NIFIREG-220 New test certs
Replacing the test TLS certs in the source code repository
with new certs that were signed by a tracked CA key. Also
adding instructions for generating additional keys in the
future if needed.
Corrections to README based on peer-review feedback
Updated shell script in README to create uniq working dir
This closes #153.
Signed-off-by: Andy LoPresto <alopresto@apache.org>
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/application-ITSecureFile.properties b/nifi-registry-core/nifi-registry-web-api/src/test/resources/application-ITSecureFile.properties
index 3ea5398..cea51c6 100644
--- a/nifi-registry-core/nifi-registry-web-api/src/test/resources/application-ITSecureFile.properties
+++ b/nifi-registry-core/nifi-registry-web-api/src/test/resources/application-ITSecureFile.properties
@@ -28,9 +28,9 @@
# Embedded Server SSL Context Config
server.ssl.client-auth: need
-server.ssl.key-store: ./target/test-classes/keys/localhost-ks.jks
-server.ssl.key-store-password: localhostKeystorePassword
-server.ssl.key-password: localhostKeystorePassword
+server.ssl.key-store: ./target/test-classes/keys/registry-ks.jks
+server.ssl.key-store-password: password
+server.ssl.key-password: password
server.ssl.protocol: TLS
-server.ssl.trust-store: ./target/test-classes/keys/localhost-ts.jks
-server.ssl.trust-store-password: localhostTruststorePassword
+server.ssl.trust-store: ./target/test-classes/keys/ca-ts.jks
+server.ssl.trust-store-password: password
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/application-ITSecureKerberos.properties b/nifi-registry-core/nifi-registry-web-api/src/test/resources/application-ITSecureKerberos.properties
index 6ce3665..fb1c928 100644
--- a/nifi-registry-core/nifi-registry-web-api/src/test/resources/application-ITSecureKerberos.properties
+++ b/nifi-registry-core/nifi-registry-web-api/src/test/resources/application-ITSecureKerberos.properties
@@ -27,10 +27,10 @@
# Embedded Server SSL Context Config
-#server.ssl.client-auth: need # LDAP-configured server does not require two-way TLS
-server.ssl.key-store: ./target/test-classes/keys/localhost-ks.jks
-server.ssl.key-store-password: localhostKeystorePassword
-server.ssl.key-password: localhostKeystorePassword
+#server.ssl.client-auth: need # server does not require two-way TLS
+server.ssl.key-store: ./target/test-classes/keys/registry-ks.jks
+server.ssl.key-store-password: password
+server.ssl.key-password: password
server.ssl.protocol: TLS
-server.ssl.trust-store: ./target/test-classes/keys/localhost-ts.jks
-server.ssl.trust-store-password: localhostTruststorePassword
+server.ssl.trust-store: ./target/test-classes/keys/ca-ts.jks
+server.ssl.trust-store-password: password
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/application-ITSecureLdap.properties b/nifi-registry-core/nifi-registry-web-api/src/test/resources/application-ITSecureLdap.properties
index ffcc43e..25b749d 100644
--- a/nifi-registry-core/nifi-registry-web-api/src/test/resources/application-ITSecureLdap.properties
+++ b/nifi-registry-core/nifi-registry-web-api/src/test/resources/application-ITSecureLdap.properties
@@ -28,12 +28,12 @@
# Embedded Server SSL Context Config
#server.ssl.client-auth: need # LDAP-configured server does not require two-way TLS
-server.ssl.key-store: ./target/test-classes/keys/localhost-ks.jks
-server.ssl.key-store-password: localhostKeystorePassword
-server.ssl.key-password: localhostKeystorePassword
+server.ssl.key-store: ./target/test-classes/keys/registry-ks.jks
+server.ssl.key-store-password: password
+server.ssl.key-password: password
server.ssl.protocol: TLS
-server.ssl.trust-store: ./target/test-classes/keys/localhost-ts.jks
-server.ssl.trust-store-password: localhostTruststorePassword
+server.ssl.trust-store: ./target/test-classes/keys/ca-ts.jks
+server.ssl.trust-store-password: password
# Embedded LDAP Config
spring.ldap.embedded.base-dn: dc=example,dc=com
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/conf/secure-file/nifi-registry-client.properties b/nifi-registry-core/nifi-registry-web-api/src/test/resources/conf/secure-file/nifi-registry-client.properties
index 8eb6b56..5a31413 100644
--- a/nifi-registry-core/nifi-registry-web-api/src/test/resources/conf/secure-file/nifi-registry-client.properties
+++ b/nifi-registry-core/nifi-registry-web-api/src/test/resources/conf/secure-file/nifi-registry-client.properties
@@ -16,10 +16,10 @@
#
# client security properties #
-nifi.registry.security.keystore=./target/test-classes/keys/client-ks.jks
+nifi.registry.security.keystore=./target/test-classes/keys/user1-ks.jks
nifi.registry.security.keystoreType=JKS
-nifi.registry.security.keystorePasswd=clientKeystorePassword
-nifi.registry.security.keyPasswd=u1Pass
-nifi.registry.security.truststore=./target/test-classes/keys/localhost-ts.jks
+nifi.registry.security.keystorePasswd=password
+nifi.registry.security.keyPasswd=password
+nifi.registry.security.truststore=./target/test-classes/keys/ca-ts.jks
nifi.registry.security.truststoreType=JKS
-nifi.registry.security.truststorePasswd=localhostTruststorePassword
+nifi.registry.security.truststorePasswd=password
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/conf/secure-kerberos/nifi-registry-client.properties b/nifi-registry-core/nifi-registry-web-api/src/test/resources/conf/secure-kerberos/nifi-registry-client.properties
index f431ccc..59f1243 100644
--- a/nifi-registry-core/nifi-registry-web-api/src/test/resources/conf/secure-kerberos/nifi-registry-client.properties
+++ b/nifi-registry-core/nifi-registry-web-api/src/test/resources/conf/secure-kerberos/nifi-registry-client.properties
@@ -17,6 +17,6 @@
# client security properties #
# Don't use a client cert for one-way TLS. Client identity will be provided via Kerberos SPNEGO to get JWT
-nifi.registry.security.truststore=./target/test-classes/keys/localhost-ts.jks
+nifi.registry.security.truststore=./target/test-classes/keys/ca-ts.jks
nifi.registry.security.truststoreType=JKS
-nifi.registry.security.truststorePasswd=localhostTruststorePassword
+nifi.registry.security.truststorePasswd=password
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/conf/secure-ldap/nifi-registry-client.properties b/nifi-registry-core/nifi-registry-web-api/src/test/resources/conf/secure-ldap/nifi-registry-client.properties
index 68cb0f9..996e6d5 100644
--- a/nifi-registry-core/nifi-registry-web-api/src/test/resources/conf/secure-ldap/nifi-registry-client.properties
+++ b/nifi-registry-core/nifi-registry-web-api/src/test/resources/conf/secure-ldap/nifi-registry-client.properties
@@ -17,6 +17,6 @@
# client security properties #
# Don't use a client cert for one-way TLS. Client identity will be provided via LDAP user/pass to get JWT
-nifi.registry.security.truststore=./target/test-classes/keys/localhost-ts.jks
+nifi.registry.security.truststore=./target/test-classes/keys/ca-ts.jks
nifi.registry.security.truststoreType=JKS
-nifi.registry.security.truststorePasswd=localhostTruststorePassword
+nifi.registry.security.truststorePasswd=password
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/README.md b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/README.md
index c3059cf..24460cd 100644
--- a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/README.md
+++ b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/README.md
@@ -12,36 +12,234 @@
See the License for the specific language governing permissions and
limitations under the License.
-->
-# Integration Test Keys
+# Test Keys
-The integration tests that run a secure NiFi require keystores and truststores for the server and client in order
-to establish a two-way TLS connection.
+The automated security tests require keys and certificates for TLS connections.
+The keys in this directory can be used for that purpose.
-The keys/certs for these tests were generated with the tls-toolkit included with NiFi Toolkit v1.4.0.
+***
-The steps for generating replacements are:
+**NOTICE**: This directory contains keys and certificates for *development and testing* purposes only.
- # use NiFi tls-toolkit to generate CA, server key/cert, client key/cert
- ./nifi-toolkit-1.4.0/bin/tls-toolkit.sh standalone --certificateAuthorityHostname localhost --hostnames localhost --nifiDnSuffix ", OU=nifi" --keyStorePassword localhostKeystorePassword --trustStorePassword localhostTruststorePassword --clientCertDn "CN=user1, OU=nifi" --clientCertPassword u1Pass --days 3650 --outputDirectory nifireg-integrationtest
+**Never use these keystores and truststores in a real-world scenario where actual security is needed.**
- # change to tls-toolkit output directory
- cd ./nifireg-integrationtest
+The CA and private keys (including their protection passwords) have been published on the Internet, so they should never be trusted.
- # copy server's key/trust stores
- mkdir keys
- cp localhost/keystore.jks keys/localhost-ks.jks
- cp localhost/truststore.jks keys/localhost-ts.jks
+***
- # create a Java Key Store (JKS) from the client key
- keytool -importkeystore -destkeystore keys/client-ks.jks -deststorepass clientKeystorePassword -destkeypass u1Pass -srckeystore CN=user1_OU=nifi.p12 -srcstorepass u1Pass -srcstoretype PKCS12
+## Directory Contents
+
+### Certificate Authority (CA)
+
+| Hostname / DN | File | Description | Format | Password |
+| --- | --- | --- | --- | --- |
+| - | ca-cert.pem | CA public cert | PEM (unencrypted) | N/A |
+| - | ca-key.pem | CA private (signing) key | PEM | password |
+| - | ca-ts.jks | CA cert truststore (shared by clients and servers) | JKS | password |
+| - | ca-ts.p12 | CA cert truststore (shared by clients and servers) | PKCS12 | password |
+| registry, localhost | registry-cert.pem | NiFi Registry server public cert | PEM (unencrypted) | N/A |
+| registry, localhost | registry-key.pem | NiFi Registry server private key | PEM | password |
+| registry, localhost | registry-ks.jks | NiFi Registry server key/cert keystore | JKS | password |
+| registry, localhost | registry-ks.p12 | NiFi Registry server key/cert keystore | PKCS12 | password |
+| CN=user1, OU=nifi | user1-cert.pem | client (user="user1") public cert | PEM (unencrypted) | N/A |
+| CN=user1, OU=nifi | user1-key.pem | client (user="user1") private key | PEM | password |
+| CN=user1, OU=nifi | user1-ks.jks | client (user="user1") key/cert keystore | JKS | password |
+| CN=user1, OU=nifi | user1-ks.p12 | client (user="user1") key/cert keystore | PKCS12 | password |
+
+## Generating Additional Test Keys/Certs
+
+If we need to add a service or user to our test environment that requires a cert signed by the same CA, here are the steps for generating additional keys for this directory that are signed by the same CA key.
+
+Requirements:
+
+- docker
+- keytool (included with Java)
+- openssl (included/available on most platforms)
+
+If you do not have docker, you can substitute the nifi-toolkit binary, which is available for download from https://nifi.apache.org and should run on any platform with Java 1.8.
+
+### New Service Keys
+
+The steps for generating a new service key/cert pair are (using `proxy` as the example service):
+
+```
+# make working directory
+WD="/tmp/test-keys-$(date +"%Y%m%d-%H%M%S")"
+mkdir "$WD"
+cd "$WD"
+
+# copy existing CA key/cert pair to working directory, rename to default tls-toolkit names
+cp /path/to/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/ca-key.pem ./nifi-key.key
+cp /path/to/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/ca-cert.pem ./nifi-cert.pem
+
+# use NiFi Toolkit Docker image to generate new keys/certs
+docker run -v "$WD":/tmp -w /tmp apache/nifi-toolkit:latest tls-toolkit standalone \
+ --hostnames proxy \
+ --subjectAlternativeNames localhost \
+ --nifiDnSuffix ", OU=nifi" \
+ --keyStorePassword password \
+ --trustStorePassword password \
+ --days 9999 \
+ -O
+
+# switch to output directory, create final output directory
+cd "$WD"
+mkdir keys
+
+# copy new service key/cert to final output dir in all formats
+keytool -importkeystore \
+ -srckeystore proxy/keystore.jks -srcstoretype jks -srcstorepass password -srcalias nifi-key \
+ -destkeystore keys/proxy-ks.jks -deststoretype jks -deststorepass password -destalias proxy-key
+keytool -importkeystore \
+ -srckeystore keys/proxy-ks.jks -srcstoretype jks -srcstorepass password \
+ -destkeystore keys/proxy-ks.p12 -deststoretype pkcs12 -deststorepass password
+openssl pkcs12 -in keys/proxy-ks.p12 -passin pass:password -out keys/proxy-key.pem -passout pass:password
+openssl pkcs12 -in keys/proxy-ks.p12 -passin pass:password -out keys/proxy-cert.pem -nokeys
+
+echo
+echo "New keys written to ${WD}/keys"
+echo "Copy to NiFi Registry test keys dir by running: "
+echo " cp \"$WD/keys/*\" /path/to/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/"
+```
+
+You can verify the contents of the new keystore (and that the signature is done by the correct CA) using the following command:
+
+ keytool -list -v -keystore "$WD/keys/proxy-ks.jks" -storepass password
+
+If you are satisfied with the results, you can copy the files from `/tmp/test-keys-YYYYMMDD-HHMMSS/keys` to this directory:
+
+ cp "$WD/keys/*" /path/to/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/
+
+### New Client or User Keys
+
+The steps for generating a new user key/cert pair are (using `user2` as the example user):
+
+```
+# make working directory
+WD="/tmp/test-keys-$(date +"%Y%m%d-%H%M%S")"
+mkdir "$WD"
+cd "$WD"
+
+# copy existing CA key/cert pair to working directory, rename to default tls-toolkit names
+cp /path/to/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/ca-key.pem ./nifi-key.key
+cp /path/to/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/ca-cert.pem ./nifi-cert.pem
+
+# use NiFi Toolkit Docker image to generate new keys/certs
+docker run -v "$WD":/tmp -w /tmp apache/nifi-toolkit:latest tls-toolkit standalone \
+ --clientCertDn "CN=user2, OU=nifi" \
+ --clientCertPassword password \
+ --days 9999 \
+ -O
+
+# switch to output directory, create final output directory
+cd "$WD"
+mkdir keys
+
+# transform tls-toolkit output to final output
+keytool -importkeystore \
+ -srckeystore CN=user2_OU=nifi.p12 -srcstoretype PKCS12 -srcstorepass password -srcalias nifi-key \
+ -destkeystore keys/user2-ks.jks -deststoretype JKS -deststorepass password -destalias user2-key
+keytool -importkeystore \
+ -srckeystore keys/user2-ks.jks -srcstoretype jks -srcstorepass password \
+ -destkeystore keys/user2-ks.p12 -deststoretype pkcs12 -deststorepass password
+openssl pkcs12 -in keys/user2-ks.p12 -passin pass:password -out keys/user2-key.pem -passout pass:password
+openssl pkcs12 -in keys/user2-ks.p12 -passin pass:password -out keys/user2-cert.pem -nokeys
+
+echo
+echo "New keys written to ${WD}/keys"
+echo "Copy to NiFi Registry test keys dir by running: "
+echo " cp \"$WD/keys/*\" /path/to/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/"
+```
+
+You can verify the contents of the new keystore (and that the signature is done by the correct CA) using the following command:
+
+ keytool -list -v -keystore "$WD/keys/user2-ks.jks" -storepass password
+
+If you are satisfied with the results, you can copy the files from `/tmp/test-keys-YYYYMMDD-HHMMSS/keys` to this directory:
+
+ cp "$WD/keys/*" /path/to/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/
-You should now have a directory with the following contents:
+## Regenerating All Test Keys/Certs
- keys/
- +-- client-ks.jks # client keystore: keystorePass=clientKeystorePassword, keyPass=u1Pass
- +-- localhost-ks.jks # server keystore: keystorePass=localhostKeystorePassword, keyPass=localhostKeystorePassword
- +-- localhost-ts.jks # server/client truststore (contains CA): truststorePass=localhostTruststorePassword
+In case you need to regenerate this entire directory, here are the steps that were used to first create it.
+Follow these steps in order to recreate it.
-Copy these files to the test/resources/keys/ directory.
+Requirements:
+- docker
+- keytool (included with Java)
+- openssl (included/available on most platforms)
+
+If you do not have docker, you can substitute the nifi-toolkit binary, which is available for download from https://nifi.apache.org and should run on any platform with Java 1.8.
+
+The steps for regenerating these test keys are:
+
+```
+# make working directory
+WD="/tmp/test-keys-$(date +"%Y%m%d-%H%M%S")"
+mkdir "$WD"
+cd "$WD"
+
+# use NiFi Toolkit Docker image to generate new keys/certs
+docker run -v "$WD":/tmp -w /tmp apache/nifi-toolkit:latest tls-toolkit standalone \
+ --certificateAuthorityHostname "Test CA (Do Not Trust)" \
+ --hostnames registry \
+ --subjectAlternativeNames localhost \
+ --nifiDnSuffix ", OU=nifi" \
+ --keyStorePassword password \
+ --trustStorePassword password \
+ --clientCertDn "CN=user1, OU=nifi" \
+ --clientCertPassword password \
+ --days 9999 \
+ -O
+
+# switch to output directory, create final output directory
+cd "$WD"
+mkdir keys
+
+# copy CA key/cert to final output dir in all formats
+cp nifi-key.key keys/ca-key.pem
+cp nifi-cert.pem keys/ca-cert.pem
+keytool -importkeystore \
+ -srckeystore registry/truststore.jks -srcstoretype jks -srcstorepass password -srcalias nifi-cert \
+ -destkeystore keys/ca-ts.jks -deststoretype jks -deststorepass password -destalias ca-cert
+keytool -importkeystore \
+ -srckeystore keys/ca-ts.jks -srcstoretype jks -srcstorepass password \
+ -destkeystore keys/ca-ts.p12 -deststoretype pkcs12 -deststorepass password
+
+# copy registry service key/cert to final output dir in all formats
+keytool -importkeystore \
+ -srckeystore registry/keystore.jks -srcstoretype jks -srcstorepass password -srcalias nifi-key \
+ -destkeystore keys/registry-ks.jks -deststoretype jks -deststorepass password -destalias registry-key
+keytool -importkeystore \
+ -srckeystore keys/registry-ks.jks -srcstoretype jks -srcstorepass password \
+ -destkeystore keys/registry-ks.p12 -deststoretype pkcs12 -deststorepass password
+openssl pkcs12 -in keys/registry-ks.p12 -passin pass:password -out keys/registry-key.pem -passout pass:password
+openssl pkcs12 -in keys/registry-ks.p12 -passin pass:password -out keys/registry-cert.pem -nokeys
+
+# copy user1 client key/cert to final output dir in all formats
+keytool -importkeystore \
+ -srckeystore CN=user1_OU=nifi.p12 -srcstoretype PKCS12 -srcstorepass password -srcalias nifi-key \
+ -destkeystore keys/user1-ks.jks -deststoretype JKS -deststorepass password -destkeypass password -destalias user1-key
+keytool -importkeystore \
+ -srckeystore keys/user1-ks.jks -srcstoretype jks -srcstorepass password \
+ -destkeystore keys/user1-ks.p12 -deststoretype pkcs12 -deststorepass password
+openssl pkcs12 -in keys/user1-ks.p12 -passin pass:password -out keys/user1-key.pem -passout pass:password
+openssl pkcs12 -in keys/user1-ks.p12 -passin pass:password -out keys/user1-cert.pem -nokeys
+
+echo
+echo "New keys written to ${WD}/keys"
+echo "Copy to NiFi Registry test keys dir by running: "
+echo " cp -f \"$WD/keys/*\" /path/to/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/"
+```
+
+You should now have a `/tmp/test-keys-YYYYMMDD-HHMMSS/keys` directory with all the necessary keys for testing with various tools.
+
+You can verify the contents of a keystore using the following command:
+
+ keytool -list -v -keystore "$WD/keys/registry-ks.jks" -storepass password
+
+If you are satisfied with the results, you can copy the files from `/tmp/test-keys-YYYYMMDD-HHMMSS/keys` to this directory:
+
+ cp -f "$WD/keys/*" /path/to/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/ca-cert.pem b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/ca-cert.pem
new file mode 100644
index 0000000..c882f4e
--- /dev/null
+++ b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/ca-cert.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDYzCCAkugAwIBAgIKAWfClyDGAAAAADANBgkqhkiG9w0BAQsFADAwMQ0wCwYD
+VQQLDARuaWZpMR8wHQYDVQQDDBZUZXN0IENBIChEbyBOb3QgVHJ1c3QpMB4XDTE4
+MTIxODE4MzIyM1oXDTQ2MDUwNDE4MzIyM1owMDENMAsGA1UECwwEbmlmaTEfMB0G
+A1UEAwwWVGVzdCBDQSAoRG8gTm90IFRydXN0KTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAIv7lVgGRHGaYmKkeTJpFzAp6QA7Anik/u1a+1ngGFWf9e6l
+RkSX6US+nPbDRLJpSkO0c+/v8BwAKBiHUFaGF9XV7YvX92x/Gb3/FidSu+HAW/w/
+keIZ8PHvXbMtTvEur+nY1hSDvssdw1nAYAB9DG26HdRSg5c1DYgHLk9WCDWuIspU
+n31YCb0lStWWbHM53i8xLfeV3IdOw9P3+d8bopzUUjk2quSxxekvzLCC1e14csJG
+GIKLplRUq+zWRgkGYF8Fkx+kYGL62sehAdVcblxjwnXnmlPHvlxeaclsAVn4LCQj
+gQzstzAv+s7sNSCxHba4vAusszWxOFiM1Vk8VvcCAwEAAaN/MH0wDgYDVR0PAQH/
+BAQDAgH+MAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFNukt0jKduJKyg8F+c/3j0w2
+AcnHMB8GA1UdIwQYMBaAFNukt0jKduJKyg8F+c/3j0w2AcnHMB0GA1UdJQQWMBQG
+CCsGAQUFBwMCBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAMvNsYLooq3zh
+ts0fPU8dNcfe/NXFK6Uwg0RQPtq/l1ChGnZgXicx+RHMR5Q08pR62e+3gztk+LRE
+iR9PpXqKFLM8slhR1z4sZ+Ja38ZHcOjsDPJeMKjUTrK8MNQN3YPKzoPE0AnLmsZI
+Kf1eUIXXA3uXiXkIIVuxPPK96Q5Rla0xnbOpgejzGJ0BIMFP3odLlSahtT2Gl6wC
+bdyImBkFntRJMoUx1fwUSKvIN5GUpaG6+E3mwgjckTUGZ15WrAllWqzhI06T73Yv
+qR4FsQizqrqLimrIgvCBH6SWbOcsjCH/I58KqMRtG+kmfa/iwMfy0MMzuzx1Kwbr
+qOi08D8F0w==
+-----END CERTIFICATE-----
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/ca-key.pem b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/ca-key.pem
new file mode 100644
index 0000000..27d34eb
--- /dev/null
+++ b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/ca-key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAi/uVWAZEcZpiYqR5MmkXMCnpADsCeKT+7Vr7WeAYVZ/17qVG
+RJfpRL6c9sNEsmlKQ7Rz7+/wHAAoGIdQVoYX1dXti9f3bH8Zvf8WJ1K74cBb/D+R
+4hnw8e9dsy1O8S6v6djWFIO+yx3DWcBgAH0Mbbod1FKDlzUNiAcuT1YINa4iylSf
+fVgJvSVK1ZZsczneLzEt95Xch07D0/f53xuinNRSOTaq5LHF6S/MsILV7XhywkYY
+goumVFSr7NZGCQZgXwWTH6RgYvrax6EB1VxuXGPCdeeaU8e+XF5pyWwBWfgsJCOB
+DOy3MC/6zuw1ILEdtri8C6yzNbE4WIzVWTxW9wIDAQABAoIBAC3qizVBcQf2hRko
+LB0N/a4twSDzOj9Kl9hRhKsZZ8IGY0wxaFgtoDWNdL04lfsTsGl+8pycjp0QrBZH
+pGGNQJpCvtWlNKKhGleJKcIiUECfsUyPqZGJwtAJHSodzYwtLUS+fJJkGJxVmfOB
+t7vRSNdhOlGf80wQ+exJtrYNWUoJ4oIjsYwObG1b5MuRU640zeamPa2DXlu7Ai6V
+Fj7wWo5cI0Yawzb9OO/zSSM1hdP5rypQcCn7K2ybZGYNOKqanY43IDyWQj+JUysF
+S+fFSuyv2FGifgSsxpGjuXoX6+oO1PDNhCQYnQjwoenQ6SHmBIqAhKv+VRCQUCsj
+IP3ZD/kCgYEA6wYIExk1khOiBvXqlap9Bt+T43k5bp0J1x0RPJHDvXzEiVvsv0mN
+Ft/EyvWoJvwxr6mtX9uVHdblQJao/ShCipdLeDGtMbHL8NH4PefBe+mkrHr/4/Yk
+3cgofkp/OKrA6Cwrkis7ishZ/5QwjE9lcwRQuK5TPx16zomghd0VVCMCgYEAmHn/
+pWoHnp4vDqweByme3aELQ2w8TSc8smQMuuVx+x+4TuGfgQC7DhPb9Yqdy0d0AFec
+IiVVYXG4JTCAovgLAtgwQd/M33pxv6r8ji8EXa+N/5YNmQ5+bxWth2TaKKHw1nwm
+IJ3gFHyJe2WSDSBU19Ybkcw7D9xd/SkRZHfgZR0CgYEAuibj3GS6RsKgMo0zymno
+b7pFBAavk8p00dqnHWeDN6IMdZPG+FhElVqWH//luUNGA5IMzgE5ohHlMXxjy2jJ
+E8b0MvZ97P+bvlpBGp9nZENSeH9QEXqUBsqUMDvHetXcx8i8liECH1HD3yi8L1Zv
+z2MaoL0LGNG7xL3D1GOhkisCgYBfDL42yZASax1+kgDuCh4Ent28m/5DQlBuDDx7
+TYjuOOnWEoQyENiKgArAWDbhf5tqkzK7fnZpFlDqrf+il+mVTltW1UKLlXLPPrHN
+mLWqCUQFre6wGP7sFKFmI5Jzfe/6ZM4HyyLi4nd5uul+0UbSfaAWFTBEROU6aZ1z
++d6iaQKBgQClbxwJXed8LIH7sdcpUDz+sLZtcU2CBeaFvgWXN7V/pYATi2TvfN9p
+8xMNUWsdTU7+2i9skzljlJ4vjEoY3cJ3Wki6cop7k6XqMGKV5oToZjwKjWGt2sp1
+8N72VtkU2o4gvK4HMIlbDIgrmNmXqLMRa6JJcRa2FPH4Xsi6NFrQPQ==
+-----END RSA PRIVATE KEY-----
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/ca-ts.jks b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/ca-ts.jks
new file mode 100644
index 0000000..3fe89fa
--- /dev/null
+++ b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/ca-ts.jks
Binary files differ
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/ca-ts.p12 b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/ca-ts.p12
new file mode 100644
index 0000000..b5fc9e7
--- /dev/null
+++ b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/ca-ts.p12
Binary files differ
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/client-ks.jks b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/client-ks.jks
deleted file mode 100644
index f2e0a1a..0000000
--- a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/client-ks.jks
+++ /dev/null
Binary files differ
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/localhost-ks.jks b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/localhost-ks.jks
deleted file mode 100644
index 7421aaa..0000000
--- a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/localhost-ks.jks
+++ /dev/null
Binary files differ
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/localhost-ts.jks b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/localhost-ts.jks
deleted file mode 100644
index 21eb2c0..0000000
--- a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/localhost-ts.jks
+++ /dev/null
Binary files differ
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/registry-cert.pem b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/registry-cert.pem
new file mode 100644
index 0000000..026e3eb
--- /dev/null
+++ b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/registry-cert.pem
@@ -0,0 +1,51 @@
+Bag Attributes
+ friendlyName: registry-key
+ localKeyID: 54 69 6D 65 20 31 35 34 35 31 35 37 39 34 36 32 31 34
+subject=/OU=nifi/CN=registry
+issuer=/OU=nifi/CN=Test CA (Do Not Trust)
+-----BEGIN CERTIFICATE-----
+MIIDdDCCAlygAwIBAgIKAWfClyHCAAAAADANBgkqhkiG9w0BAQsFADAwMQ0wCwYD
+VQQLDARuaWZpMR8wHQYDVQQDDBZUZXN0IENBIChEbyBOb3QgVHJ1c3QpMB4XDTE4
+MTIxODE4MzIyM1oXDTQ2MDUwNDE4MzIyM1owIjENMAsGA1UECwwEbmlmaTERMA8G
+A1UEAwwIcmVnaXN0cnkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4
+OYy3dRjERT7HcighqGW3eb4I0DfweWJ42/uf94/hMFSIQPo/lJetomhFSGiswRCN
+Y9ybWMaB0jPL7ksJQJLzUTKOQvH08Ml/MaiwsRHlGlD+8LqTma0jT+vdhdcypZ+B
+m5x6ozC5mZB1QqDYwXN21YR7IGYDMAdZ0OQuMreC+u7+fZ4LZLTFeKajWJSZ3fnv
+UKtYN05OUr8HZXk6Cc0vys7YZZeIQ5vKdbDjNSEt1yixfvp468KzFSNOCYtLStcL
+bDq4MBhxplQXTVJie1ofYnc8pYAG8BP1IPusfJ/NxCpk4pzSjFKC/GI0QfqcTVWA
+REUmTFpRZGykWsx0aBPFAgMBAAGjgZ0wgZowHQYDVR0OBBYEFB2WLWWv5ubjziz6
+2IfJcs3Spy2kMB8GA1UdIwQYMBaAFNukt0jKduJKyg8F+c/3j0w2AcnHMA4GA1Ud
+DwEB/wQEAwID+DAJBgNVHRMEAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEF
+BQcDATAeBgNVHREEFzAVgghyZWdpc3RyeYIJbG9jYWxob3N0MA0GCSqGSIb3DQEB
+CwUAA4IBAQAe5BReiXYEzM8ef7Wcl7DBLSh0Q5tWAl8Z4xCrOlNHjHM6GEZirJmh
+ww6W1wDth/kftZnptjxAP21SbdjzmgDRcRu2wqZSHeWP6lL53BfegE/AFaBwTlOE
+2nESoGIDl1vROMFFOnzR2ZJWmSoUDk/4oVFLZYAabUZKjfUZTjz99O7Pk4GiySrg
+c7/xKnYx8x91+jqFjpIgR/pkvrTPaPkAtgs68a5YxGT8yHH0wA1Ve+3zmqkQbg9g
+fDimZ4fgaorS0JzuqiZbIyzxu7Q6G506Lu34l5NA2qZQzdTm8g98ksli7DMazc8n
+8o68bZD9szMrvGiVCx/ujtiu2GG1y187
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: CN=Test CA (Do Not Trust),OU=nifi
+subject=/OU=nifi/CN=Test CA (Do Not Trust)
+issuer=/OU=nifi/CN=Test CA (Do Not Trust)
+-----BEGIN CERTIFICATE-----
+MIIDYzCCAkugAwIBAgIKAWfClyDGAAAAADANBgkqhkiG9w0BAQsFADAwMQ0wCwYD
+VQQLDARuaWZpMR8wHQYDVQQDDBZUZXN0IENBIChEbyBOb3QgVHJ1c3QpMB4XDTE4
+MTIxODE4MzIyM1oXDTQ2MDUwNDE4MzIyM1owMDENMAsGA1UECwwEbmlmaTEfMB0G
+A1UEAwwWVGVzdCBDQSAoRG8gTm90IFRydXN0KTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAIv7lVgGRHGaYmKkeTJpFzAp6QA7Anik/u1a+1ngGFWf9e6l
+RkSX6US+nPbDRLJpSkO0c+/v8BwAKBiHUFaGF9XV7YvX92x/Gb3/FidSu+HAW/w/
+keIZ8PHvXbMtTvEur+nY1hSDvssdw1nAYAB9DG26HdRSg5c1DYgHLk9WCDWuIspU
+n31YCb0lStWWbHM53i8xLfeV3IdOw9P3+d8bopzUUjk2quSxxekvzLCC1e14csJG
+GIKLplRUq+zWRgkGYF8Fkx+kYGL62sehAdVcblxjwnXnmlPHvlxeaclsAVn4LCQj
+gQzstzAv+s7sNSCxHba4vAusszWxOFiM1Vk8VvcCAwEAAaN/MH0wDgYDVR0PAQH/
+BAQDAgH+MAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFNukt0jKduJKyg8F+c/3j0w2
+AcnHMB8GA1UdIwQYMBaAFNukt0jKduJKyg8F+c/3j0w2AcnHMB0GA1UdJQQWMBQG
+CCsGAQUFBwMCBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAMvNsYLooq3zh
+ts0fPU8dNcfe/NXFK6Uwg0RQPtq/l1ChGnZgXicx+RHMR5Q08pR62e+3gztk+LRE
+iR9PpXqKFLM8slhR1z4sZ+Ja38ZHcOjsDPJeMKjUTrK8MNQN3YPKzoPE0AnLmsZI
+Kf1eUIXXA3uXiXkIIVuxPPK96Q5Rla0xnbOpgejzGJ0BIMFP3odLlSahtT2Gl6wC
+bdyImBkFntRJMoUx1fwUSKvIN5GUpaG6+E3mwgjckTUGZ15WrAllWqzhI06T73Yv
+qR4FsQizqrqLimrIgvCBH6SWbOcsjCH/I58KqMRtG+kmfa/iwMfy0MMzuzx1Kwbr
+qOi08D8F0w==
+-----END CERTIFICATE-----
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/registry-key.pem b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/registry-key.pem
new file mode 100644
index 0000000..e2e48e7
--- /dev/null
+++ b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/registry-key.pem
@@ -0,0 +1,85 @@
+Bag Attributes
+ friendlyName: registry-key
+ localKeyID: 54 69 6D 65 20 31 35 34 35 31 35 37 39 34 36 32 31 34
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIq3tPUSgTjYoCAggA
+MBQGCCqGSIb3DQMHBAjQRc2FRduPPwSCBMh1unFOz4EL+BfzTMsHc//QDhof+/ey
+4voz/DqHsPnxSXGCxDJc51OnyINIRZsIVaJVDxcKbwMtoLEVasGw54oYeTRSkJ7l
+56dTEvHHBx9/ksdcKGshCfA2hBI5YMiWXjk477+iKI7AhoHXt5azk65NUG4+CU/X
+FuqzAcXfwtktfl/nyl5U7j+Kh7cVpV0XEINUyjBiqKjTkAMn/+GMOUN0Tb/hYtZo
+P8bz8cqQiLIdoQzqVJmVkS4cXhUcD0a2wJ9ptPz+Mss4VOl7812R30kBB1figNIy
+V7hzC7vJpECQoCkqvDDfJBmyjSA5JDaVQMyXyrpP1nrRDdKOqufYbA93ojm1AA+h
+eCXWtqWcLVgUHEQz6hzrxcigyv+iR29xA58wB+/GBs2GIgrpfA5kKK9QiI1WsAT0
+B7mLEhzACtfctuWkcHsY7GEHKdweVBGkRzMFjdNpO4mYDyp9x7Xc2AVxENyfdZIA
+e3JNRMK3yQHOr4oAk1YnU7h4Dzw4dsbLetixSsPtn+5PpoulUKqd7VLqQb62Fzlt
+FquphwZesdmLZLm6igMXfAb6JzPIXg8HQGubX8MHWdbtHlkPOnZ6YQ1MOZvX8PGB
+2TY76c7O5lBU2Az/jcSSh0Y4vuf55mTLEdnvsIuwrlITitZFTM4fOpFTbP+g4MEy
+L4KtUP8TnezsNCitxQSOnzBHkZ52Ik6aL+macjS0UgPiku9P4aC0kpszAXZUuumQ
+PdgcEIH8dJ6/wvs7hBHHlR4xLbj6nOQ5rz6Cxx0Ozb+F8oi5WcwoeSUNz9z51Z52
+ENj3BQ8G672KtKRJ8h2csGt6SAH0sjjjzThiKk9e4o1/la6/6D5mQsRUxgGbZ/pw
+ewtPkFIPa9s+XRvlIu9QBKaqvIZ3aRARvtdUOiap2XOGkqPLmeLBQ8yCvqDczkwV
+f5dg8zcE817bfe5NcAUQyOrT8A+ANpjLZNwKK7B1tg5Q7S3G+u9MeSSR6xMyw+ce
+04eVo3+rtFia7gMnL1covgA46jBufl6to1AwSPHkbooVKdPUODPG8FKKpJSjHOUz
+WGNx8+QXXsvZyWw2betA6eT2lJuSfKct5QSpwImLFjH0xjwpSu0dvQK3N6IvpLkR
+lei0ATBjZ5ekRRpGowDJJlFE3LKU2BkVMikl6/c3Ap89/EKdIeN3odVtA7GPDHyy
+Vxh0sywOdatL46HI2EvMlMbIFX0BvJVZQ68BZ8UxmucrzC6G+hoVzMk18vSDm3s/
+Ydj5FiUuBSL36x9sQmzQXk2XvQscHCYnMX7H4F5TVaarfp1xQS36H3P6rUXcDRhp
++EM6P/YkQkelGIc+t2AcHwcYeISzqVIXBzMQfAaiR2YsQc/27mM/mkI+wT14WfxN
+cf47ver5OBc2xfKScp4dJpWMVe/gZEAiyVlSw5gZXGP/CbunBNVhldSl8lh/nCpc
+WJrmnRe5wyx9+OKoyEI8w9fE5c1Pwct33oeMnaKdpI8g/eDBARZkz1Tousso9a+K
+5YmqHpOhQkEMxCrhxF+yY+XmoLCIPg0B+EX5IWZfHGL5Etm5FhcijzFw86z2QHZ+
+JUINfPR1WnN8lNoUFA4w/MTv0wREeWD6cF/bzYQQDrnzdl5tznYSFF5xAEb5KrlH
+aGA=
+-----END ENCRYPTED PRIVATE KEY-----
+Bag Attributes
+ friendlyName: registry-key
+ localKeyID: 54 69 6D 65 20 31 35 34 35 31 35 37 39 34 36 32 31 34
+subject=/OU=nifi/CN=registry
+issuer=/OU=nifi/CN=Test CA (Do Not Trust)
+-----BEGIN CERTIFICATE-----
+MIIDdDCCAlygAwIBAgIKAWfClyHCAAAAADANBgkqhkiG9w0BAQsFADAwMQ0wCwYD
+VQQLDARuaWZpMR8wHQYDVQQDDBZUZXN0IENBIChEbyBOb3QgVHJ1c3QpMB4XDTE4
+MTIxODE4MzIyM1oXDTQ2MDUwNDE4MzIyM1owIjENMAsGA1UECwwEbmlmaTERMA8G
+A1UEAwwIcmVnaXN0cnkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4
+OYy3dRjERT7HcighqGW3eb4I0DfweWJ42/uf94/hMFSIQPo/lJetomhFSGiswRCN
+Y9ybWMaB0jPL7ksJQJLzUTKOQvH08Ml/MaiwsRHlGlD+8LqTma0jT+vdhdcypZ+B
+m5x6ozC5mZB1QqDYwXN21YR7IGYDMAdZ0OQuMreC+u7+fZ4LZLTFeKajWJSZ3fnv
+UKtYN05OUr8HZXk6Cc0vys7YZZeIQ5vKdbDjNSEt1yixfvp468KzFSNOCYtLStcL
+bDq4MBhxplQXTVJie1ofYnc8pYAG8BP1IPusfJ/NxCpk4pzSjFKC/GI0QfqcTVWA
+REUmTFpRZGykWsx0aBPFAgMBAAGjgZ0wgZowHQYDVR0OBBYEFB2WLWWv5ubjziz6
+2IfJcs3Spy2kMB8GA1UdIwQYMBaAFNukt0jKduJKyg8F+c/3j0w2AcnHMA4GA1Ud
+DwEB/wQEAwID+DAJBgNVHRMEAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEF
+BQcDATAeBgNVHREEFzAVgghyZWdpc3RyeYIJbG9jYWxob3N0MA0GCSqGSIb3DQEB
+CwUAA4IBAQAe5BReiXYEzM8ef7Wcl7DBLSh0Q5tWAl8Z4xCrOlNHjHM6GEZirJmh
+ww6W1wDth/kftZnptjxAP21SbdjzmgDRcRu2wqZSHeWP6lL53BfegE/AFaBwTlOE
+2nESoGIDl1vROMFFOnzR2ZJWmSoUDk/4oVFLZYAabUZKjfUZTjz99O7Pk4GiySrg
+c7/xKnYx8x91+jqFjpIgR/pkvrTPaPkAtgs68a5YxGT8yHH0wA1Ve+3zmqkQbg9g
+fDimZ4fgaorS0JzuqiZbIyzxu7Q6G506Lu34l5NA2qZQzdTm8g98ksli7DMazc8n
+8o68bZD9szMrvGiVCx/ujtiu2GG1y187
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: CN=Test CA (Do Not Trust),OU=nifi
+subject=/OU=nifi/CN=Test CA (Do Not Trust)
+issuer=/OU=nifi/CN=Test CA (Do Not Trust)
+-----BEGIN CERTIFICATE-----
+MIIDYzCCAkugAwIBAgIKAWfClyDGAAAAADANBgkqhkiG9w0BAQsFADAwMQ0wCwYD
+VQQLDARuaWZpMR8wHQYDVQQDDBZUZXN0IENBIChEbyBOb3QgVHJ1c3QpMB4XDTE4
+MTIxODE4MzIyM1oXDTQ2MDUwNDE4MzIyM1owMDENMAsGA1UECwwEbmlmaTEfMB0G
+A1UEAwwWVGVzdCBDQSAoRG8gTm90IFRydXN0KTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAIv7lVgGRHGaYmKkeTJpFzAp6QA7Anik/u1a+1ngGFWf9e6l
+RkSX6US+nPbDRLJpSkO0c+/v8BwAKBiHUFaGF9XV7YvX92x/Gb3/FidSu+HAW/w/
+keIZ8PHvXbMtTvEur+nY1hSDvssdw1nAYAB9DG26HdRSg5c1DYgHLk9WCDWuIspU
+n31YCb0lStWWbHM53i8xLfeV3IdOw9P3+d8bopzUUjk2quSxxekvzLCC1e14csJG
+GIKLplRUq+zWRgkGYF8Fkx+kYGL62sehAdVcblxjwnXnmlPHvlxeaclsAVn4LCQj
+gQzstzAv+s7sNSCxHba4vAusszWxOFiM1Vk8VvcCAwEAAaN/MH0wDgYDVR0PAQH/
+BAQDAgH+MAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFNukt0jKduJKyg8F+c/3j0w2
+AcnHMB8GA1UdIwQYMBaAFNukt0jKduJKyg8F+c/3j0w2AcnHMB0GA1UdJQQWMBQG
+CCsGAQUFBwMCBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAMvNsYLooq3zh
+ts0fPU8dNcfe/NXFK6Uwg0RQPtq/l1ChGnZgXicx+RHMR5Q08pR62e+3gztk+LRE
+iR9PpXqKFLM8slhR1z4sZ+Ja38ZHcOjsDPJeMKjUTrK8MNQN3YPKzoPE0AnLmsZI
+Kf1eUIXXA3uXiXkIIVuxPPK96Q5Rla0xnbOpgejzGJ0BIMFP3odLlSahtT2Gl6wC
+bdyImBkFntRJMoUx1fwUSKvIN5GUpaG6+E3mwgjckTUGZ15WrAllWqzhI06T73Yv
+qR4FsQizqrqLimrIgvCBH6SWbOcsjCH/I58KqMRtG+kmfa/iwMfy0MMzuzx1Kwbr
+qOi08D8F0w==
+-----END CERTIFICATE-----
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/registry-ks.jks b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/registry-ks.jks
new file mode 100644
index 0000000..0bc06d7
--- /dev/null
+++ b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/registry-ks.jks
Binary files differ
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/registry-ks.p12 b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/registry-ks.p12
new file mode 100644
index 0000000..0f10f89
--- /dev/null
+++ b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/registry-ks.p12
Binary files differ
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/user1-cert.pem b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/user1-cert.pem
new file mode 100644
index 0000000..dfecaec
--- /dev/null
+++ b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/user1-cert.pem
@@ -0,0 +1,50 @@
+Bag Attributes
+ friendlyName: user1-key
+ localKeyID: 54 69 6D 65 20 31 35 34 35 31 35 37 39 34 38 38 33 36
+subject=/OU=nifi/CN=user1
+issuer=/OU=nifi/CN=Test CA (Do Not Trust)
+-----BEGIN CERTIFICATE-----
+MIIDTzCCAjegAwIBAgIKAWfClyTXAAAAADANBgkqhkiG9w0BAQsFADAwMQ0wCwYD
+VQQLDARuaWZpMR8wHQYDVQQDDBZUZXN0IENBIChEbyBOb3QgVHJ1c3QpMB4XDTE4
+MTIxODE4MzIyNFoXDTQ2MDUwNDE4MzIyNFowHzENMAsGA1UECwwEbmlmaTEOMAwG
+A1UEAwwFdXNlcjEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCKSsvi
+WSrOIDjF+drgVnrB1QYk1dNeQp64nE7ffzlPoEOWbNQzho+JTp1D9XI9+IBUmSTW
+f4JeYDs0gTpbfwzVmsLI30u/a0wUgERM3+8fl9XwrSJ4blkG4A8az4i3CFjObOYA
+6znDclHLGcmWthwjxQ50n/BjTUGHJFpK/1/uLLgfeJreP73RdTm8fPMRj9H1JhpV
+/UsP4w0EJX3sr2acKW34w+edkQgbGxxg2+dAokb/ODrO6/wntbYaFJguCEe5jQL+
+bfSVMiix99RjTeflFaKU0fQI0GYbcf6wmz9JUEvX9JXiclVyu9daV6jUgKJcg6SJ
+Aqjx5boVrUFH1J4zAgMBAAGjfDB6MB0GA1UdDgQWBBRjObpZQdsXe5pq7k501MOU
+5ChXezAfBgNVHSMEGDAWgBTbpLdIynbiSsoPBfnP949MNgHJxzAOBgNVHQ8BAf8E
+BAMCA/gwCQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEw
+DQYJKoZIhvcNAQELBQADggEBADPa3w6bgNuY8oTRxzinXRCJKFFiVDM0SI3K0qEo
+4Evg5np1xgIou6p4k9QHAmbb0wnVdOJQ+74PXpm1Z7kSmZAXz/wXFFKQSmVILWTH
+EO23ThBPDOzvks1DXo76KjW1rTMsXHV0rTBzq/OJShfA5zGfXuKuI+60EozsO0Xh
+bSeBUjmW0wU7b/dYw2WrmeBFPvz9VhpQG8ZL3cfMvjqIYtn8qRu+gw5pMdKJOpQV
+4YcyAhusREGMWc4Lmq+kXGk4UlOy9imUNuKkT10e9IS7STZHVqoKXPs5Y2jJODrr
+S8fvbRJUvu/WLRRi0AXsC7MD5U1p+emBeLF3g95MneCbjEg=
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: CN=Test CA (Do Not Trust),OU=nifi
+subject=/OU=nifi/CN=Test CA (Do Not Trust)
+issuer=/OU=nifi/CN=Test CA (Do Not Trust)
+-----BEGIN CERTIFICATE-----
+MIIDYzCCAkugAwIBAgIKAWfClyDGAAAAADANBgkqhkiG9w0BAQsFADAwMQ0wCwYD
+VQQLDARuaWZpMR8wHQYDVQQDDBZUZXN0IENBIChEbyBOb3QgVHJ1c3QpMB4XDTE4
+MTIxODE4MzIyM1oXDTQ2MDUwNDE4MzIyM1owMDENMAsGA1UECwwEbmlmaTEfMB0G
+A1UEAwwWVGVzdCBDQSAoRG8gTm90IFRydXN0KTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAIv7lVgGRHGaYmKkeTJpFzAp6QA7Anik/u1a+1ngGFWf9e6l
+RkSX6US+nPbDRLJpSkO0c+/v8BwAKBiHUFaGF9XV7YvX92x/Gb3/FidSu+HAW/w/
+keIZ8PHvXbMtTvEur+nY1hSDvssdw1nAYAB9DG26HdRSg5c1DYgHLk9WCDWuIspU
+n31YCb0lStWWbHM53i8xLfeV3IdOw9P3+d8bopzUUjk2quSxxekvzLCC1e14csJG
+GIKLplRUq+zWRgkGYF8Fkx+kYGL62sehAdVcblxjwnXnmlPHvlxeaclsAVn4LCQj
+gQzstzAv+s7sNSCxHba4vAusszWxOFiM1Vk8VvcCAwEAAaN/MH0wDgYDVR0PAQH/
+BAQDAgH+MAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFNukt0jKduJKyg8F+c/3j0w2
+AcnHMB8GA1UdIwQYMBaAFNukt0jKduJKyg8F+c/3j0w2AcnHMB0GA1UdJQQWMBQG
+CCsGAQUFBwMCBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAMvNsYLooq3zh
+ts0fPU8dNcfe/NXFK6Uwg0RQPtq/l1ChGnZgXicx+RHMR5Q08pR62e+3gztk+LRE
+iR9PpXqKFLM8slhR1z4sZ+Ja38ZHcOjsDPJeMKjUTrK8MNQN3YPKzoPE0AnLmsZI
+Kf1eUIXXA3uXiXkIIVuxPPK96Q5Rla0xnbOpgejzGJ0BIMFP3odLlSahtT2Gl6wC
+bdyImBkFntRJMoUx1fwUSKvIN5GUpaG6+E3mwgjckTUGZ15WrAllWqzhI06T73Yv
+qR4FsQizqrqLimrIgvCBH6SWbOcsjCH/I58KqMRtG+kmfa/iwMfy0MMzuzx1Kwbr
+qOi08D8F0w==
+-----END CERTIFICATE-----
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/user1-key.pem b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/user1-key.pem
new file mode 100644
index 0000000..f288cda
--- /dev/null
+++ b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/user1-key.pem
@@ -0,0 +1,84 @@
+Bag Attributes
+ friendlyName: user1-key
+ localKeyID: 54 69 6D 65 20 31 35 34 35 31 35 37 39 34 38 38 33 36
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIb383JvWdLvECAggA
+MBQGCCqGSIb3DQMHBAhzr4pzpi7sRASCBMhm5cb7aAuvV28Oaj9pGKPtekdWNEwr
+zKVzoy9xu0QTef/m0JxCuRW0qnfyGKzYHFjjgfxvA3deAnQYpnxDmWPJwHbw/mzx
+RM/YRTiFa45w5HulOc9t+C5N4pess7QVNYgaWp3EcbjtuwrPry0HvJFqM7JyNoK+
+g3pyZ6pZq1CZFSua4oNEu30frbiTYXKeMMa/YTNmN2jLtS3VkY1BSXYm/jtIktFw
+YCAsGz/9u4jIWt2SqWR1ieV4d3PGrvFm6yvBq1dZx/jIpHfZU0ozMEUqwZx4Hevs
+VoPmwHMI/0SDWtXgso6zGgKKkXu0BdUhR+m4C1xg8iBAFWQxrNASQb+q6RcCymFs
+j0nDe9PdS6w764KgkcRPv5xo2kEqULy1D/gXxAbSWq9luvG1ljJ/6gvdg8StFIx0
+ugAgywm9/++TAiM/OU4fxkFF0D0QhHbuwBVynbUHdOFSclrEZ4vzyW+1VUf+Z8KT
+u4YicaSAXY6reEYp2Qcux93OKEqQ62uM7cMI3QItKqbSX+WokPev1iKgjqMaqAUU
+jtypACu+LwANQmTkWUaLGdAHanKhuXiYmt1wMLbQ0U2kOEZ83si8sBerKI1qUOh7
+0ZFqOrIhRxZH0OErPBLyBER41OMHtlTdKEFHDJAZ5emwIFNV23dHM9I401PfFeHb
+F1xLl30GThKC/xyUWmkbTUKQ/4GJZPAhLKvOQCbWiMmTpBeCdyADIQO4V4RrGuzT
+UwAdhfMkMPbyi25iLtVxhm7PUN9ywhbj/KzPMkc/1/M8yUw3gzo7GGBPEiOxNdc/
+sqeG69tn/P2qocvuH646zSO7IgcOcadrGpzZhana0nt1SEOqAFg379NXNXZPmhzW
+BOFj5W2PlWe9cfBrQxbFkF0F+RIrTnwYUyJCpqTgJkIPtvmwDPODFAwvPvMPal1a
+AjsqucMEvDY5lHMYyPA3/heneO9oCavrJEt1wKS0MCdNVN4a8hEQsmCz71MaYEiI
+G1/t1jVIFc7N8zGApfuzPHnaquRnkdlMaEArJDkXLi0m4OC2rVXoJrlqtJAzkT/8
+qzG030F21G/STOpjYjKjqU+woEmT+ZmLGNCme5oBAo3OQbIe2Jf5uU5jdlh+3PnO
+QBES7sMPH9TlMauGKd6s6+MHB43YOQj4PpkLYWdnK8GTiPqSrx4/gZipyL8ZvY7V
+2wPJqE3nxQleWoy8Y6NVuph0LM8dhcmdGPo8sw0wm0Q2f+fG/L7j5BVuhYB66YNR
+pxNrNKu4KWfmye5XuZLK6DJvPZUu5C8zNQedt8853zacsjypzfJzQRmEav3p1oL8
+2zReH8MyXK6VSBEPS+3u/K/I6oqUXyhzIsf/K4uXkIj4WcQeionPtk7ibcA5nAo0
+aEQFNze889Ns8wOPicswnTk4SffS6adM+1eJ+BmMVWAAs+LfW84hJkvlP5ik4UWZ
+Fr0YLDkXLB71NmzhA7jVP+wnZtRjurcyLabT3p4u4t+eBnwLUCU9Mk5M1Y1hnR2K
+viioDqvla2W1WfC9uPsdq5+5ufUYRa79fZjne+YY8Yyh/Vyf7cXKiNo//1t3U++x
+TE1xsQvr4y40MZowemEZav215/R1m7ZbPWYOn2dz6Qv6qAWyiAcCuo9hqwpSsVwg
+4TM=
+-----END ENCRYPTED PRIVATE KEY-----
+Bag Attributes
+ friendlyName: user1-key
+ localKeyID: 54 69 6D 65 20 31 35 34 35 31 35 37 39 34 38 38 33 36
+subject=/OU=nifi/CN=user1
+issuer=/OU=nifi/CN=Test CA (Do Not Trust)
+-----BEGIN CERTIFICATE-----
+MIIDTzCCAjegAwIBAgIKAWfClyTXAAAAADANBgkqhkiG9w0BAQsFADAwMQ0wCwYD
+VQQLDARuaWZpMR8wHQYDVQQDDBZUZXN0IENBIChEbyBOb3QgVHJ1c3QpMB4XDTE4
+MTIxODE4MzIyNFoXDTQ2MDUwNDE4MzIyNFowHzENMAsGA1UECwwEbmlmaTEOMAwG
+A1UEAwwFdXNlcjEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCKSsvi
+WSrOIDjF+drgVnrB1QYk1dNeQp64nE7ffzlPoEOWbNQzho+JTp1D9XI9+IBUmSTW
+f4JeYDs0gTpbfwzVmsLI30u/a0wUgERM3+8fl9XwrSJ4blkG4A8az4i3CFjObOYA
+6znDclHLGcmWthwjxQ50n/BjTUGHJFpK/1/uLLgfeJreP73RdTm8fPMRj9H1JhpV
+/UsP4w0EJX3sr2acKW34w+edkQgbGxxg2+dAokb/ODrO6/wntbYaFJguCEe5jQL+
+bfSVMiix99RjTeflFaKU0fQI0GYbcf6wmz9JUEvX9JXiclVyu9daV6jUgKJcg6SJ
+Aqjx5boVrUFH1J4zAgMBAAGjfDB6MB0GA1UdDgQWBBRjObpZQdsXe5pq7k501MOU
+5ChXezAfBgNVHSMEGDAWgBTbpLdIynbiSsoPBfnP949MNgHJxzAOBgNVHQ8BAf8E
+BAMCA/gwCQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEw
+DQYJKoZIhvcNAQELBQADggEBADPa3w6bgNuY8oTRxzinXRCJKFFiVDM0SI3K0qEo
+4Evg5np1xgIou6p4k9QHAmbb0wnVdOJQ+74PXpm1Z7kSmZAXz/wXFFKQSmVILWTH
+EO23ThBPDOzvks1DXo76KjW1rTMsXHV0rTBzq/OJShfA5zGfXuKuI+60EozsO0Xh
+bSeBUjmW0wU7b/dYw2WrmeBFPvz9VhpQG8ZL3cfMvjqIYtn8qRu+gw5pMdKJOpQV
+4YcyAhusREGMWc4Lmq+kXGk4UlOy9imUNuKkT10e9IS7STZHVqoKXPs5Y2jJODrr
+S8fvbRJUvu/WLRRi0AXsC7MD5U1p+emBeLF3g95MneCbjEg=
+-----END CERTIFICATE-----
+Bag Attributes
+ friendlyName: CN=Test CA (Do Not Trust),OU=nifi
+subject=/OU=nifi/CN=Test CA (Do Not Trust)
+issuer=/OU=nifi/CN=Test CA (Do Not Trust)
+-----BEGIN CERTIFICATE-----
+MIIDYzCCAkugAwIBAgIKAWfClyDGAAAAADANBgkqhkiG9w0BAQsFADAwMQ0wCwYD
+VQQLDARuaWZpMR8wHQYDVQQDDBZUZXN0IENBIChEbyBOb3QgVHJ1c3QpMB4XDTE4
+MTIxODE4MzIyM1oXDTQ2MDUwNDE4MzIyM1owMDENMAsGA1UECwwEbmlmaTEfMB0G
+A1UEAwwWVGVzdCBDQSAoRG8gTm90IFRydXN0KTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAIv7lVgGRHGaYmKkeTJpFzAp6QA7Anik/u1a+1ngGFWf9e6l
+RkSX6US+nPbDRLJpSkO0c+/v8BwAKBiHUFaGF9XV7YvX92x/Gb3/FidSu+HAW/w/
+keIZ8PHvXbMtTvEur+nY1hSDvssdw1nAYAB9DG26HdRSg5c1DYgHLk9WCDWuIspU
+n31YCb0lStWWbHM53i8xLfeV3IdOw9P3+d8bopzUUjk2quSxxekvzLCC1e14csJG
+GIKLplRUq+zWRgkGYF8Fkx+kYGL62sehAdVcblxjwnXnmlPHvlxeaclsAVn4LCQj
+gQzstzAv+s7sNSCxHba4vAusszWxOFiM1Vk8VvcCAwEAAaN/MH0wDgYDVR0PAQH/
+BAQDAgH+MAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFNukt0jKduJKyg8F+c/3j0w2
+AcnHMB8GA1UdIwQYMBaAFNukt0jKduJKyg8F+c/3j0w2AcnHMB0GA1UdJQQWMBQG
+CCsGAQUFBwMCBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAMvNsYLooq3zh
+ts0fPU8dNcfe/NXFK6Uwg0RQPtq/l1ChGnZgXicx+RHMR5Q08pR62e+3gztk+LRE
+iR9PpXqKFLM8slhR1z4sZ+Ja38ZHcOjsDPJeMKjUTrK8MNQN3YPKzoPE0AnLmsZI
+Kf1eUIXXA3uXiXkIIVuxPPK96Q5Rla0xnbOpgejzGJ0BIMFP3odLlSahtT2Gl6wC
+bdyImBkFntRJMoUx1fwUSKvIN5GUpaG6+E3mwgjckTUGZ15WrAllWqzhI06T73Yv
+qR4FsQizqrqLimrIgvCBH6SWbOcsjCH/I58KqMRtG+kmfa/iwMfy0MMzuzx1Kwbr
+qOi08D8F0w==
+-----END CERTIFICATE-----
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/user1-ks.jks b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/user1-ks.jks
new file mode 100644
index 0000000..94ddf05
--- /dev/null
+++ b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/user1-ks.jks
Binary files differ
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/user1-ks.p12 b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/user1-ks.p12
new file mode 100644
index 0000000..47e2773
--- /dev/null
+++ b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/user1-ks.p12
Binary files differ
