[
https://issues.apache.org/jira/browse/MINIFICPP-1422?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Marton Szasz resolved MINIFICPP-1422.
-------------------------------------
Resolution: Fixed
> MiNiFi should be able to get certs from the Openssl truststore on Linux
> -----------------------------------------------------------------------
>
> Key: MINIFICPP-1422
> URL: https://issues.apache.org/jira/browse/MINIFICPP-1422
> Project: Apache NiFi MiNiFi C++
> Issue Type: New Feature
> Reporter: Ferenc Gerlits
> Priority: Minor
>
> MiNiFi is able to read the server and client certificates necessary to
> connect to the C2 server from the Windows truststore (MINIFICPP-1401), but
> this does not work on Linux.
> On Linux, the natural way would be to use OpenSSL's own truststore.
> The server certificate works, to some degree: if {{server-cert.pem}} is the
> server certificate, then you can install it like this:
> {noformat}
> $ cd ${OPENSSL_CACERT_DIR}
> $ cp /path/to/server-cert.pem ./
> $ CERTIFICATE_HASH=`openssl x509 -noout -hash -in server-cert.pem`
> $ ln -s server-cert.pem ${CERTIFICATE_HASH}.0
> $ chmod 755 ${OPENSSL_CACERT_DIR}
> $ chmod 600 ${OPENSSL_CACERT_DIR}/server-cert.pem
> {noformat}
> After this, if you unset {{nifi.security.client.ca.certificate}} and set
> {{nifi.security.use.system.cert.store=true}}, then MiNiFi will read the
> server certificate from {{OPENSSL_CACERT_DIR}}.
> But the default {{OPENSSL_CACERT_DIR}} depends on where MiNiFi was compiled,
> e.g. it could be
> {{/home/myuser/src/minifi/build/thirdparty/libressl-install/etc/ssl/certs}},
> which is not nice. The default location should be changed to something more
> sensible, and there needs to be a way to override it.
> I don't know how to add the client certificate + key to the OpenSSL
> truststore, so that will need to be investigated.
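The install steps quoted in the issue depend on the `<hash>.0` link name matching the certificate's subject hash, so a stale or mistyped link silently drops the certificate from the trust directory. The following is an added example, not code from the issue or from MiNiFi: a check that audits such a directory. The function name `audit_cacert_dir` is hypothetical, and it assumes the `openssl` CLI and a `readlink` that supports `-f`.

```shell
#!/bin/sh
# Added example (not MiNiFi code): audit an OpenSSL hashed CA directory.
# Prints one finding per line; exit status is non-zero if anything was found.
audit_cacert_dir() (
    dir=$1
    findings=0
    nl='
'
    linked=$nl      # newline-delimited real paths reachable via a correct hash link

    # Pass 1: each <8 hex digits>.<n> entry must equal its target's subject hash.
    for f in "$dir"/*; do
        name=${f##*/}
        case $name in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) ;;
            *) continue ;;
        esac
        case ${name#*.} in *[!0-9]*) continue ;; esac   # suffix must be numeric
        if ! got=$(openssl x509 -noout -hash -in "$f" 2>/dev/null); then
            echo "UNREADABLE $name"       # dangling link or not a certificate
            findings=$((findings + 1))
        elif [ "$got" != "${name%%.*}" ]; then
            echo "MISMATCH $name (subject hash is $got)"
            findings=$((findings + 1))
        else
            linked=$linked$(readlink -f "$f")$nl
        fi
    done

    # Pass 2: a certificate file with no correct hash link is invisible to lookup.
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        openssl x509 -noout -in "$f" >/dev/null 2>&1 || continue
        real=$(readlink -f "$f")
        case $linked in
            *"$nl$real$nl"*) ;;
            *) echo "UNLINKED ${f##*/}"; findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
)
```

Run it as `audit_cacert_dir "${OPENSSL_CACERT_DIR}"` after installing or rotating a certificate; an empty output with exit status 0 means every certificate file has a matching hash link.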