Securing minifi c++ agent against remote NIFI

Question

I have a remote 3 node secure NIFI server to which I want to send some data via MINIFI C++ agent. I am trying to understand the mechanics of generating and signing certificates for MINIFI (client) but I am not able to find detailed documentation.

I see the below configs:

#nifi.security.need.ClientAuth=
#nifi.security.client.certificate=
#nifi.security.client.private.key=
#nifi.security.client.pass.phrase=
#nifi.security.client.ca.certificate=

but how do I generate a client.pem and sign it?

EDIT: This is what I tried to do (self-sign), but this fails with:

[2020-08-14 07:19:08.872] [org::apache::nifi::minifi::utils::HTTPClient] [error] curl_easy_perform() failed SSL connect error

[2020-08-14 07:19:08.872] [org::apache::nifi::minifi::RemoteProcessorGroupPort] [error] ProcessGroup::refreshRemoteSite2SiteInfo -- curl_easy_perform() failed 

cd $HOME
openssl req -new -newkey rsa:4096 -nodes -keyout machine.key -out machine.csr
openssl x509 -req -sha256 -days 365 -in machine.csr -signkey machine.key -out machine.pem

###
Downloaded the public certificate from the server into ---> $HOME/server.crt


nifi.security.need.ClientAuth=true
nifi.security.client.certificate=$HOME/machine.pem
nifi.security.client.private.key=$HOME/machine.key
nifi.security.client.pass.phrase=password
nifi.security.client.ca.certificate=$HOME/server.crt

Answer 1

There are many ways to generate an X.509 certificate and sign it (openssl, TinyCert, Let's Encrypt, NiFi TLS Toolkit, etc.). The important requirement is that the certificate is either explicitly trusted (the public certificate is imported into the NiFi truststore) or implicitly trusted (any of the public certificates in the signing chain are present in the NiFi truststore).

One approach is to follow the walkthrough for deploying a secure NiFi cluster and use the TLS Toolkit to generate a client keystore, then export the certificate and key from that keystore to PEM format using these commands.