@alopresto
Created November 23, 2016 03:23
Commonly used certificate and keystore commands for verifying Apache NiFi API/UI TLS MA connections.

Certificate and key commands

1. Verify connection:

$ openssl s_client -connect <host:port> -debug -state -cert <path_to_your_cert.pem> -key <path_to_your_key.pem> -CAfile <path_to_your_CA_cert.pem>

2. Export client cert from PKCS12 keystore to PEM:

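$ openssl pkcs12 -in "CN=<something_you_typed>_OU=Apache NiFi.p12" -clcerts -nokeys -out client-bag.pem # pkcs12 writes PEM, not DER; the file name is quoted because it contains a space
$ openssl x509 -in client-bag.pem -out client.pem # drops the bag attributes and keeps only the certificate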

3. Export client private key from PKCS12 keystore to PEM:

$ openssl pkcs12 -in "CN=<something_you_typed>_OU=Apache NiFi.p12" -nodes -nocerts -out client.key # -nodes leaves the key unencrypted on disk

4. Export server cert from JKS keystore to PEM:

$ keytool -export -alias <your_alias> -file nifi.der -keystore <keystore.jks>
$ openssl x509 -inform der -in nifi.der -out nifi.pem
$ openssl x509 -in nifi.pem -text -noout # displays the cert
$ more nifi.pem # displays the cert in Base64

5. Export server private key from JKS keystore to PEM:

$ keytool -importkeystore -srckeystore <keystore.jks> -destkeystore keystore.p12 -deststoretype PKCS12
$ openssl pkcs12 -in keystore.p12 -nodes -nocerts -out nifi.key

6. Export CA cert from JKS keystore to PEM:

$ keytool -export -alias <your_alias> -file ca.der -keystore <truststore.jks>
$ openssl x509 -inform der -in ca.der -out ca.pem
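
Before running the connection test in step 1, it helps to confirm that the files exported in steps 2, 3 and 6 belong together. The script below is an added example, not part of the original gist: `check_tls_material` and `make_demo_pki` are hypothetical names, and the demo PKI is constructed throwaway data.

```shell
#!/bin/sh
# Added example (not from the original gist). Function names are hypothetical.

# Exit codes: 0 = key matches cert and cert chains to the CA,
#             1 = private key does not match the certificate,
#             2 = certificate does not verify against the CA file,
#             3 = a file could not be parsed.
check_tls_material() {
  ctm_cert=$1 ctm_key=$2 ctm_ca=$3
  # Both commands print the same PEM public key when cert and key are a pair.
  ctm_cert_pub=$(openssl x509 -in "$ctm_cert" -noout -pubkey 2>/dev/null) || return 3
  ctm_key_pub=$(openssl pkey -in "$ctm_key" -pubout 2>/dev/null) || return 3
  [ "$ctm_cert_pub" = "$ctm_key_pub" ] || return 1
  # Match the "<file>: OK" line instead of trusting the exit status alone.
  openssl verify -CAfile "$ctm_ca" "$ctm_cert" 2>/dev/null | grep -q ': OK$' || return 2
  return 0
}

# Constructed sample input: a throwaway CA, a client cert signed by it,
# and an unrelated self-signed CA with its own key. $1 = writable directory.
make_demo_pki() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client/OU=Apache NiFi" \
    -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/client.pem" 2>/dev/null &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
    -keyout "$d/other.key" -out "$d/other-ca.pem" 2>/dev/null
}

# Usage: sh check.sh client.pem client.key ca.pem
if [ "$#" -eq 3 ]; then
  check_tls_material "$@"
  echo "check_tls_material exit code: $?"
fi
```

A result of 1 means the key from step 3 does not belong to the certificate from step 2; a result of 2 means the CA file from step 6 did not issue that certificate.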