed certificate with SAN entries to enable secure HTTPS access. Based on your description, you've received a signed certificate (nifi.crt) but are experiencing issues with the complete TLS setup.

Required Certificates & Files

  • Certificate Authority (CA) Certificate: The root certificate from your signing authority
  • Truststore: Contains the Certificate Authority (CA) root/intermediate certificates that signed your NiFi certificate (for mutual TLS or cluster communication).
  • Signed Certificate (nifi.crt): Your domain certificate with the SAN entries
  • Private Key: The private key used to generate the CSR

1. Prepare Certificate Files

Ensure you have:

  • The signed certificate (nifi.crt)
  • Your private key
  • The CA certificate (request from your CA if not available)

Problem 1: Missing Private Key or Certificate Chain

  • If you only have nifi.crt, you must also have:

    • The private key (e.g. nifi.key) generated during the CSR process.

    • The CA root/intermediate certificates (if your organization uses a private CA).

Problem 2: Improper Keystore/Truststore Format

  • NiFi uses Java KeyStores (JKS or PKCS12). Ensure your keystore/truststore is in the correct format.

  • If your organization uses OpenSSL-based tools, convert the PEM files (nifi.crt + nifi.key + CA chain) into a PKCS12/JKS keystore.

Problem 3: SAN Entries Not Recognized

  • Verify the SAN entries in your certificate match the NiFi node hostnames (e.g. nifinode1.x.x.net).

  • Use openssl x509 -in nifi.crt -text -noout to check SANs.

3. Step-by-Step Solution

A. Prepare the Keystore

  1. Combine Certificate and Private Key:

    • If you have nifi.crt and nifi.key, create a PKCS12 keystore:

# -chain/-CAfile: include the CA chain if needed
openssl pkcs12 -export \
  -in nifi.crt \
  -inkey nifi.key \
  -chain -CAfile ca_chain.crt \
  -name "nifi" \
  -out nifi-keystore.p12 \
  -password pass:keystorepassword
    • Use a password (e.g., keystorePassword).

2. Convert to JKS (if required): Java keystore from PKCS12

keytool -importkeystore \
-srckeystore nifi-keystore.p12 \
-srcstoretype PKCS12 \
-destkeystore nifi-keystore.jks \
-deststoretype JKS

B. Prepare the Truststore

  1. Import CA Certificates:

    • If your organization uses a private CA, add its root/intermediate certificates to the truststore

keytool -import -trustcacerts \
-alias ca-root \
-file ca_root.crt \
-keystore nifi-truststore.jks

C. Configure NiFi

  1. Update nifi.properties

    # HTTPS Settings
    nifi.web.https.host=0.0.0.0
    nifi.web.https.port=9443
    nifi.web.https.network.interface.default=

    # Security Properties #
    nifi.security.keystore=/path/to/keystore.jks
    nifi.security.keystoreType=JKS
    nifi.security.keystorePasswd=keystorepassword
    nifi.security.keyPasswd=keystorepassword

    # Truststore (required for cluster nodes/ZooKeeper)
    nifi.security.truststore=./nifi-truststore.jks
    nifi.security.truststoreType=JKS
    nifi.security.truststorePasswd=truststorePassword

    # Enable TLS for cluster nodes
    nifi.cluster.protocol.is.secure=true
    nifi.web.http.port=
    nifi.zookeeper.connect.string=zookeepernode1.x.x.net:2181,zookeepernode2.x.x.net:2181,zookeepernode3.x.x.net:2181
    nifi.zookeeper.client.secure=true

2. Update authorizers.xml (for mutual TLS): Configure for Cluster Communication

Configure authorizers.xml and nifi-registry.properties for secure cluster communication using the same certificates.

<property name="Initial Admin Identity">CN=admin, OU=YourOrg</property>
<property name="Node Identity 1">CN=nifinode1.x.x.net, OU=YourOrg</property>

D. Validate the Setup
After configuration

  1. Test Keystore/Truststore:

# Verify keystore contents
keytool -list -v -keystore keystore.jks -storepass keystorepassword

# Verify truststore contents
keytool -list -v -keystore truststore.jks -storepass truststorepassword

# Test SSL configuration
openssl s_client -connect nifi-dev.x.x.net:9443 -showcerts

Troubleshooting Common Issues

  1. Certificate Chain Issues: Ensure your keystore includes the full certificate chain
    # Concatenate certificates if needed
    cat nifi.crt intermediate.crt root.crt > fullchain.crt
  2. SAN Validation: Verify certificate has correct SAN entries
    openssl x509 -in nifi.crt -text -noout | grep -A1 "Subject Alternative Name"
  3. Java Compatibility: Ensure Java version compatibility with TLS
    # Add to bootstrap.conf if using older Java versions
    java.arg.16=-Dhttps.protocols=TLSv1.2
  4. Cluster Communication: Set proper node identities for cluster
    # In nifi.properties
    nifi.cluster.node.address=nifinode1.x.x.net
    nifi.cluster.node.protocol.port=11443
    nifi.remote.input.secure=true
  5. ZooKeeper Security: Only if using secure ZooKeeper connections
    # In zookeeper.properties
    secureClientPort=2281
    serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
    ssl.keyStore.location=/path/to/keystore.jks
    ssl.keyStore.password=keystorepassword
    ssl.trustStore.location=/path/to/truststore.jks
    ssl.trustStore.password=truststorepassword
  6. Verify HTTPS Access

Troubleshooting

  • "SSL Peer Unauthenticated":

    • Ensure the truststore contains the CA certificate that signed the NiFi certificate.

  • "Certificate Doesn't Match Hostname":

    • Verify SAN entries in nifi.crt include all NiFi node hostnames.

  • Keystore Password Mismatch:

    • Ensure nifi.security.keystorePasswd and nifi.security.keyPasswd match in nifi.properties.

Additional Recommendations

  1. Use strong, unique passwords for keystores and truststores
  2. Implement proper certificate rotation procedures
  3. Consider automating certificate management with tools like cert-manager
  4. Implement client certificate authentication for additional security
  5. Ensure proper DNS resolution for all SAN entries

By following the above steps, you’ll enable HTTPS for NiFi with proper SAN support and resolve keystore/truststore issues

Happy hadooping
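The "SAN Entries Not Recognized" and "Certificate Doesn't Match Hostname" items above come down to one check: does a dNSName SAN cover every node hostname? The script below is an added example (not part of the original post): it parses the two lines that `openssl x509 -text` prints for the SAN extension (the sample text and node names are constructed) and applies the one-label wildcard rule that TLS clients use.

```python
"""Check that a certificate's SAN entries cover every NiFi node hostname.

Added example, not from the original post. Input is the text that
`openssl x509 -in nifi.crt -text -noout` prints; SAMPLE_X509_TEXT is a
constructed stand-in for that output and the node names are assumed.
"""

# Constructed sample: the two lines `grep -A1 "Subject Alternative Name"` returns.
SAMPLE_X509_TEXT = """\
            X509v3 Subject Alternative Name:
                DNS:nifinode1.x.x.net, DNS:*.dev.x.x.net, IP Address:10.0.0.12
"""

def parse_sans(x509_text):
    """Return (dNSName list, IP list) from openssl's text output."""
    lines = x509_text.splitlines()
    for i, line in enumerate(lines):
        if "Subject Alternative Name" in line and i + 1 < len(lines):
            entries = [e.strip() for e in lines[i + 1].split(",")]
            dns = [e[len("DNS:"):] for e in entries if e.startswith("DNS:")]
            ips = [e[len("IP Address:"):] for e in entries if e.startswith("IP Address:")]
            return dns, ips
    return [], []  # no SAN extension: modern clients ignore the CN and will fail

def san_matches(pattern, hostname):
    """Exact match, or a leading '*' that covers exactly one label
    (so *.dev.x.x.net covers a.dev.x.x.net but not a.b.dev.x.x.net)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                       # ".dev.x.x.net"
    head, sep, rest = hostname.partition(".")
    return sep == "." and head != "" and "." + rest == suffix

def uncovered_nodes(x509_text, node_hostnames):
    """Return the node hostnames that no dNSName SAN covers (IP SANs only
    matter when clients connect by IP literal, so they are not consulted)."""
    dns_sans, _ = parse_sans(x509_text)
    return [h for h in node_hostnames
            if not any(san_matches(p, h) for p in dns_sans)]

if __name__ == "__main__":
    nodes = ["nifinode1.x.x.net", "nifinode2.x.x.net", "nifi-dev.dev.x.x.net"]
    print("SANs:", parse_sans(SAMPLE_X509_TEXT))
    print("nodes not covered:", uncovered_nodes(SAMPLE_X509_TEXT, nodes))
```

Run it against the real output (`openssl x509 -in nifi.crt -text -noout`) and the hostnames from nifi.cluster.node.address on each node; any name in the result needs a new CSR with that SAN.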
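The nifi.properties pitfalls listed above (keystorePasswd/keyPasswd mismatch, a repeated key whose last value silently wins, nifi.web.http.port left set next to the HTTPS port) can be caught before restarting NiFi. This linter is an added example, not part of the original post; SAMPLE_PROPERTIES is a constructed fragment that trips every check.

```python
"""Lint the TLS keys of a nifi.properties file for the mistakes the post lists.

Added example, not from the original post. SAMPLE_PROPERTIES is constructed.
"""
from collections import Counter

# Constructed sample: repeated truststore key, HTTP port set, key/keystore
# passwords differ, empty truststore password.
SAMPLE_PROPERTIES = """\
nifi.web.http.port=8080
nifi.web.https.port=9443
nifi.security.keystore=/path/to/keystore.jks
nifi.security.keystoreType=JKS
nifi.security.keystorePasswd=keystorepassword
nifi.security.keyPasswd=otherpassword
nifi.security.truststore=/path/to/truststore.jks
nifi.security.truststore=./nifi-truststore.jks
nifi.security.truststoreType=JKS
nifi.security.truststorePasswd=
"""

def parse_properties(text):
    """Parse key=value lines; a repeated key keeps its last value, as Java does."""
    props, keys = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        keys.append(key.strip())
        props[key.strip()] = value.strip()
    return props, keys

def lint_tls(text):
    """Return findings as strings; an empty list means the TLS section is consistent."""
    props, keys = parse_properties(text)
    findings = [f"duplicate key {k}: last value '{props[k]}' wins"
                for k, n in Counter(keys).items() if n > 1]
    if props.get("nifi.web.https.port") and props.get("nifi.web.http.port"):
        findings.append("nifi.web.http.port is set: leave it empty when HTTPS is enabled")
    key_pw = props.get("nifi.security.keyPasswd", "")
    if key_pw and key_pw != props.get("nifi.security.keystorePasswd", ""):
        findings.append("nifi.security.keyPasswd differs from nifi.security.keystorePasswd")
    for store in ("keystore", "truststore"):
        if not props.get(f"nifi.security.{store}"):
            findings.append(f"nifi.security.{store} is not set")
        if not props.get(f"nifi.security.{store}Passwd"):
            findings.append(f"nifi.security.{store}Passwd is empty")
    return findings
```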
