Sterling Duchess

Reputation: 2080

Generating self-signed certificates for NiFi over HTTPS

I have been following these two resources for generating my certificates:
https://nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html#tls_operation_modes
https://community.cloudera.com/t5/Community-Articles/Setting-Up-a-Secure-NiFi-to-Integrate-with-a-Secure-NiFi/ta-p/247765

Both look pretty straightforward. To note, I'm running NiFi 1.10.0 on a remote server (no domain), Debian 9 (fresh instance) with Java 8. I have no domain name associated with the server, just a public IP address.

On the server I tried generating my certificates with the following commands:

bin/tls-toolkit.sh standalone -n 'localhost' -C 'CN=sys_admin,OU=NIFI'
bin/tls-toolkit.sh standalone -n '0.0.0.0' -C 'CN=sys_admin,OU=NIFI'
bin/tls-toolkit.sh standalone -n 'my.server.ip.address' -C 'CN=sys_admin,OU=NIFI'
bin/tls-toolkit.sh standalone -n 'my.server.ip.address:9443' -C 'CN=sys_admin,OU=NIFI'

I updated my authorizers file accordingly. However, I always get a NET::ERR_CERT_REVOKED error.

Running:

sudo openssl s_client -connect 0.0.0.0:9443 -showcerts -state -debug

I get the error:

Verification error: self signed certificate in certificate chain

Upvotes: 4

Views: 5527
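The two errors in the question ("self signed certificate in certificate chain" from openssl, the browser refusing the page) are what a client reports when the server's chain ends in a self-signed CA that the client has never been told to trust; they do not by themselves mean the server certificate is wrong. The script below is an added example, not code from the question, the linked guides or either answer. It uses plain openssl (the same tool as Varun Jain's answer below) to build a tiny private CA, issue a server certificate whose subjectAltName carries an IP address (the "no domain name" case), and then verify that certificate once without and once with the CA as trust anchor. The CA name, the OU, the documentation-range address 203.0.113.10 and all file names are constructed for this demo.

```shell
#!/bin/sh
# Added example, not code from the question, the toolkit guide or the answers.
# Builds a tiny private CA with plain openssl, issues a server certificate
# whose subjectAltName carries an IP address (the "no domain name" case),
# and shows what a client sees with and without the CA in its trust store.
# Everything here is constructed for the demo: the CA name, the OU, the
# documentation-range address 203.0.113.10 and all file names.

# make_demo_pki DIR [IP]
# Writes ca.key, ca.pem, server.key, server.pem and truststore.p12 into DIR.
make_demo_pki() {
    dir=$1
    ip=${2:-203.0.113.10}

    # 1. Self-signed CA. This single certificate is what every client must
    #    import; it plays the role of the toolkit's nifi-cert.pem.
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Demo NiFi CA
OU = NIFI
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null

    # 2. Server key + CSR. The CN alone is ignored by modern clients; the
    #    subjectAltName added at signing time is what they match against.
    cat > "$dir/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $ip
OU = NIFI
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/server.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null

    # 3. Leaf extensions: IP SAN for the public address, DNS SAN for local tests.
    cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = IP:$ip,DNS:localhost
EOF
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.pem" 2>/dev/null

    # 4. Trust store holding only the CA certificate (no private key), the
    #    artefact to distribute to browsers and JVMs that must trust the server.
    openssl pkcs12 -export -nokeys -in "$dir/ca.pem" \
        -out "$dir/truststore.p12" -passout pass:changeit 2>/dev/null
}

# san_has_ip DIR IP : succeeds if the issued leaf lists IP in subjectAltName.
san_has_ip() {
    openssl x509 -in "$1/server.pem" -noout -text | grep -q "IP Address:$2"
}

# verify_with_ca DIR : what a client that trusts ca.pem sees (exit 0 = OK).
verify_with_ca() {
    openssl verify -CAfile "$1/ca.pem" "$1/server.pem" >/dev/null 2>&1
}

# verify_without_ca DIR : the question's situation. The server sends its
# chain (leaf + self-signed CA) but the client has no trust anchor for it,
# so the chain ends in an untrusted self-signed certificate. Prints the
# verify output and always returns 0 so the text can be inspected.
verify_without_ca() {
    openssl verify -untrusted "$1/ca.pem" "$1/server.pem" 2>&1 || true
}

# Stand-alone run: build the PKI in a scratch directory and show both outcomes.
WORK=$(mktemp -d)
make_demo_pki "$WORK"
if san_has_ip "$WORK" 203.0.113.10; then echo "leaf SAN carries IP 203.0.113.10"; fi
echo "--- client without the CA:"
verify_without_ca "$WORK"
echo "--- client with the CA:"
openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem"
```

The first verify run reproduces the question's message; the second succeeds only because `-CAfile` supplies the CA certificate, which is exactly what a browser or JVM needs imported (here packaged as truststore.p12) before it will accept the server. Note that the IP address goes into the subjectAltName extension, not just the CN, since that is the field clients match the connection target against.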

Answers (2)

Varun Jain

Reputation: 1421

I assume you already know what OpenSSL is. So try the commands below to do it.

  1. openssl req -x509 -newkey rsa:4096 -keyout key1.pem -out cert1.pem -days 3650 -subj "/C=US/ST=NAME_OF_STATE/L=NAME_OF_CITY/O=NAME_OF_ORGANIZATION/OU=NAME_OF_ORGANIZATION_UNIT/CN=*.nifi.apache.org/[email protected]"

  2. openssl x509 -outform der -in cert1.pem -out cert1.crt



Explanation of Command One: You will get 2 output files. One is key1.pem and the second is cert1.pem, which is generated using the -out option. If you look closely at the -subj option you will find a number of options quoted:

  • /C to specify the Country Name (2 letter code). For example, IN and US. This is mandatory.
  • /ST to specify the State or Province Name (full name). For example, Ohio and Uttar Pradesh. This is mandatory.
  • /L to specify the Locality Name (eg, city). For example, Cleveland and Noida. This is mandatory.
  • /O to specify the Organization Name (eg, company). For example, Google & Yahoo. This is mandatory.
  • /OU to specify the Organizational Unit Name (eg, section). For example, Engineering. This is mandatory.
  • /CN to specify the Common Name (e.g. server FQDN or YOUR name). For example, localhost and 127.0.0.1. This is mandatory.
  • /emailAddress to specify the Email Address. For example, [email protected]. This is not mandatory.


Explanation of Command Two: cert1.pem needs to be converted into a .crt file to import it into the trust store with the help of the command in the mail chain.

Upvotes: 0

Rick Pearson

Reputation: 33

I wasn't aware that a cert could bind to just an IP address.

However, it sounds like it's not the best idea.

Here is a related question, "How to Generate a Self Signed SSL Certificate Bound to IP Address", that backed away from binding a cert to an IP address.

I know it does not really answer your question, but it sounds like you would be much better off getting a domain name and binding your self-signed cert to that. Alternatively you can get a real domain. I use Namecheap. It's really not very expensive, especially if you pick one of the off-the-beaten-path TLDs. Also, I would recommend using Let's Encrypt with Certbot to generate a real public cert. It's free and you will not have to worry about adding your fake CA or intermediate cert to every machine you want to trust your site. Certbot pretty much makes generating public certs about as easy as it can get.

Upvotes: 1
