NOTICE: This directory contains keys and certificates for development and testing purposes only.
Never use these keystores and truststores in a real-world scenario where actual security is needed.
The CA and private keys (including their protection passwords) have been published on the Internet, so they should never be trusted.
Hostname / DN | File | Description | Format | Password |
---|---|---|---|---|
- | ca-cert.pem | CA public cert | PEM (unencrypted) | N/A |
- | ca-key.pem | CA private (signing) key | PEM | password |
- | ca-ts.jks | CA cert truststore (shared by clients and servers) | JKS | password |
- | ca-ts.p12 | CA cert truststore (shared by clients and servers) | PKCS12 | password |
registry, localhost | registry-cert.pem | NiFi Registry server public cert | PEM (unencrypted) | N/A |
registry, localhost | registry-key.pem | NiFi Registry server private key | PEM | password |
registry, localhost | registry-ks.jks | NiFi Registry server key/cert keystore | JKS | password |
registry, localhost | registry-ks.p12 | NiFi Registry server key/cert keystore | PKCS12 | password |
CN=user1, OU=nifi | user1-cert.pem | client (user=“user1”) public cert | PEM (unencrypted) | N/A |
CN=user1, OU=nifi | user1-key.pem | client (user=“user1”) private key | PEM | password |
CN=user1, OU=nifi | user1-ks.jks | client (user=“user1”) key/cert keystore | JKS | password |
CN=user1, OU=nifi | user1-ks.p12 | client (user=“user1”) key/cert keystore | PKCS12 | password |
If we need to add a service or user to our test environment that requires a cert signed by the same CA, here are the steps for generating additional keys for this directory that are signed by the same CA key.
Requirements:
If you do not have docker, you can substitute the nifi-toolkit binary, which is available for download from https://nifi.apache.org and should run on any platform with Java 1.8.
The steps for generating a new service key/cert pair are (using proxy
as the example service):
# make working directory WD="/tmp/test-keys-$(date +"%Y%m%d-%H%M%S")" mkdir "$WD" cd "$WD" # copy existing CA key/cert pair to working directory, rename to default tls-toolkit names cp /path/to/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/ca-key.pem ./nifi-key.key cp /path/to/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/ca-cert.pem ./nifi-cert.pem # use NiFi Toolkit Docker image to generate new keys/certs docker run -v "$WD":/tmp -w /tmp apache/nifi-toolkit:latest tls-toolkit standalone \ --hostnames proxy \ --subjectAlternativeNames localhost \ --nifiDnSuffix ", OU=nifi" \ --keyStorePassword password \ --trustStorePassword password \ --days 9999 \ -O # switch to output directory, create final output directory cd "$WD" mkdir keys # copy new service key/cert to final output dir in all formats keytool -importkeystore \ -srckeystore proxy/keystore.jks -srcstoretype jks -srcstorepass password -srcalias nifi-key \ -destkeystore keys/proxy-ks.jks -deststoretype jks -deststorepass password -destalias proxy-key keytool -importkeystore \ -srckeystore keys/proxy-ks.jks -srcstoretype jks -srcstorepass password \ -destkeystore keys/proxy-ks.p12 -deststoretype pkcs12 -deststorepass password openssl pkcs12 -in keys/proxy-ks.p12 -passin pass:password -out keys/proxy-key.pem -passout pass:password openssl pkcs12 -in keys/proxy-ks.p12 -passin pass:password -out keys/proxy-cert.pem -nokeys echo echo "New keys written to ${WD}/keys" echo "Copy to NiFi Registry test keys dir by running: " echo " cp \"$WD/keys/*\" /path/to/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/"
You can verify the contents of the new keystore (and that the signature is done by the correct CA) using the following command:
keytool -list -v -keystore "$WD/keys/proxy-ks.jks" -storepass password
If you are satisfied with the results, you can copy the files from /tmp/test-keys-YYYYMMDD-HHMMSS/keys
to this directory:
cp "$WD/keys/*" /path/to/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/
The steps for generating a new user key/cert pair are (using user2
as the example user):
# make working directory WD="/tmp/test-keys-$(date +"%Y%m%d-%H%M%S")" mkdir "$WD" cd "$WD" # copy existing CA key/cert pair to working directory, rename to default tls-toolkit names cp /path/to/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/ca-key.pem ./nifi-key.key cp /path/to/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/ca-cert.pem ./nifi-cert.pem # use NiFi Toolkit Docker image to generate new keys/certs docker run -v "$WD":/tmp -w /tmp apache/nifi-toolkit:latest tls-toolkit standalone \ --clientCertDn "CN=user2, OU=nifi" \ --clientCertPassword password \ --days 9999 \ -O # switch to output directory, create final output directory cd "$WD" mkdir keys # transform tls-toolkit output to final output keytool -importkeystore \ -srckeystore CN=user2_OU=nifi.p12 -srcstoretype PKCS12 -srcstorepass password -srcalias nifi-key \ -destkeystore keys/user2-ks.jks -deststoretype JKS -deststorepass password -destalias user2-key keytool -importkeystore \ -srckeystore keys/user2-ks.jks -srcstoretype jks -srcstorepass password \ -destkeystore keys/user2-ks.p12 -deststoretype pkcs12 -deststorepass password openssl pkcs12 -in keys/user2-ks.p12 -passin pass:password -out keys/user2-key.pem -passout pass:password openssl pkcs12 -in keys/user2-ks.p12 -passin pass:password -out keys/user2-cert.pem -nokeys echo echo "New keys written to ${WD}/keys" echo "Copy to NiFi Registry test keys dir by running: " echo " cp \"$WD/keys/*\" /path/to/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/"
You can verify the contents of the new keystore (and that the signature is done by the correct CA) using the following command:
keytool -list -v -keystore "$WD/keys/user2-ks.jks" -storepass password
If you are satisfied with the results, you can copy the files from /tmp/test-keys-YYYYMMDD-HHMMSS/keys
to this directory:
cp "$WD/keys/*" /path/to/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/
In case you need to regenerate this entire directory, here are the steps that were used to first create it. Follow these steps in order to recreate it.
Requirements:
If you do not have docker, you can substitute the nifi-toolkit binary, which is available for download from https://nifi.apache.org and should run on any platform with Java 1.8.
The steps for regenerating these test keys are:
# make working directory WD="/tmp/test-keys-$(date +"%Y%m%d-%H%M%S")" mkdir "$WD" cd "$WD" # use NiFi Toolkit Docker image to generate new keys/certs docker run -v "$WD":/tmp -w /tmp apache/nifi-toolkit:latest tls-toolkit standalone \ --certificateAuthorityHostname "Test CA (Do Not Trust)" \ --hostnames registry \ --subjectAlternativeNames localhost \ --nifiDnSuffix ", OU=nifi" \ --keyStorePassword password \ --trustStorePassword password \ --clientCertDn "CN=user1, OU=nifi" \ --clientCertPassword password \ --days 9999 \ -O # switch to output directory, create final output directory cd "$WD" mkdir keys # copy CA key/cert to final output dir in all formats cp nifi-key.key keys/ca-key.pem cp nifi-cert.pem keys/ca-cert.pem keytool -importkeystore \ -srckeystore registry/truststore.jks -srcstoretype jks -srcstorepass password -srcalias nifi-cert \ -destkeystore keys/ca-ts.jks -deststoretype jks -deststorepass password -destalias ca-cert keytool -importkeystore \ -srckeystore keys/ca-ts.jks -srcstoretype jks -srcstorepass password \ -destkeystore keys/ca-ts.p12 -deststoretype pkcs12 -deststorepass password # copy registry service key/cert to final output dir in all formats keytool -importkeystore \ -srckeystore registry/keystore.jks -srcstoretype jks -srcstorepass password -srcalias nifi-key \ -destkeystore keys/registry-ks.jks -deststoretype jks -deststorepass password -destalias registry-key keytool -importkeystore \ -srckeystore keys/registry-ks.jks -srcstoretype jks -srcstorepass password \ -destkeystore keys/registry-ks.p12 -deststoretype pkcs12 -deststorepass password openssl pkcs12 -in keys/registry-ks.p12 -passin pass:password -out keys/registry-key.pem -passout pass:password openssl pkcs12 -in keys/registry-ks.p12 -passin pass:password -out keys/registry-cert.pem -nokeys # copy user1 client key/cert to final output dir in all formats keytool -importkeystore \ -srckeystore CN=user1_OU=nifi.p12 -srcstoretype PKCS12 -srcstorepass password -srcalias nifi-key \ -destkeystore keys/user1-ks.jks -deststoretype JKS -deststorepass password -destkeypass password -destalias user1-key keytool -importkeystore \ -srckeystore keys/user1-ks.jks -srcstoretype jks -srcstorepass password \ -destkeystore keys/user1-ks.p12 -deststoretype pkcs12 -deststorepass password openssl pkcs12 -in keys/user1-ks.p12 -passin pass:password -out keys/user1-key.pem -passout pass:password openssl pkcs12 -in keys/user1-ks.p12 -passin pass:password -out keys/user1-cert.pem -nokeys echo echo "New keys written to ${WD}/keys" echo "Copy to NiFi Registry test keys dir by running: " echo " cp -f \"$WD/keys/*\" /path/to/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/"
You should now have a /tmp/test-keys-YYYYMMDD-HHMMSS/keys
directory with all the necessary keys for testing with various tools.
You can verify the contents of a keystore using the following command:
keytool -list -v -keystore "$WD/keys/registry-ks.jks" -storepass password
If you are satisfied with the results, you can copy the files from /tmp/test-keys-YYYYMMDD-HHMMSS/keys
to this directory:
cp -f "$WD/keys/*" /path/to/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/