Hi @MattWho , Sorry for the delayed response as I was off work for last few days. Thanks for sharing the keytool command to check all the details you had asked to check in your first response. Below are the findings after running the command for the configured keystore and truststore in NiFi: For NiFi's keystore (configured in nifi.properties file), make sure the following are correct: 1. keystore contains 1 and only 1 PrivateKeyEntry --> That's true. 2. Make sure the PrivateKeyEntry ExtendedKeyUsage (EKU) contains clientAuth and serverAuth --> That's true 3. Make sure that the PrivateKeyEntry contains a SAN entry that matches the hostname of the host where NiFi is running. --> That's true. For the user certificate loaded in the browser being used to authenticate with this NiFi: 1. verify certificate issuer. Is it an intermediate CA or the root CA? --> We have one IssuingCA and another root CA. We had combined them to form one certificate and then follow steps in the NiFi documentation. 2. Verify the NiFi's truststore.jks (configured in nifi.properties file) contains a TrustedCertEntry for the complete trust chain that goes with your certificate and the certificate found in the keystore.jks. A complete trust chain means that the truststore has the public keys for the issuer of each of the above certificates and if that issuer is and intermediate CA, you also have the public certificate for the CA that signed that intermediate CA in the truststore. You'll know when you have reached the root CA when the TrustedCertEntry has the same DN for both owner and issuer. --> NiFi's Truststore contains a TrustedCertEntry and the TrustedCertEntry has the same DN for both owner and issuer. I cleared browser cache and site cookies but still same issue. I even tried "thisisunsafe" trick in chrome, but it's reloading the page with same issue. Thanks, Sandip
... View more
