Member since 05-25-2018 | 3 Posts | 1 Kudos Received | 0 Solutions

Posted 11-19-2018 03:13 PM
@Max Musti A couple of things about your certificates:

The certificates must include 1 or more SubjectAlternativeNames (SAN) for security reasons. Since you are using a wildcard in the DN for the certificate owner, you should have a unique SAN entry for each server hostname that is using this certificate. You also must make sure that the certificates support being used for both "clientAuth" and "serverAuth". You often can see this called out in the verbose key output from keytool in the ExtendedKeyUsage section.

*** NiFi can act as both a client (such as when using Remote Process Groups or talking to NiFi-registry) and a server.

Alternatively and recommended, you could create a separate certificate for each of your servers (these will still require a SAN entry).

When it comes to NiFi talking to registry, the following must be successful:

1. A successful 2-way TLS handshake between NiFi and NiFi-registry. I think this may be where you are having an issue, specifically with your NiFi server(s) presenting a client cert to the NiFi-registry. (This is where the "clientAuth" extendedKeyUsage comes into the picture.)
2. The client server(s) must all be authorized for both "Read" on "Can Manage buckets" and "Can proxy user requests".

Hope this helps you get your issues resolved.

Thank you,
Matt
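The two certificate properties the answer above calls out (at least one SAN entry, and an ExtendedKeyUsage that covers both clientAuth and serverAuth) can be checked with the openssl CLI instead of keytool's verbose output. The script below is an added example and is not from the original post or from the NiFi project: it generates two constructed self-signed certificates (hostnames and file paths are made-up placeholders), one that meets both requirements and one wildcard-CN certificate that meets neither, and then decodes each with `openssl x509 -text` and greps the extension blocks. It assumes OpenSSL 1.1.1 or newer for `-addext`.

```shell
#!/bin/sh
# Added example (not from the original post): build two constructed certs and
# check them the way the answer describes, i.e. at least one DNS SAN entry and
# an ExtendedKeyUsage listing both clientAuth and serverAuth.
# Hostnames and paths below are placeholders, not real infrastructure.
set -e

WORK="$(mktemp -d)"

# Constructed "good" cert: explicit SAN entry for the node plus both EKUs,
# which is what a NiFi node needs when it acts as server and as client.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=nifi-node1.example.com" \
  -addext "subjectAltName=DNS:nifi-node1.example.com" \
  -addext "extendedKeyUsage=clientAuth,serverAuth" \
  -keyout "$WORK/good.key" -out "$WORK/good.pem" 2>/dev/null

# Constructed "bad" cert: wildcard CN only, no SAN, serverAuth only.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=*.example.com" \
  -addext "extendedKeyUsage=serverAuth" \
  -keyout "$WORK/bad.key" -out "$WORK/bad.pem" 2>/dev/null

# Decode the certificate; this is the openssl counterpart of keytool's
# verbose listing, with SAN and Extended Key Usage shown as text blocks.
cert_text() { openssl x509 -in "$1" -noout -text; }

# Returns 0 if the cert carries at least one DNS entry in its SAN extension.
has_san() {
  cert_text "$1" | grep -A1 'Subject Alternative Name' | grep -q 'DNS:'
}

# Returns 0 if the EKU block lists both client and server authentication
# (openssl prints clientAuth/serverAuth under these long names).
has_both_eku() {
  eku="$(cert_text "$1" | grep -A1 'Extended Key Usage' | tail -n 1)"
  echo "$eku" | grep -q 'TLS Web Client Authentication' &&
    echo "$eku" | grep -q 'TLS Web Server Authentication'
}

# Combined check: prints a verdict per problem and returns non-zero on failure.
check_nifi_cert() {
  ok=0
  has_san "$1" || { echo "$1: missing SubjectAlternativeName entry"; ok=1; }
  has_both_eku "$1" || { echo "$1: extendedKeyUsage must include clientAuth and serverAuth"; ok=1; }
  [ "$ok" -eq 0 ] && echo "$1: OK"
  return "$ok"
}

check_nifi_cert "$WORK/good.pem"
check_nifi_cert "$WORK/bad.pem" || true
```

Point `check_nifi_cert` at an existing PEM file (export it from the keystore first if it lives in a JKS or PKCS12) to get the same verdict for a real node certificate; a wildcard-CN certificate shared across nodes still has to list every node's hostname as a separate `DNS:` SAN entry for the check to mean anything.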