@kevdoran
Created July 18, 2018 14:00
NiPyAPI Test certs/keys for TLS

Here are the steps used to generate server/client TLS certs/keys for use with NiFi and NiPyAPI.

# use NiFi tls-toolkit to generate CA, server key/cert, client key/cert
./nifi-toolkit-1.4.0/bin/tls-toolkit.sh standalone --certificateAuthorityHostname localhost  --hostnames localhost --subjectAlternativeNames nifi,registry,secure-nifi,secure-registry --nifiDnSuffix ", OU=nifi" --keyStorePassword localhostKeystorePassword --trustStorePassword localhostTruststorePassword --clientCertDn "CN=user1, OU=nifi" --clientCertPassword clientPassword --days 9999 --outputDirectory nipyapi-tests
 
# change to tls-toolkit output directory
cd ./nipyapi-tests
 
# copy server's key/trust stores
mkdir keys
cp localhost/keystore.jks keys/localhost-ks.jks
cp localhost/truststore.jks keys/localhost-ts.jks
 
# create a Java Key Store (JKS) from the client key
keytool -importkeystore \
  -srckeystore CN=user1_OU=nifi.p12 -srcstoretype PKCS12 -srcstorepass clientPassword \
  -destkeystore keys/client-ks.jks -deststoretype JKS -deststorepass clientPassword -destkeypass clientPassword 
 
# copy keys and certificates from JKS format into PKCS12 format:
cd ./keys
keytool -importkeystore \
  -srckeystore client-ks.jks -srcstoretype jks -srcstorepass clientPassword \
  -destkeystore client-ks.p12 -deststoretype pkcs12 -deststorepass clientPassword
keytool -importkeystore \
  -srckeystore localhost-ts.jks -srcstoretype jks -srcstorepass localhostTruststorePassword \
  -destkeystore localhost-ts.p12 -deststoretype pkcs12 -deststorepass localhostTruststorePassword
  
# export the CA certificate, the client certificate and the client private key from PKCS12 format to PEM format:
openssl pkcs12 -in localhost-ts.p12 -passin pass:localhostTruststorePassword -out localhost-ts.pem -nokeys
openssl pkcs12 -in client-ks.p12 -passin pass:clientPassword -out client-cert.pem -nokeys
openssl pkcs12 -in client-ks.p12 -passin pass:clientPassword -out client-key.pem -nocerts -passout pass:clientPassword

You should now have a directory with the following contents:

keys/
  +-- client-cert.pem   # client public cert (PEM format, unencrypted)
  +-- client-key.pem    # client private key (PEM format, encrypted):  password=clientPassword
  +-- client-ks.jks     # client key/cert keystore (JKS format):     keystorePass=clientPassword, keyPass=clientPassword
  +-- client-ks.p12     # client key/cert keystore (PKCS12 format):  keystorePass=clientPassword, keyPass=clientPassword
  +-- localhost-ks.jks  # server key/cert keystore (JKS format):     keystorePass=localhostKeystorePassword, keyPass=localhostKeystorePassword
  +-- localhost-ts.jks  # server/client CA cert truststore (JKS format):     truststorePass=localhostTruststorePassword
  +-- localhost-ts.p12  # server/client CA cert truststore (PKCS12 format):  truststorePass=localhostTruststorePassword
  +-- localhost-ts.pem  # server/client CA cert truststore (PEM format):     truststorePass=localhostTruststorePassword

You can verify the contents of these keystores using the following commands:

keytool -list -v -keystore keys/client-ks.jks -storepass clientPassword
keytool -list -v -keystore keys/localhost-ks.jks -storepass localhostKeystorePassword
keytool -list -v -keystore keys/localhost-ts.jks -storepass localhostTruststorePassword
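The keytool listings above show what is inside the JKS stores, but NiPyAPI consumes the PEM files, so it is worth checking those too. The following POSIX shell script is an added example, not part of the original gist: check_nipyapi_keys confirms that localhost-ts.pem parses as a certificate, that client-cert.pem chains to it and is not expired, that client-key.pem is stored encrypted, and that the key actually belongs to the certificate. It assumes the file names used above, an openssl binary on PATH and a key password of clientPassword. make_test_keys is a constructed stand-in for tls-toolkit (a throwaway CA and client cert) so the checks can be exercised offline; point check_nipyapi_keys at the real keys/ directory instead when you have one.

```shell
#!/bin/sh
# Sanity checks for a keys/ directory laid out like the tls-toolkit output above.
# Added example; assumes the file names client-cert.pem, client-key.pem and
# localhost-ts.pem and an `openssl` binary on PATH.

# check_nipyapi_keys DIR KEY_PASSWORD
# Returns 0 if every check passes, 1 otherwise; prints one line per failure.
check_nipyapi_keys() {
  dir=$1
  pass=$2
  ca="$dir/localhost-ts.pem"
  cert="$dir/client-cert.pem"
  key="$dir/client-key.pem"
  rc=0

  # 1. The truststore export must contain at least one parseable certificate.
  openssl x509 -in "$ca" -noout 2>/dev/null \
    || { echo "FAIL: $ca does not contain a PEM certificate"; rc=1; }

  # 2. The client certificate must chain to the CA that NiFi trusts.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert does not verify against $ca"; rc=1; }

  # 3. The client certificate must not already be expired.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "FAIL: $cert is expired"; rc=1; }

  # 4. The private key must be stored encrypted (the -passout step above).
  grep -q ENCRYPTED "$key" \
    || { echo "FAIL: $key is not an encrypted PEM key"; rc=1; }

  # 5. The private key must belong to the certificate: compare the public keys.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
  key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null || true)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
    || { echo "FAIL: $key does not match $cert (or wrong password)"; rc=1; }

  return $rc
}

# make_test_keys DIR KEY_PASSWORD
# Constructed fixture: a throwaway CA plus a client cert and encrypted key in the
# same layout as the tls-toolkit output above, so the checks run offline.
make_test_keys() {
  dir=$1
  pass=$2
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-ca" \
    -keyout "$dir/ca-key.pem" -out "$dir/localhost-ts.pem" 2>/dev/null
  openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/client-key.pem" 2048 2>/dev/null
  openssl req -new -key "$dir/client-key.pem" -passin "pass:$pass" \
    -subj "/CN=user1/OU=nifi" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/localhost-ts.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -days 1 \
    -out "$dir/client-cert.pem" 2>/dev/null
}

# Usage: `sh check-keys.sh --demo` runs the checks against a fresh fixture;
# otherwise call check_nipyapi_keys keys clientPassword on the real directory.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_test_keys "$tmp" clientPassword
  check_nipyapi_keys "$tmp" clientPassword && echo "all checks passed"
  rm -rf "$tmp"
fi
```

Check 5 is the one that catches the most common mix-up (a key exported from one store beside a certificate exported from another): both `openssl x509 -pubkey` and `openssl pkey -pubout` emit the SubjectPublicKeyInfo as PEM, so a plain string comparison is enough, and a wrong password shows up as the same failure because the key cannot be decoded at all.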