Thanks. I got it. The key was to get the correct key in the keystore. I just imported the PKCS12 file into the keystore and all is well.
Sent from my iPhone

> On Oct 20, 2017, at 9:23 AM, Aldrin Piri <[email protected]> wrote:
>
> I am a far cry from a cert pro, but it looks like the results are what I
> would anticipate given your reuse of nifi_server.key.pem in your JKS. I
> don't think you are far away from your intended setup and should be able to
> create another "user" cert for your minifi instance(s), as you had for your
> User Cert, that would uniquely identify it/them.
>
> Additionally, if you are just doing self signed certificates, you could
> additionally consider the NiFi TLS Toolkit
> (http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#tls-generation-toolkit)
> which can help facilitate this process as well.
>
>> On Thu, Oct 19, 2017 at 6:00 PM, Michael Nacey <[email protected]> wrote:
>> Hi,
>>
>> We have been working on securing our nifi/minifi setup, and we have been
>> marginally successful, but there are a few things I can't seem to figure
>> out. For our setup we have:
>>
>> CA: created in openssl, intermediate issuer created as well; chain cert
>> created
>> NIFI Cert: issued by the intermediate
>> User Cert: issued by the intermediate (CN=admin)
>>
>> NIFI
>> =======
>> Keystore: nifi_server.key.pem
>> Truststore: ca-chain.cert.pem, admin.cert.pem, nifi_server.cert.pem
>>
>> With this setup, secure cert based browser connection to NIFI works like a
>> champ using the "admin" identity. I can create an S2S connection to my own
>> NIFI, and I notice it uses the 'nifi_server' identity to authenticate.
>>
>> MINIFI
>> ========
>> Keystore: nifi_server.key.pem
>> Truststore: ca-chain.cert.pem, admin.cert.pem, nifi_server.cert.pem
>>
>> With this setup, MINIFI will connect securely to NIFI, again using the
>> 'nifi_server' identity. This is not really desirable, since I would want
>> MINIFI to connect using the "admin" identity (or in real life, one specific
>> to that instance of MINIFI).
>>
>> Any ideas how to accomplish this? Am I doing something wrong? I'm kind of
>> new to the Java keystore stuff.
>>
>> Thanks
>>
>> --
>> “Try to never run out of smokes, ammo, and luck all at the same time. But
>> remember, if you have ammo, you can always get more smokes, and make your
>> own luck.” G.K. Shirpa
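
The approach this thread settles on (a dedicated key and certificate per MiNiFi instance, bundled as PKCS12 for the keystore) is sketched below as an added example; it is not part of the original messages. The throwaway CA, the CN `minifi-01`, the temporary paths, and the password `changeit` are all constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example. The CA, CN, paths and password are constructed placeholders.
set -eu

# Issue a dedicated key pair and certificate for one MiNiFi instance.
issue_identity() {   # usage: issue_identity <cn> <dir> <p12-password>
  cn="$1"; dir="$2"; pass="$3"
  mkdir -p "$dir"
  # Throwaway CA standing in for the thread's intermediate issuer.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Issuing CA" \
    -keyout "$dir/ca.key.pem" -out "$dir/ca.cert.pem" 2>/dev/null
  # New private key for this instance instead of reusing nifi_server.key.pem.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$dir/$cn.key.pem" -out "$dir/$cn.csr.pem" 2>/dev/null
  openssl x509 -req -in "$dir/$cn.csr.pem" -days 30 -CAcreateserial \
    -CA "$dir/ca.cert.pem" -CAkey "$dir/ca.key.pem" -out "$dir/$cn.cert.pem" 2>/dev/null
  # Bundle key + certificate + issuer so the keystore entry carries the right key.
  openssl pkcs12 -export -name "$cn" -inkey "$dir/$cn.key.pem" -in "$dir/$cn.cert.pem" \
    -certfile "$dir/ca.cert.pem" -passout "pass:$pass" -out "$dir/$cn.p12"
}

# Print the subject DN that the PKCS12 entry presents as the client identity.
p12_subject() {      # usage: p12_subject <file.p12> <password>
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Succeed only if the private key and the certificate share the same public key.
key_matches_cert() { # usage: key_matches_cert <key.pem> <cert.pem>
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

demo() {
  d="$(mktemp -d)"
  issue_identity minifi-01 "$d" changeit
  echo "identity: $(p12_subject "$d/minifi-01.p12" changeit)"
  key_matches_cert "$d/minifi-01.key.pem" "$d/minifi-01.cert.pem" && echo "key matches cert"
  # If a JDK is installed, import the PKCS12 into a JKS keystore as in the thread.
  if command -v keytool >/dev/null 2>&1; then
    keytool -importkeystore -noprompt -srckeystore "$d/minifi-01.p12" -srcstoretype PKCS12 \
      -srcstorepass changeit -destkeystore "$d/keystore.jks" -deststoretype JKS \
      -deststorepass changeit >/dev/null 2>&1 || echo "keytool import failed" >&2
  fi
  rm -rf "$d"
}
demo
```

Running `p12_subject` against the bundle before deploying it shows which identity NiFi will see for that instance, and `key_matches_cert` catches a keystore built from the wrong private key.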
