Chris Sampson created NIFI-10929: ------------------------------------ Summary: NiFi generated certificates (e.g. Single User, or nifi-toolkit) are not compatible with OpenSSL 3.x+ Key: NIFI-10929 URL: https://issues.apache.org/jira/browse/NIFI-10929 Project: Apache NiFi Issue Type: Bug Affects Versions: 1.19.0 Reporter: Chris Sampson
The certificates (keystore, truststore) generated by NiFi are not compatible with OpenSSL 3+ because they are created using old/insecure algorithms. When starting NiFi 1.19.0 (using the {{apache/nifi}} Docker image) and confguring a single-user auth, which is the default for NiFi, the generated {{truststore.p12}} and {{keystore.p12}} cannot be decrypted (e.g. to extract the public cert/private key into PEM format files so they can be used with {{curl}}) using the OpenSSL version present within the Docker Image. {quote} OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022) {quote} Attempted command: {code:bash} openssl pkcs12 -in "truststore.p12" -out "nifi-cert.pem" -cacerts -nokeys -password "pass:${TRUSTSTORE_PASSWORD}" {code} Error: {quote} 4047C0AF997F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties () {quote} This can be worked around by adding the {{-legacy}} flag to the {{openssl}} command (see [this Stack Overflow answer|https://stackoverflow.com/a/72600724]). Using the command suggested from teh linked article, we see that the NiFi generated truststure uses: {quote} PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 51200 {quote} -- This message was sent by Atlassian Jira (v8.20.10#820010)