Example NiFi SSL Configuration

This page demonstrates how to generate your own custom certificate authority (CA), and create a NiFi server certificate that is signed by that CA.

Create a Custom Certificate Authority

If you are deploying a NiFi instance for testing purposes, you might use self-signed certificates.

To create your own certificate authority (CA):

  1. Generate a private key for the custom CA.

    openssl genpkey -algorithm RSA -out ca.key
  2. Generate a certificate signing request.

    openssl req -new -key ca.key -out ca.csr
  3. Generate the (self-signed) CA certificate.

    openssl x509 -req -days 365 -in ca.csr -key ca.key -out cacert.crt

    You now have the private key (ca.key) and CA certificate (cacert.crt) in PEM format.

Create a Server Certificate for a NiFi Node

The following steps demonstrate how to generate a keystore for a NiFi node.

  1. On the NiFi server, generate a private key for this node.

    openssl genpkey -algorithm RSA -out private.key
  2. Generate a certificate signing request.

    openssl req -new -key private.key -out request.csr

    NOTE: When you provide the details for the CSR, you will be asked for a common name (CN). Ensure that you enter the fully qualified domain name of the server (for example nifi3.example.com).

  3. On the machine where you created your custom certificate authority, use the CSR and generate the certificate.

    openssl x509 -req -days 365 -in request.csr -CA cacert.crt -CAkey ca.key -out nifi-server.crt

    In this command:

    • request.csr is the certificate signing request (CSR) from the NiFi node.
    • cacert.crt is the certificate of your custom CA.
    • ca.key is the private key of your custom CA.
    • nifi-server.crt is the SSL certificate that is generated for the NiFi node. Because it is signed by your custom CA, it will be trusted by any client that trusts that CA.

    These files are all in PEM format.

  4. Return to the NiFi server and combine the node's private key and certificate into a PKCS #12 keystore. The export password you enter at the prompt is the value you will later set as nifi.security.keystorePasswd:

    openssl pkcs12 -export -inkey private.key -in nifi-server.crt -out nifi-keystore.p12
  5. You now have everything you need to configure SSL for the NiFi node. Copy nifi-keystore.p12 and the CA certificate (cacert.crt) to a suitable location and configure the relevant settings in nifi.properties.

    nifi.security.keystore=./conf/nifi-keystore.p12
    nifi.security.keystore.certificate=
    nifi.security.keystore.privateKey=
    nifi.security.keystoreType=PKCS12
    nifi.security.keystorePasswd=changeit
    nifi.security.keyPasswd=
    nifi.security.truststore=
    nifi.security.truststore.certificate=./conf/cacert.crt
    nifi.security.truststoreType=PEM
    nifi.security.truststorePasswd=
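The two procedures above, run end to end as one non-interactive script with the checks worth making before the files are copied to the node. This is an added example, not part of the NiFi documentation: it assumes OpenSSL 1.1.1 or 3.x on PATH, a scratch directory in WORK, the hostname nifi3.example.com and the keystore password changeit from the page, and it adds two extensions the manual commands above do not set (CA:TRUE on the CA certificate and a subjectAltName on the node certificate), because TLS clients match the hostname against the SAN rather than the CN.

```shell
#!/bin/sh
# Added example (not from the NiFi documentation): the page's CA and node-certificate
# procedure as one script, followed by the checks a practitioner would run on the output.
# Assumptions: OpenSSL 1.1.1 or 3.x on PATH; $WORK is a scratch directory; the FQDN and
# keystore password default to the values used on the page.
set -eu

WORK="${WORK:-$(mktemp -d)}"                    # scratch directory (assumption)
NODE_FQDN="${NODE_FQDN:-nifi3.example.com}"     # from the page's CN note
KEYSTORE_PASS="${KEYSTORE_PASS:-changeit}"      # must equal nifi.security.keystorePasswd

# Steps 1-3 of "Create a Custom Certificate Authority". -subj suppresses the prompts;
# -signkey is the self-sign option both 1.1.1 and 3.x accept. basicConstraints CA:TRUE
# is added so that clients accept cacert.crt as an issuer.
make_ca() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/ca.key" 2>/dev/null
  openssl req -new -key "$WORK/ca.key" -subj "/CN=Example Custom CA" -out "$WORK/ca.csr"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
  openssl x509 -req -days 365 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/cacert.crt" 2>/dev/null
}

# Steps 1-4 of "Create a Server Certificate for a NiFi Node". -CAcreateserial keeps the
# serial file OpenSSL 1.1.1 requires (3.x accepts it too); the SAN carries the FQDN.
make_server_cert() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/private.key" 2>/dev/null
  openssl req -new -key "$WORK/private.key" -subj "/CN=$NODE_FQDN" -out "$WORK/request.csr"
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$NODE_FQDN" >"$WORK/server.ext"
  openssl x509 -req -days 365 -in "$WORK/request.csr" -CA "$WORK/cacert.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/server.ext" -out "$WORK/nifi-server.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/private.key" -in "$WORK/nifi-server.crt" \
    -name nifi-node -passout "pass:$KEYSTORE_PASS" -out "$WORK/nifi-keystore.p12"
}

# Check 1: the node certificate chains to the custom CA, which is what every client evaluates.
verify_chain() {
  openssl verify -CAfile "$WORK/cacert.crt" "$WORK/nifi-server.crt" >/dev/null
}

# Check 2: the SAN contains the node's FQDN, so hostname verification will succeed.
cert_has_san() {
  openssl x509 -in "$WORK/nifi-server.crt" -noout -text | grep -q "DNS:$NODE_FQDN"
}

# Check 3: the CA certificate is actually marked as a CA.
ca_is_ca() {
  openssl x509 -in "$WORK/cacert.crt" -noout -text | grep -q 'CA:TRUE'
}

# Check 4: the PKCS #12 keystore opens with the password NiFi will be configured with.
keystore_opens() {
  openssl pkcs12 -in "$WORK/nifi-keystore.p12" -nokeys -passin "pass:$KEYSTORE_PASS" >/dev/null 2>&1
}

# The page's nifi.properties fragment, pointing at the files this script wrote.
print_nifi_properties() {
  printf 'nifi.security.keystore=%s\n' "$WORK/nifi-keystore.p12"
  printf 'nifi.security.keystoreType=PKCS12\n'
  printf 'nifi.security.keystorePasswd=%s\n' "$KEYSTORE_PASS"
  printf 'nifi.security.truststore.certificate=%s\n' "$WORK/cacert.crt"
  printf 'nifi.security.truststoreType=PEM\n'
}

main() {
  make_ca
  make_server_cert
  verify_chain
  cert_has_san
  ca_is_ca
  keystore_opens
  print_nifi_properties
  echo "OK: files written to $WORK"
}

main
```

Run it once, copy nifi-keystore.p12 and cacert.crt from the directory it prints into ./conf on the node, and paste the printed properties into nifi.properties with the paths adjusted. If any of the four checks fails the script stops before printing the properties, which is the point: a keystore that does not open with the configured password or a certificate without the right SAN is caught here rather than at NiFi startup or at the first client connection.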