Self-Signed Certificates
These certificates are provided by RequiTest, Inc. and are for test purposes only. They should not be used in production environments.
Available Files
keystore.jks
- password (both keystore and key) is 'changeme'
- certificate dn is 'CN=localhost, OU=Demo, O=NiFi'
- use this as the keystore when securing test NiFi instances
- password is 'testPass'
- certificate dn is 'CN=NiFi Admin, OU=Demo, O=NiFi'
- import the .p12 certificate into the browser of your choice to connect to secure NiFi instances as the NiFi Admin user
- password is 'testPass'
- certificate dn is 'CN=NiFi User, OU=Demo, O=NiFi'
- import the .p12 certificate into the browser of your choice to connect to secure NiFi instances as the NiFi User user
- password is 'changeme'
- configured to trust the keystore, nifiadmin, and nifiuser certificates
Creating Self-Signed Certificates
To create your own certificates using Java's keytool command, follow the instructions below:
1. Create a JKS file
keytool -genkey -alias <someAlias> -keyalg RSA -keystore <keystore> -storepass <keystorePassword> -dname "<dname>" -validity 3650
- <someAlias> - an alias that identifies the key entry within the keystore
- <keystore> - the filename (e.g. keystore.jks)
- <keystorePassword> - the password for the keystore
- <dname> - the Distinguished Name for the keystore in the form of "Field=Value, Field=Value, Field=Value" using the following table to determine appropriate fields and values
Field | Description |
---|---|
CN | Common Name (Identifies the person or system) |
OU | Organizational Unit |
O | Organization |
L | Locality (city, county, township, or other geographic region) |
ST | State or province name |
C | Country digraph |
DC | Domain Component (e.g. example.com would be dc=example, dc=com) |
- -validity - optional field that indicates for how many days the certificate should be valid
2. Extract the certificate file from the newly created keystore.
keytool -export -alias <someAlias> -file <keystoreCert> -keystore <keystore>
- <someAlias> - same alias used to create the keystore
- <keystoreCert> - the certificate destination file
- <keystore> - the keystore file created in step 1
3. Import the certificate into the truststore.
keytool -import -v -trustcacerts -keystore <truststore> -alias <someAlias> -storepass <storePassword> -file <keystoreCert> -noprompt
- <truststore> - the filename for the truststore into which you will import the certificate (if it doesn't exist, it will be created)
- <someAlias> - same alias used to create the certificate to be imported
- <storePassword> - the password to use for the truststore
- <keystoreCert> - the certificate file created in step 2
- -noprompt - tells keytool to just trust the cert without asking if it should be trusted
4. Create a .p12 file for importing into the browser
keytool -importkeystore -srckeystore <keystore> -destkeystore <p12Keystore> -srcstoretype JKS -deststoretype PKCS12 -srcstorepass <keystorePassword> -deststorepass <p12Password> -srcalias <someAlias> -destalias <p12Alias> -srckeypass <keystoreKeyPass> -destkeypass <p12KeyPass> -noprompt
- <keystore> - the keystore file
- <p12Keystore> - the destination .p12 file
- <keystorePassword> - the password for the keystore file
- <p12Password> - the password for the .p12 file
- <someAlias> - the keystore alias
- <p12Alias> - the desired .p12 alias
- <keystoreKeyPass> - the keystore key password (typically identical to the keystorePassword unless configured differently when creating the keystore)
- <p12KeyPass> - the .p12 key password
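
The four steps above as one unattended script, followed by a check that the keystore, the truststore and the .p12 all carry the same SHA-256 certificate fingerprint and that the truststore holds only the certificate, never the private key. This is an added example, not part of the original instructions; the alias, passwords and the file names keystore.cer and client.p12 are constructed, and the -storetype, -keypass and export -storepass options are additions to the commands shown above.

```shell
#!/bin/sh
# Added example, not from the original page. Names and passwords are constructed.
# Added options (-storetype, -keypass, export -storepass) avoid prompts, force JKS.
set -eu
ALIAS=nifi-test
KS_PASS=ksPass-123 TS_PASS=tsPass-123 P12_PASS=p12Pass-123
DNAME='CN=localhost, OU=Demo, O=NiFi'
kt() { keytool -J-Duser.language=en "$@"; }  # English labels for the parsers

# Parsers for `keytool -list -v` output read from stdin.
entry_type_of() { awk -F': ' '/^Entry type:/ && !n++ { print $2 }'; }
sha256_of()     { awk '/SHA-?256:/ && !n++ { print $NF }'; }

# describe <store> <type> <password>  ->  "<entry type> <SHA-256 fingerprint>"
describe() {
  out=$(kt -list -v -keystore "$1" -storetype "$2" -storepass "$3" -alias "$ALIAS")
  echo "$(echo "$out" | entry_type_of) $(echo "$out" | sha256_of)"
}

build_stores() (  # steps 1-4, run inside directory $1
  cd "$1"
  kt -genkey -alias "$ALIAS" -keyalg RSA -keystore keystore.jks -storetype JKS \
     -storepass "$KS_PASS" -keypass "$KS_PASS" -dname "$DNAME" -validity 3650
  kt -export -alias "$ALIAS" -file keystore.cer -keystore keystore.jks \
     -storepass "$KS_PASS"
  kt -import -v -trustcacerts -keystore truststore.jks -storetype JKS \
     -alias "$ALIAS" -storepass "$TS_PASS" -file keystore.cer -noprompt
  kt -importkeystore -srckeystore keystore.jks -destkeystore client.p12 \
     -srcstoretype JKS -deststoretype PKCS12 -srcstorepass "$KS_PASS" \
     -deststorepass "$P12_PASS" -srcalias "$ALIAS" -destalias "$ALIAS" \
     -srckeypass "$KS_PASS" -destkeypass "$P12_PASS" -noprompt
)

# The private key belongs only in keystore.jks and client.p12; the truststore
# must hold the same certificate (same fingerprint) as a trustedCertEntry.
verify_stores() (
  cd "$1"
  ks=$(describe keystore.jks JKS "$KS_PASS"); fp=${ks#* }
  [ -n "$fp" ] && [ "$ks" = "PrivateKeyEntry $fp" ] &&
    [ "$(describe truststore.jks JKS "$TS_PASS")" = "trustedCertEntry $fp" ] &&
    [ "$(describe client.p12 PKCS12 "$P12_PASS")" = "PrivateKeyEntry $fp" ]
)

if command -v keytool >/dev/null 2>&1; then
  dir=$(mktemp -d); build_stores "$dir"; verify_stores "$dir"
  echo "consistent stores written to $dir"
else
  echo "keytool not found; install a JDK to run steps 1-4" >&2
fi
```

Passwords passed on the command line are visible in the process list and shell history, which is acceptable only for throwaway test stores like these.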