
I have a remote 3-node secure NIFI server to which I want to send some data via a MINIFI C++ agent. I am trying to understand the mechanics of generating and signing certificates for MINIFI (client), but I am not able to find detailed documentation.

I see the below configs:

```properties
#nifi.security.need.ClientAuth=
#nifi.security.client.certificate=
#nifi.security.client.private.key=
#nifi.security.client.pass.phrase=
#nifi.security.client.ca.certificate=
```

but how do I generate a client.pem and sign it?

EDIT: This is what I tried to do (self-sign), but this fails with:

```
[2020-08-14 07:19:08.872] [org::apache::nifi::minifi::utils::HTTPClient] [error] curl_easy_perform() failed SSL connect error
[2020-08-14 07:19:08.872] [org::apache::nifi::minifi::RemoteProcessorGroupPort] [error] ProcessGroup::refreshRemoteSite2SiteInfo -- curl_easy_perform() failed 
```

```shell
cd $HOME
openssl req -new -newkey rsa:4096 -nodes -keyout machine.key -out machine.csr
openssl x509 -req -sha256 -days 365 -in machine.csr -signkey machine.key -out machine.pem
```

Downloaded the public certificate from the server into `$HOME/server.crt`.

```properties
nifi.security.need.ClientAuth=true
nifi.security.client.certificate=$HOME/machine.pem
nifi.security.client.private.key=$HOME/machine.key
nifi.security.client.pass.phrase=password
nifi.security.client.ca.certificate=$HOME/server.crt
```
irrelevantUser

1 Answer


There are many ways to generate an X.509 certificate and sign it (openssl, TinyCert, Let's Encrypt, NiFi TLS Toolkit, etc.). The important requirement is that the certificate is either explicitly trusted (the public certificate is imported into the NiFi truststore) or implicitly trusted (any of the public certificates in the signing chain are present in the NiFi truststore).

One approach is to follow the walkthrough for deploying a secure NiFi cluster and use the TLS Toolkit to generate a client keystore, then export the certificate and key from that keystore to PEM format using these commands.

Andy
  • How do I get the host of the NIFI CA? `tls-toolkit.sh client -h` ------> `-c,--certificateAuthorityHostname Hostname of NiFi Certificate Authority (default: localhost)` – irrelevantUser Aug 14 '20 at 07:38
  • This is determined by you; set it to whatever you want, but that certificate name will be used to sign any following "leaf" certificates. Either run a single command which generates all the certs, or continue running the individual commands in the same directory and it will reference the same CA cert to sign them. – Andy Aug 18 '20 at 23:54
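The trust requirement in Andy's answer, played out with openssl as an added example that is not part of the question or the answer: a throw-away CA (assumed name `demo-nifi-ca`, standing in for the NiFi CA the TLS Toolkit runs), a self-signed client certificate like the one in the question, a CA-signed one, and the keystore-to-PEM export step the answer mentions. All file names, subjects and the keystore password are constructed for the demo; the only requirement is that `openssl` is on PATH.

```shell
#!/usr/bin/env bash
# Added example, not code from the question or answer: build a throw-away CA
# with openssl, sign a MiNiFi client certificate with it, and show that a
# self-signed certificate fails chain verification while the CA-signed one
# passes. Assumes openssl is on PATH; file names and passwords are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"
# Stand-in for the NiFi CA that the TLS Toolkit would run.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=demo-nifi-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}
# Self-signed client cert: what the question's two openssl commands produce.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=minifi-selfsigned" \
    -keyout "$WORK/self.key" -out "$WORK/self.pem" 2>/dev/null
}
# CA-signed client cert: the CSR is signed with the CA key, so it chains to ca.pem.
make_ca_signed() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=minifi-client" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$WORK/client.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/client.pem" 2>/dev/null
}

# The check a truststore holding ca.pem performs: prints trusted/untrusted, status 0 only on success.
check_trust() {
  if openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted; return 1
  fi
}

# Round trip through a PKCS#12 keystore and back to PEM, the export step the
# answer describes for a toolkit-generated keystore.
export_pem_from_keystore() {
  openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.pem" \
    -certfile "$WORK/ca.pem" -passout pass:changeit -out "$WORK/client.p12"
  openssl pkcs12 -in "$WORK/client.p12" -passin pass:changeit -nokeys \
    -out "$WORK/exported-cert.pem" 2>/dev/null
  openssl pkcs12 -in "$WORK/client.p12" -passin pass:changeit -nocerts -nodes \
    -out "$WORK/exported-key.pem" 2>/dev/null
}

make_ca; make_self_signed; make_ca_signed
check_trust "$WORK/self.pem" || true   # untrusted: no path from self.pem to ca.pem
check_trust "$WORK/client.pem"         # trusted
export_pem_from_keystore
```

The NiFi side only ever sees the `trusted` outcome if `ca.pem` (or another certificate in the signing chain) is in its truststore; pointing the agent at a self-signed `machine.pem` gives the `untrusted` path, which the server rejects during the TLS handshake.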