I am a far cry from a cert pro, but it looks like the results are what I would anticipate given your reuse of nifi_server.key.pem in your JKS. I don't think you are far away from your intended setup and should be able to create another "user" cert for your minifi instance(s), as you had for your User Cert, that would uniquely identify it/them.
Additionally, if you are just doing self-signed certificates, you could additionally consider the NiFi TLS Toolkit (http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#tls-generation-toolkit) which can help facilitate this process as well.

On Thu, Oct 19, 2017 at 6:00 PM, Michael Nacey <[email protected]> wrote:

> Hi,
>
> We have been working on securing our nifi/minifi setup, and we have been
> marginally successful, but there are a few things I can't seem to figure
> out. For our setup we have:
>
> CA: created in openssl, intermediate issuer created as well; chain cert
> created
> NIFI Cert: issued by the intermediate
> User Cert: issued by the intermediate (CN=admin)
>
> NIFI
> =======
> Keystore: nifi_server.key.pem
> Truststore: ca-chain.cert.pem, admin.cert.pem, nifi_server.cert.pem
>
> With this setup, secure cert based browser connection to NIFI works like a
> champ using the "admin" identity. I can create an S2S connection to my own
> NIFI, and I notice it uses the 'nifi_server' identity to authenticate.
>
> MINIFI
> ========
> Keystore: nifi_server.key.pem
> Truststore: ca-chain.cert.pem, admin.cert.pem, nifi_server.cert.pem
>
> With this setup, MINIFI will connect securely to NIFI, again using the
> 'nifi_server' identity. This is not really desirable, since I would want
> MINIFI to connect using the "admin" identity (or in real life, one specific
> to that instance of MINIFI).
>
> Any ideas how to accomplish this? Am I doing something wrong? I'm kind of
> new to the Java keystore stuff.
>
> Thanks
>
> --
> “Try to never run out of smokes, ammo, and luck all at the same time. But
> remember, if you have ammo, you can always get more smokes, and make your
> own luck.” G.K. Shirpa
>
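
The suggestion in the reply above (a separate certificate for each MiNiFi instance), sketched as an added example that is not part of the original thread. It shows that the identity presented is the subject of the key entry in the keystore, not anything in the truststore. The throwaway CA, the instance name `minifi-1`, the password `changeit` and the function name are constructed placeholders.

```shell
#!/bin/sh
# Added example: the CA below is a constructed throwaway standing in for the
# thread's intermediate CA; names and the password are placeholders.
issue_minifi_identity() {
    cn="$1"      # instance name, becomes the certificate CN
    outdir="$2"  # directory that receives the generated files
    mkdir -p "$outdir" || return 1
    (
        cd "$outdir" || exit 1
        # Constructed test CA (in the real setup: the existing intermediate).
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Constructed Test CA" \
            -keyout ca.key.pem -out ca.cert.pem 2>/dev/null || exit 1
        # Fresh private key and CSR for this MiNiFi instance only;
        # nifi_server.key.pem is not reused.
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
            -keyout "$cn.key.pem" -out "$cn.csr.pem" 2>/dev/null || exit 1
        # Sign it as a TLS client certificate.
        printf 'extendedKeyUsage=clientAuth\n' > ext.cnf
        openssl x509 -req -in "$cn.csr.pem" -CA ca.cert.pem -CAkey ca.key.pem \
            -CAcreateserial -days 1 -extfile ext.cnf \
            -out "$cn.cert.pem" 2>/dev/null || exit 1
        openssl verify -CAfile ca.cert.pem "$cn.cert.pem" >/dev/null 2>&1 || exit 1
        # Keystore material: this instance's key plus its own certificate.
        openssl pkcs12 -export -name "$cn" -inkey "$cn.key.pem" \
            -in "$cn.cert.pem" -certfile ca.cert.pem \
            -passout pass:changeit -out "$cn.p12" || exit 1
        # The subject of the keystore's key entry is the identity the peer sees.
        openssl pkcs12 -in "$cn.p12" -passin pass:changeit -nokeys -clcerts \
            2>/dev/null | openssl x509 -noout -subject -nameopt RFC2253
    )
}

# To get a JKS file as in the thread, convert the PKCS12 bundle:
#   keytool -importkeystore -srckeystore minifi-1.p12 -srcstoretype PKCS12 \
#           -destkeystore minifi-1.jks -deststoretype JKS
```

With a keystore built this way, the MiNiFi truststore only needs the CA chain. The new subject DN then has to exist as a user on the NiFi side with the site-to-site policies it requires.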
