The client has only the keys of the RootCA and Intermediate CA. Trust store has an externally signed certificate (public Root CA) The nifi server currently has an externally signed certificate and private key (to the best of my abilities, that is the case) They have authorized me one certificate for my server. My company has a public Root CA and an Intermediate CA. Thank you for helping to add some identifiers to that. If I misunderstood your scenario or you've already tried this, please let me know. Please report back with the output of those steps and any additional information that may arise from what I've described. Use the openssl s_client command to attempt a connection using the certificates and key: $ openssl s_client -connect -debug -state -cert client.pem -key client.key -CAfile.If the r file does not contain that string, re-encode it as PEM: openssl x509 -inform der -in r -out client.pem.If the r file contains "-BEGIN PRIVATE KEY-", remove the private key block, and rename the file client.pem.Export the private certificate from the PKCS12 keystore: openssl pkcs12 -in client.p12 -nodes -nocerts -out client.key -password "pass:".Export the public certificate from the PKCS12 keystore: openssl pkcs12 -in client.p12 -out r -nodes -password "pass:".Convert the client keystore to individual PEM-encoded files (if not already):.You can verify that the TLS handshake negotiation works by following these steps:.A SAN must be present in the server certificate for modern browsers to verify the identity of the server (see RFC 6125).However, any version of NiFi can use externally-signed certificates, and in current Apache NiFi master, the toolkit can even accept externally-signed certificates in place of its own self-signed CA certificate to allow for chained trust. The TLS Toolkit is provided as a convenience tool for users who do not have a dedicated security/IT team or feel comfortable generating their own CA and certificates manually, and the toolkit does generate self-signed certs. NiFi does not need to use self-signed certificates at all.If your client certificates are still signed by the old, self-signed NiFi certificate, and NiFi's truststore no longer contains that certificate, the client certs will be rejected. The server truststore (nifi_trust.jks) must contain the exact certificate (or one in the chain that signed it) presented by the client.If you can copy the exact error message you get from NiFi's UI when browsing with the client certificate, that will be helpful.Keystore (or PEM files) containing public certificate & private key of client - client.p12.Truststore containing externally-signed certificate (nifi.pem) (and/or certificate of Root CA) - nifi_trust.jks.Keystore containing externally-signed certificate (nifi.pem) & private key - nifi.jks.Public certificate identifying the NiFi service signed by Root CA (and/or Intermediate CA) - nifi.pem.Issuing Authority (your company's intermediate CA?) - Intermediate CA.Root CA (your company's root certificate authority) - Root CA.Let's assign some identifiers so we're talking about the same components: I've spent too many hours trying to fix this and I'm at my wits end here. Is the problem that I don't have a SAN in the cert? the FQDN is there already. I've created the keystore and truststore about 100 times in multiple different configurations. I can't seem to find a way to utilize a non-self signed certificate. The browser has a certificate installed from the issuing agency and root CA and this works with other websites in the domain.Įvery example I seem to see around is stating that a self-signed certificate must be used for nifi when using ssl. When browsing to the site with the updated truststore and keystore jks files, it gives me an error that the client provided a bad cert. I then created a truststore that contains the trusted certs for my root authority and issuer. I created a keystore and imported my assigned certificate with private key. I'm trying to utilize a certificate signed by my root authority and issuing agency from my company. The self-signed cert works fine and I can put a client certificate at each browser to allow access. } catch ( have a server (windows 2012) running nifi. ("alias name: " + alias) Ĭertificate certificate = keystore.getCertificate(alias) String alias = enumeration.nextElement() Keystore.load(is, password.toCharArray()) Įnumeration enumeration = keystore.aliases() KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType()) InputStream is = new FileInputStream(file)
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |