@mike11339
Forked from alopresto/cert_commands.md
Created August 9, 2021 21:12
Commonly used certificate and keystore commands for verifying Apache NiFi API/UI TLS mutual authentication (MA) connections.

Certificate and key commands

1. Verify connection:

$ openssl s_client -connect <host:port> -debug -state -cert <path_to_your_cert.pem> -key <path_to_your_key.pem> -CAfile <path_to_your_CA_cert.pem>

2. Export client cert from PKCS12 keystore to PEM:

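$ openssl pkcs12 -in "CN=<something_you_typed>_OU=Apache NiFi.p12" -clcerts -nokeys -out client_bag.pem # pkcs12 writes PEM (not DER); -nokeys keeps the private key out of this file
$ openssl x509 -in client_bag.pem -out client.pem # drops the bag attributes, leaving only the certificate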

3. Export client private key from PKCS12 keystore to PEM:

$ openssl pkcs12 -in "CN=<something_you_typed>_OU=Apache NiFi.p12" -nodes -nocerts -out client.key # -nodes leaves client.key unencrypted

4. Export server cert from JKS keystore to PEM:

$ keytool -export -alias <your_alias> -file nifi.der -keystore <keystore.jks>
$ openssl x509 -inform der -in nifi.der -out nifi.pem
$ openssl x509 -in nifi.pem -text -noout # displays the cert
$ more nifi.pem # displays the cert in Base64

5. Export server private key from JKS keystore to PEM:

$ keytool -importkeystore -srckeystore <keystore.jks> -destkeystore keystore.p12 -deststoretype PKCS12
$ openssl pkcs12 -in keystore.p12 -nodes -nocerts -out nifi.key

6. Export CA cert from JKS keystore to PEM:

$ keytool -export -alias <your_alias> -file ca.der -keystore <truststore.jks>
$ openssl x509 -inform der -in ca.der -out ca.pem
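
Before running the connection test in step 1, it helps to confirm that the exported files belong together. The script below is an added example, not part of the original gist: it checks that the private key matches the certificate, that the certificate verifies against the CA file, and that the unencrypted key is not readable by group or other. The function names are hypothetical; the file names follow the steps above.

```shell
#!/bin/sh
# Added example: pre-flight checks on the PEM files exported in steps 2-6.
# Function names are hypothetical; file names follow the gist.

# Public key embedded in a certificate, as PEM.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key derived from a private key, as PEM.
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# 0 if the private key belongs to the certificate, 1 if not, 2 on a parse error.
cert_matches_key() {
  c=$(cert_pubkey "$1") || return 2
  k=$(key_pubkey "$2") || return 2
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if openssl can verify the certificate with the CA file as trust anchor.
# openssl may also search its default CA directory; add -no-CApath
# (OpenSSL 1.1.0+) to trust only the given file.
cert_chains_to_ca() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# 0 if the key file grants no permissions to group or other.
key_perms_ok() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# usage: preflight client.pem client.key ca.pem
preflight() {
  rc=0
  cert_matches_key "$1" "$2" ||
    { echo "FAIL: $2 is not the private key for $1" >&2; rc=1; }
  cert_chains_to_ca "$1" "$3" ||
    { echo "FAIL: $1 does not verify against $3" >&2; rc=1; }
  key_perms_ok "$2" ||
    { echo "FAIL: $2 is accessible to group or other" >&2; rc=1; }
  return "$rc"
}

# Run the checks only when three file names are given on the command line.
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

Saved as a script, it takes the three files as arguments (client.pem, client.key, ca.pem) and exits non-zero if any check fails.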