@Srini K Based on above comment, it looks like you merged the public key for your private key entries which is not what you shodul have done. - The new truststore you are trying to generate should contain 2 entries Your keystore contains 2 entry Alias name: nifi-cert1 Creation date: May 17, 2018 Entry type: trustedCertEntry Owner: CN=hdfnifidev04.medassurant.local, OU=NIFI Issuer: CN=hdfnifidev04.medassurant.local, OU=NIFI Serial number: 16350a94aa200000000 Valid from: Fri May 11 15:24:22 EDT 2018 until: Mon May 10 15:24:22 EDT 2021 Certificate fingerprints: MD5: A9:BA:53:66:C3:E0:71:EA:94:F0:E2:70:40:F7:B1:58 SHA1: 3C:48:FA:D4:13:C9:CB:6C:D0:74:08:89:32:9B:A3:B9:86:87:0E:49 SHA256: B0:24:27:C3:CA:BB:5F:E7:F7:10:45:62:0E:FC:02:2E:11:08:E8:EA:AA:EB:97:89:B3:63:D9:BF:E7:64:A2:5F Signature algorithm name: SHA256withRSA Version: 3 ..... Alias name: nifi-cert2 Creation date: May 17, 2018 Entry type: trustedCertEntry Owner: CN=rsdevhdf3.medassurant.local, OU=NIFI Issuer: CN=rsdevhdf3.medassurant.local, OU=NIFI Serial number: 162c0b11dfb00000000 Valid from: Fri Apr 13 16:27:35 EDT 2018 until: Mon Apr 12 16:27:35 EDT 2021 Certificate fingerprints: MD5: 0B:E6:9B:74:F3:44:97:93:C6:B6:F7:C2:8D:C4:43:14 SHA1: E0:3F:B4:96:9A:4C:2B:94:AF:85:0D:DA:70:B5:40:B0:AD:B3:9D:4A SHA256: D1:B0:3B:CE:F1:2F:DA:C0:53:49:B9:21:A4:A2:A0:B8:7D:75:78:A1:8C:9E:3A:2B:D0:92:7B:05:66:FE:9E:EF Signature algorithm name: SHA256withRSA Subject Public Key Algorithm: 2048-bit RSA key Version: 3 ...... This new truststore.jks file would need to be copied to both NiFi instance. It would replace the existing truststore.jks being used by those clusters. - Guessing you have used Ambari to install these NiFi instances? **** DO NOT check the box for "NiFi CA Force Regenerate?" <--- Doing so will trigger Ambari to archive the existing keystore.jks and truststore,jks files an run the toolkit to regenerate all new of both. - Note: The NiFi CA (nifi TLS toolkit) was never designed to be used in a production environment. It was designed to facilitate an easy way for users to quickly standup a secured NiFi for testing purposes. - Yes, a NiFi restart will be needed so that NiFi reads the new truststore.jks file you dropped on each NiFi instance. - You do not need to do anything with the keystore.jks files being used by each of your NiFi instances. - Thank you, Matt ... View more

@Srini K *** Forum tip: try to avoid responding to an existing answer by starting a new answer. Response may end up being in no specific logical order and become hard to follow. Instead respond to an existing answer by clicking "Add comment" on an existing answer. - Looking at your provide keystore and truststore verbose output, TLS/SSL 2-way authentication is going to fail here. Each of your NiFi server's certificate were signed by different Certificate Authorities (CA). So NiFi-2 cannot trust the client cert being presented from NiFi-1 and NiFi-1 cannot trust the cert being presented from NiFi-2. - You will need to create a new truststore that contain both "trustedCertEntries" (So basically merging both your truststores together). Then configure both NiFi instance to use that new truststore. - Thank you, Matt ... View more

@Andrew Riffle If this is just a standalone NiFi installation, change the following property in the nifi.properties file to false: nifi.cluster.is.node=false Then restart your NiFi instance. - Thanks, Matt ... View more

@Takefumi OIDE Additional performance and best practice recommendations: https://community.hortonworks.com/articles/184990/dissecting-the-nifi-connection-heap-usage-and-perf.html https://community.hortonworks.com/articles/184786/hdfnifi-improving-the-performance-of-your-ui.html https://community.hortonworks.com/content/kbentry/109629/how-to-achieve-better-load-balancing-using-nifis-s.html - And just for knowledge relevant to NiFi Content handling: https://community.hortonworks.com/articles/82308/understanding-how-nifis-content-repository-archivi.html ... View more