06-13-2024 06:00 AM | 1 Kudo
@tcherian NiFi certificates must meet the following criteria:

1. No wildcards used in the subject DistinguishedName (DN)
2. Includes both clientAuth and serverAuth in the ExtendedKeyUsage (EKU)
3. Contains one or more SubjectAlternativeName (SAN) entries
4. Keystore can only contain 1 PrivateKey entry

There are many resources on the web for generating your own self-signed certificates and adding them to a PKCS12 or JKS keystore. The "keystore" and "truststore" are both just keystores. The NiFi "keystore" contains the PrivateKey entry which is used by NiFi to identify itself as the server (serverAuth) when connecting to it and as the client (clientAuth) when connecting outward as a client (such as talking to other NiFis, NiFi-Registry, etc). The NiFi "truststore" contains one to many TrustedCert entries. It is common to use the default Java cacerts file (which is just a JKS keystore) and add additional TrustedCert entries to it.

The TrustedCerts are the public certs that correspond to the PrivateKey that you should never share. The trusted certs are the signers of the private keys. There are intermediate and root trusted cert keys. An intermediate trust is one where the owner and signer are not the same DN. A root trust is one where the owner and signer are the same DN. So you might create a PrivateKey that is signed by an intermediate Certificate Authority (CA), and that intermediate CA would be signed by another intermediate CA or a root CA. The chain of signers between intermediate and root is known as the trust chain. The truststore needs to contain complete trust chains for your PrivateKey.

There are even free services out there like Tinycert, but you can also use openssl and keytool to generate self-signed certificates and import them into a keystore. Just google how to create a certificate and how to import a certificate into a keystore.

Please help our community thrive.
If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
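An added example, not from Matt's post or the NiFi project, showing the openssl side of what he describes: generate a self-signed certificate that meets the four criteria, export it into a PKCS12 keystore, and check a certificate against criteria 1 to 3 and the keystore against criterion 4. The hostnames, organization name, file paths and the "changeit" password are constructed placeholders; the keytool import into a JKS truststore is not shown.

```shell
#!/bin/sh
# Added example: self-signed NiFi node cert via openssl, checked against the
# four criteria in the post. Names, paths and password are placeholders.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# make_nifi_cert <name> <cn> <san_dns>: self-signed cert with SAN and both EKUs,
# exported into a PKCS12 keystore holding exactly one PrivateKey entry.
make_nifi_cert() {
    out="$WORK/$1"; cn="$2"; san="$3"
    cat > "$out.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_nifi
prompt = no
[dn]
CN = $cn
O = Example Org
[v3_nifi]
subjectAltName = DNS:$san
extendedKeyUsage = serverAuth, clientAuth
keyUsage = digitalSignature, keyEncipherment
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 -keyout "$out.key" \
        -out "$out.crt" -config "$out.cnf" 2>/dev/null
    openssl pkcs12 -export -inkey "$out.key" -in "$out.crt" -name nifi-key \
        -out "$out.p12" -passout pass:changeit
    echo "$out.crt"
}

# check_nifi_cert <cert.pem>: criteria 1-3 (no wildcard DN, serverAuth and
# clientAuth EKU, at least one SAN). Returns 0 on pass, 1 with a reason.
check_nifi_cert() {
    txt=$(openssl x509 -in "$1" -noout -text)
    subj=$(openssl x509 -in "$1" -noout -subject)
    case "$subj" in *'*'*) echo "wildcard in subject DN: $subj"; return 1;; esac
    echo "$txt" | grep -q 'TLS Web Server Authentication' || { echo "EKU lacks serverAuth"; return 1; }
    echo "$txt" | grep -q 'TLS Web Client Authentication' || { echo "EKU lacks clientAuth"; return 1; }
    echo "$txt" | grep -q 'DNS:' || { echo "no SubjectAlternativeName entry"; return 1; }
    echo "ok: $1"
}

# count_private_keys <keystore.p12>: criterion 4 requires this to be exactly 1.
count_private_keys() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin pass:changeit 2>/dev/null |
        grep -c 'BEGIN.*PRIVATE KEY'
}
```

The same checks can be run against a certificate you received from a CA by pointing check_nifi_cert at its PEM file.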