[GitHub] alopresto closed pull request #153: NIFIREG-220 New test certs

[GitBox <gi...@apache.org>]

alopresto closed pull request #153: NIFIREG-220 New test certs
URL: https://github.com/apache/nifi-registry/pull/153
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/application-ITSecureFile.properties b/nifi-registry-core/nifi-registry-web-api/src/test/resources/application-ITSecureFile.properties
index 3ea53987..cea51c6e 100644
--- a/nifi-registry-core/nifi-registry-web-api/src/test/resources/application-ITSecureFile.properties
+++ b/nifi-registry-core/nifi-registry-web-api/src/test/resources/application-ITSecureFile.properties
@@ -28,9 +28,9 @@ nifi.registry.client.properties.file: src/test/resources/conf/secure-file/nifi-r
 
 # Embedded Server SSL Context Config
 server.ssl.client-auth: need
-server.ssl.key-store: ./target/test-classes/keys/localhost-ks.jks
-server.ssl.key-store-password: localhostKeystorePassword
-server.ssl.key-password: localhostKeystorePassword
+server.ssl.key-store: ./target/test-classes/keys/registry-ks.jks
+server.ssl.key-store-password: password
+server.ssl.key-password: password
 server.ssl.protocol: TLS
-server.ssl.trust-store: ./target/test-classes/keys/localhost-ts.jks
-server.ssl.trust-store-password: localhostTruststorePassword
+server.ssl.trust-store: ./target/test-classes/keys/ca-ts.jks
+server.ssl.trust-store-password: password
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/application-ITSecureKerberos.properties b/nifi-registry-core/nifi-registry-web-api/src/test/resources/application-ITSecureKerberos.properties
index 6ce3665c..fb1c9282 100644
--- a/nifi-registry-core/nifi-registry-web-api/src/test/resources/application-ITSecureKerberos.properties
+++ b/nifi-registry-core/nifi-registry-web-api/src/test/resources/application-ITSecureKerberos.properties
@@ -27,10 +27,10 @@ nifi.registry.client.properties.file: src/test/resources/conf/secure-kerberos/ni
 
 
 # Embedded Server SSL Context Config
-#server.ssl.client-auth: need  # LDAP-configured server does not require two-way TLS
-server.ssl.key-store: ./target/test-classes/keys/localhost-ks.jks
-server.ssl.key-store-password: localhostKeystorePassword
-server.ssl.key-password: localhostKeystorePassword
+#server.ssl.client-auth: need  # server does not require two-way TLS
+server.ssl.key-store: ./target/test-classes/keys/registry-ks.jks
+server.ssl.key-store-password: password
+server.ssl.key-password: password
 server.ssl.protocol: TLS
-server.ssl.trust-store: ./target/test-classes/keys/localhost-ts.jks
-server.ssl.trust-store-password: localhostTruststorePassword
+server.ssl.trust-store: ./target/test-classes/keys/ca-ts.jks
+server.ssl.trust-store-password: password
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/application-ITSecureLdap.properties b/nifi-registry-core/nifi-registry-web-api/src/test/resources/application-ITSecureLdap.properties
index ffcc43ed..25b749d9 100644
--- a/nifi-registry-core/nifi-registry-web-api/src/test/resources/application-ITSecureLdap.properties
+++ b/nifi-registry-core/nifi-registry-web-api/src/test/resources/application-ITSecureLdap.properties
@@ -28,12 +28,12 @@ nifi.registry.client.properties.file: src/test/resources/conf/secure-ldap/nifi-r
 
 # Embedded Server SSL Context Config
 #server.ssl.client-auth: need  # LDAP-configured server does not require two-way TLS
-server.ssl.key-store: ./target/test-classes/keys/localhost-ks.jks
-server.ssl.key-store-password: localhostKeystorePassword
-server.ssl.key-password: localhostKeystorePassword
+server.ssl.key-store: ./target/test-classes/keys/registry-ks.jks
+server.ssl.key-store-password: password
+server.ssl.key-password: password
 server.ssl.protocol: TLS
-server.ssl.trust-store: ./target/test-classes/keys/localhost-ts.jks
-server.ssl.trust-store-password: localhostTruststorePassword
+server.ssl.trust-store: ./target/test-classes/keys/ca-ts.jks
+server.ssl.trust-store-password: password
 
 # Embedded LDAP Config
 spring.ldap.embedded.base-dn: dc=example,dc=com
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/conf/secure-file/nifi-registry-client.properties b/nifi-registry-core/nifi-registry-web-api/src/test/resources/conf/secure-file/nifi-registry-client.properties
index 8eb6b56e..5a31413b 100644
--- a/nifi-registry-core/nifi-registry-web-api/src/test/resources/conf/secure-file/nifi-registry-client.properties
+++ b/nifi-registry-core/nifi-registry-web-api/src/test/resources/conf/secure-file/nifi-registry-client.properties
@@ -16,10 +16,10 @@
 #
 
 # client security properties #
-nifi.registry.security.keystore=./target/test-classes/keys/client-ks.jks
+nifi.registry.security.keystore=./target/test-classes/keys/user1-ks.jks
 nifi.registry.security.keystoreType=JKS
-nifi.registry.security.keystorePasswd=clientKeystorePassword
-nifi.registry.security.keyPasswd=u1Pass
-nifi.registry.security.truststore=./target/test-classes/keys/localhost-ts.jks
+nifi.registry.security.keystorePasswd=password
+nifi.registry.security.keyPasswd=password
+nifi.registry.security.truststore=./target/test-classes/keys/ca-ts.jks
 nifi.registry.security.truststoreType=JKS
-nifi.registry.security.truststorePasswd=localhostTruststorePassword
+nifi.registry.security.truststorePasswd=password
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/conf/secure-kerberos/nifi-registry-client.properties b/nifi-registry-core/nifi-registry-web-api/src/test/resources/conf/secure-kerberos/nifi-registry-client.properties
index f431ccce..59f1243b 100644
--- a/nifi-registry-core/nifi-registry-web-api/src/test/resources/conf/secure-kerberos/nifi-registry-client.properties
+++ b/nifi-registry-core/nifi-registry-web-api/src/test/resources/conf/secure-kerberos/nifi-registry-client.properties
@@ -17,6 +17,6 @@
 
 # client security properties #
 # Don't use a client cert for one-way TLS. Client identity will be provided via Kerberos SPNEGO to get JWT
-nifi.registry.security.truststore=./target/test-classes/keys/localhost-ts.jks
+nifi.registry.security.truststore=./target/test-classes/keys/ca-ts.jks
 nifi.registry.security.truststoreType=JKS
-nifi.registry.security.truststorePasswd=localhostTruststorePassword
+nifi.registry.security.truststorePasswd=password
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/conf/secure-ldap/nifi-registry-client.properties b/nifi-registry-core/nifi-registry-web-api/src/test/resources/conf/secure-ldap/nifi-registry-client.properties
index 68cb0f9f..996e6d55 100644
--- a/nifi-registry-core/nifi-registry-web-api/src/test/resources/conf/secure-ldap/nifi-registry-client.properties
+++ b/nifi-registry-core/nifi-registry-web-api/src/test/resources/conf/secure-ldap/nifi-registry-client.properties
@@ -17,6 +17,6 @@
 
 # client security properties #
 # Don't use a client cert for one-way TLS. Client identity will be provided via LDAP user/pass to get JWT
-nifi.registry.security.truststore=./target/test-classes/keys/localhost-ts.jks
+nifi.registry.security.truststore=./target/test-classes/keys/ca-ts.jks
 nifi.registry.security.truststoreType=JKS
-nifi.registry.security.truststorePasswd=localhostTruststorePassword
+nifi.registry.security.truststorePasswd=password
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/README.md b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/README.md
index c3059cfb..24460cd7 100644
--- a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/README.md
+++ b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/README.md
@@ -12,36 +12,234 @@
   See the License for the specific language governing permissions and
   limitations under the License.
 -->
-# Integration Test Keys
+# Test Keys
 
-The integration tests that run a secure NiFi require keystores and truststores for the server and client in order
-to establish a two-way TLS connection.
+The automated security tests require keys and certificates for TLS connections. 
+The keys in this directory can be used for that purpose.
 
-The keys/certs for these tests were generated with the tls-toolkit included with NiFi Toolkit v1.4.0.
+***
 
-The steps for generating replacements are:
+**NOTICE**: This directory contains keys and certificates for *development and testing* purposes only.
 
-    # use NiFi tls-toolkit to generate CA, server key/cert, client key/cert
-    ./nifi-toolkit-1.4.0/bin/tls-toolkit.sh standalone --certificateAuthorityHostname localhost --hostnames localhost --nifiDnSuffix ", OU=nifi" --keyStorePassword localhostKeystorePassword --trustStorePassword localhostTruststorePassword --clientCertDn "CN=user1, OU=nifi" --clientCertPassword u1Pass --days 3650 --outputDirectory nifireg-integrationtest
+**Never use these keystores and truststores in a real-world scenario where actual security is needed.** 
 
-    # change to tls-toolkit output directory
-    cd ./nifireg-integrationtest
+The CA and private keys (including their protection passwords) have been published on the Internet, so they should never be trusted.
 
-    # copy server's key/trust stores
-    mkdir keys
-    cp localhost/keystore.jks keys/localhost-ks.jks
-    cp localhost/truststore.jks keys/localhost-ts.jks
+***  
 
-    # create a Java Key Store (JKS) from the client key
-    keytool -importkeystore -destkeystore keys/client-ks.jks -deststorepass clientKeystorePassword -destkeypass u1Pass -srckeystore CN=user1_OU=nifi.p12 -srcstorepass u1Pass -srcstoretype PKCS12
+## Directory Contents
 
+### Certificate Authority (CA)
 
-You should now have a directory with the following contents:
+| Hostname / DN | File | Description | Format | Password |
+| --- | --- | --- | --- | --- |
+| - | ca-cert.pem | CA public cert | PEM (unencrypted) | N/A |
+| - | ca-key.pem | CA private (signing) key | PEM | password |
+| - | ca-ts.jks | CA cert truststore (shared by clients and servers) | JKS | password |
+| - | ca-ts.p12 | CA cert truststore (shared by clients and servers) | PKCS12 | password |
+| registry, localhost | registry-cert.pem | NiFi Registry server public cert | PEM (unencrypted) | N/A |
+| registry, localhost | registry-key.pem | NiFi Registry server private key | PEM | password |
+| registry, localhost | registry-ks.jks | NiFi Registry server key/cert keystore | JKS | password |
+| registry, localhost | registry-ks.p12 | NiFi Registry server key/cert keystore | PKCS12 | password |
+| CN=user1, OU=nifi | user1-cert.pem | client (user="user1") public cert | PEM (unencrypted) | N/A |
+| CN=user1, OU=nifi | user1-key.pem | client (user="user1") private key | PEM | password |
+| CN=user1, OU=nifi | user1-ks.jks | client (user="user1") key/cert keystore | JKS | password |
+| CN=user1, OU=nifi | user1-ks.p12 | client (user="user1") key/cert keystore | PKCS12 | password |
 
-    keys/
-     +-- client-ks.jks      # client keystore: keystorePass=clientKeystorePassword, keyPass=u1Pass
-     +-- localhost-ks.jks   # server keystore: keystorePass=localhostKeystorePassword, keyPass=localhostKeystorePassword
-     +-- localhost-ts.jks   # server/client truststore (contains CA): truststorePass=localhostTruststorePassword
+## Generating Additional Test Keys/Certs
 
-Copy these files to the test/resources/keys/ directory.
+If we need to add a service or user to our test environment that requires a cert signed by the same CA, here are the steps for generating additional keys for this directory that are signed by the same CA key.
 
+Requirements:
+
+- docker
+- keytool (included with Java)
+- openssl (included/available on most platforms)
+
+If you do not have docker, you can substitute the nifi-toolkit binary, which is available for download from https://nifi.apache.org and should run on any platform with Java 1.8. 
+
+### New Service Keys
+
+The steps for generating a new service key/cert pair are (using `proxy` as the example service):
+
+```
+# make working directory
+WD="/tmp/test-keys-$(date +"%Y%m%d-%H%M%S")"
+mkdir "$WD"
+cd "$WD"
+
+# copy existing CA key/cert pair to working directory, rename to default tls-toolkit names
+cp /path/to/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/ca-key.pem ./nifi-key.key
+cp /path/to/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/ca-cert.pem ./nifi-cert.pem
+
+# use NiFi Toolkit Docker image to generate new keys/certs
+docker run -v "$WD":/tmp -w /tmp apache/nifi-toolkit:latest tls-toolkit standalone \
+      --hostnames proxy \
+      --subjectAlternativeNames localhost \
+      --nifiDnSuffix ", OU=nifi" \
+      --keyStorePassword password \
+      --trustStorePassword password \
+      --days 9999 \
+      -O
+
+# switch to output directory, create final output directory
+cd "$WD"
+mkdir keys
+
+# copy new service key/cert to final output dir in all formats
+keytool -importkeystore \
+      -srckeystore proxy/keystore.jks -srcstoretype jks -srcstorepass password -srcalias nifi-key \
+      -destkeystore keys/proxy-ks.jks -deststoretype jks -deststorepass password -destalias proxy-key
+keytool -importkeystore \
+      -srckeystore keys/proxy-ks.jks -srcstoretype jks -srcstorepass password \
+      -destkeystore keys/proxy-ks.p12 -deststoretype pkcs12 -deststorepass password
+openssl pkcs12 -in keys/proxy-ks.p12 -passin pass:password -out keys/proxy-key.pem -passout pass:password
+openssl pkcs12 -in keys/proxy-ks.p12 -passin pass:password -out keys/proxy-cert.pem -nokeys
+
+echo
+echo "New keys written to ${WD}/keys"
+echo "Copy to NiFi Registry test keys dir by running: "
+echo "    cp \"$WD/keys/*\" /path/to/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/"
+```
+
+You can verify the contents of the new keystore (and that the signature is done by the correct CA) using the following command:
+
+    keytool -list -v -keystore "$WD/keys/proxy-ks.jks" -storepass password
+
+If you are satisfied with the results, you can copy the files from `/tmp/test-keys-YYYYMMDD-HHMMSS/keys` to this directory:
+ 
+    cp "$WD/keys/*" /path/to/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/
+
+### New Client or User Keys
+
+The steps for generating a new user key/cert pair are (using `user2` as the example user):
+
+```
+# make working directory
+WD="/tmp/test-keys-$(date +"%Y%m%d-%H%M%S")"
+mkdir "$WD"
+cd "$WD"
+
+# copy existing CA key/cert pair to working directory, rename to default tls-toolkit names
+cp /path/to/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/ca-key.pem ./nifi-key.key
+cp /path/to/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/ca-cert.pem ./nifi-cert.pem
+
+# use NiFi Toolkit Docker image to generate new keys/certs
+docker run -v "$WD":/tmp -w /tmp apache/nifi-toolkit:latest tls-toolkit standalone \
+      --clientCertDn "CN=user2, OU=nifi" \
+      --clientCertPassword password \
+      --days 9999 \
+      -O
+
+# switch to output directory, create final output directory
+cd "$WD"
+mkdir keys
+
+# transform tls-toolkit output to final output
+keytool -importkeystore \
+      -srckeystore CN=user2_OU=nifi.p12 -srcstoretype PKCS12 -srcstorepass password -srcalias nifi-key \
+      -destkeystore keys/user2-ks.jks -deststoretype JKS -deststorepass password -destalias user2-key
+keytool -importkeystore \
+      -srckeystore keys/user2-ks.jks -srcstoretype jks -srcstorepass password \
+      -destkeystore keys/user2-ks.p12 -deststoretype pkcs12 -deststorepass password
+openssl pkcs12 -in keys/user2-ks.p12 -passin pass:password -out keys/user2-key.pem -passout pass:password
+openssl pkcs12 -in keys/user2-ks.p12 -passin pass:password -out keys/user2-cert.pem -nokeys
+
+echo
+echo "New keys written to ${WD}/keys"
+echo "Copy to NiFi Registry test keys dir by running: "
+echo "    cp \"$WD/keys/*\" /path/to/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/"
+```
+
+You can verify the contents of the new keystore (and that the signature is done by the correct CA) using the following command:
+
+    keytool -list -v -keystore "$WD/keys/user2-ks.jks" -storepass password
+
+If you are satisfied with the results, you can copy the files from `/tmp/test-keys-YYYYMMDD-HHMMSS/keys` to this directory:
+ 
+    cp "$WD/keys/*" /path/to/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/
+
+
+## Regenerating All Test Keys/Certs
+
+In case you need to regenerate this entire directory, here are the steps that were used to first create it. 
+Follow these steps in order to recreate it.
+
+Requirements:
+
+- docker
+- keytool (included with Java)
+- openssl (included/available on most platforms)
+
+If you do not have docker, you can substitute the nifi-toolkit binary, which is available for download from https://nifi.apache.org and should run on any platform with Java 1.8. 
+
+The steps for regenerating these test keys are:
+
+```
+# make working directory
+WD="/tmp/test-keys-$(date +"%Y%m%d-%H%M%S")"
+mkdir "$WD"
+cd "$WD"
+
+# use NiFi Toolkit Docker image to generate new keys/certs
+docker run -v "$WD":/tmp -w /tmp apache/nifi-toolkit:latest tls-toolkit standalone \
+      --certificateAuthorityHostname "Test CA (Do Not Trust)" \
+      --hostnames registry \
+      --subjectAlternativeNames localhost \
+      --nifiDnSuffix ", OU=nifi" \
+      --keyStorePassword password \
+      --trustStorePassword password \
+      --clientCertDn "CN=user1, OU=nifi" \
+      --clientCertPassword password \
+      --days 9999 \
+      -O
+
+# switch to output directory, create final output directory
+cd "$WD"
+mkdir keys
+
+# copy CA key/cert to final output dir in all formats
+cp nifi-key.key keys/ca-key.pem
+cp nifi-cert.pem keys/ca-cert.pem
+keytool -importkeystore \
+      -srckeystore registry/truststore.jks -srcstoretype jks -srcstorepass password -srcalias nifi-cert \
+      -destkeystore keys/ca-ts.jks -deststoretype jks -deststorepass password -destalias ca-cert
+keytool -importkeystore \
+      -srckeystore keys/ca-ts.jks -srcstoretype jks -srcstorepass password \
+      -destkeystore keys/ca-ts.p12 -deststoretype pkcs12 -deststorepass password
+
+# copy registry service key/cert to final output dir in all formats
+keytool -importkeystore \
+      -srckeystore registry/keystore.jks -srcstoretype jks -srcstorepass password -srcalias nifi-key \
+      -destkeystore keys/registry-ks.jks -deststoretype jks -deststorepass password -destalias registry-key
+keytool -importkeystore \
+      -srckeystore keys/registry-ks.jks -srcstoretype jks -srcstorepass password \
+      -destkeystore keys/registry-ks.p12 -deststoretype pkcs12 -deststorepass password
+openssl pkcs12 -in keys/registry-ks.p12 -passin pass:password -out keys/registry-key.pem -passout pass:password
+openssl pkcs12 -in keys/registry-ks.p12 -passin pass:password -out keys/registry-cert.pem -nokeys
+
+# copy user1 client key/cert to final output dir in all formats
+keytool -importkeystore \
+      -srckeystore CN=user1_OU=nifi.p12 -srcstoretype PKCS12 -srcstorepass password -srcalias nifi-key \
+      -destkeystore keys/user1-ks.jks -deststoretype JKS -deststorepass password -destkeypass password -destalias user1-key
+keytool -importkeystore \
+      -srckeystore keys/user1-ks.jks -srcstoretype jks -srcstorepass password \
+      -destkeystore keys/user1-ks.p12 -deststoretype pkcs12 -deststorepass password
+openssl pkcs12 -in keys/user1-ks.p12 -passin pass:password -out keys/user1-key.pem -passout pass:password
+openssl pkcs12 -in keys/user1-ks.p12 -passin pass:password -out keys/user1-cert.pem -nokeys
+
+echo
+echo "New keys written to ${WD}/keys"
+echo "Copy to NiFi Registry test keys dir by running: "
+echo "    cp -f \"$WD/keys/*\" /path/to/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/"
+```
+
+You should now have a `/tmp/test-keys-YYYYMMDD-HHMMSS/keys` directory with all the necessary keys for testing with various tools.
+
+You can verify the contents of a keystore using the following command:
+
+    keytool -list -v -keystore "$WD/keys/registry-ks.jks" -storepass password
+
+If you are satisfied with the results, you can copy the files from `/tmp/test-keys-YYYYMMDD-HHMMSS/keys` to this directory:
+
+    cp -f "$WD/keys/*" /path/to/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/ca-cert.pem b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/ca-cert.pem
new file mode 100644
index 00000000..c882f4e5
--- /dev/null
+++ b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/ca-cert.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDYzCCAkugAwIBAgIKAWfClyDGAAAAADANBgkqhkiG9w0BAQsFADAwMQ0wCwYD
+VQQLDARuaWZpMR8wHQYDVQQDDBZUZXN0IENBIChEbyBOb3QgVHJ1c3QpMB4XDTE4
+MTIxODE4MzIyM1oXDTQ2MDUwNDE4MzIyM1owMDENMAsGA1UECwwEbmlmaTEfMB0G
+A1UEAwwWVGVzdCBDQSAoRG8gTm90IFRydXN0KTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAIv7lVgGRHGaYmKkeTJpFzAp6QA7Anik/u1a+1ngGFWf9e6l
+RkSX6US+nPbDRLJpSkO0c+/v8BwAKBiHUFaGF9XV7YvX92x/Gb3/FidSu+HAW/w/
+keIZ8PHvXbMtTvEur+nY1hSDvssdw1nAYAB9DG26HdRSg5c1DYgHLk9WCDWuIspU
+n31YCb0lStWWbHM53i8xLfeV3IdOw9P3+d8bopzUUjk2quSxxekvzLCC1e14csJG
+GIKLplRUq+zWRgkGYF8Fkx+kYGL62sehAdVcblxjwnXnmlPHvlxeaclsAVn4LCQj
+gQzstzAv+s7sNSCxHba4vAusszWxOFiM1Vk8VvcCAwEAAaN/MH0wDgYDVR0PAQH/
+BAQDAgH+MAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFNukt0jKduJKyg8F+c/3j0w2
+AcnHMB8GA1UdIwQYMBaAFNukt0jKduJKyg8F+c/3j0w2AcnHMB0GA1UdJQQWMBQG
+CCsGAQUFBwMCBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAMvNsYLooq3zh
+ts0fPU8dNcfe/NXFK6Uwg0RQPtq/l1ChGnZgXicx+RHMR5Q08pR62e+3gztk+LRE
+iR9PpXqKFLM8slhR1z4sZ+Ja38ZHcOjsDPJeMKjUTrK8MNQN3YPKzoPE0AnLmsZI
+Kf1eUIXXA3uXiXkIIVuxPPK96Q5Rla0xnbOpgejzGJ0BIMFP3odLlSahtT2Gl6wC
+bdyImBkFntRJMoUx1fwUSKvIN5GUpaG6+E3mwgjckTUGZ15WrAllWqzhI06T73Yv
+qR4FsQizqrqLimrIgvCBH6SWbOcsjCH/I58KqMRtG+kmfa/iwMfy0MMzuzx1Kwbr
+qOi08D8F0w==
+-----END CERTIFICATE-----
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/ca-key.pem b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/ca-key.pem
new file mode 100644
index 00000000..27d34eb1
--- /dev/null
+++ b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/ca-key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAi/uVWAZEcZpiYqR5MmkXMCnpADsCeKT+7Vr7WeAYVZ/17qVG
+RJfpRL6c9sNEsmlKQ7Rz7+/wHAAoGIdQVoYX1dXti9f3bH8Zvf8WJ1K74cBb/D+R
+4hnw8e9dsy1O8S6v6djWFIO+yx3DWcBgAH0Mbbod1FKDlzUNiAcuT1YINa4iylSf
+fVgJvSVK1ZZsczneLzEt95Xch07D0/f53xuinNRSOTaq5LHF6S/MsILV7XhywkYY
+goumVFSr7NZGCQZgXwWTH6RgYvrax6EB1VxuXGPCdeeaU8e+XF5pyWwBWfgsJCOB
+DOy3MC/6zuw1ILEdtri8C6yzNbE4WIzVWTxW9wIDAQABAoIBAC3qizVBcQf2hRko
+LB0N/a4twSDzOj9Kl9hRhKsZZ8IGY0wxaFgtoDWNdL04lfsTsGl+8pycjp0QrBZH
+pGGNQJpCvtWlNKKhGleJKcIiUECfsUyPqZGJwtAJHSodzYwtLUS+fJJkGJxVmfOB
+t7vRSNdhOlGf80wQ+exJtrYNWUoJ4oIjsYwObG1b5MuRU640zeamPa2DXlu7Ai6V
+Fj7wWo5cI0Yawzb9OO/zSSM1hdP5rypQcCn7K2ybZGYNOKqanY43IDyWQj+JUysF
+S+fFSuyv2FGifgSsxpGjuXoX6+oO1PDNhCQYnQjwoenQ6SHmBIqAhKv+VRCQUCsj
+IP3ZD/kCgYEA6wYIExk1khOiBvXqlap9Bt+T43k5bp0J1x0RPJHDvXzEiVvsv0mN
+Ft/EyvWoJvwxr6mtX9uVHdblQJao/ShCipdLeDGtMbHL8NH4PefBe+mkrHr/4/Yk
+3cgofkp/OKrA6Cwrkis7ishZ/5QwjE9lcwRQuK5TPx16zomghd0VVCMCgYEAmHn/
+pWoHnp4vDqweByme3aELQ2w8TSc8smQMuuVx+x+4TuGfgQC7DhPb9Yqdy0d0AFec
+IiVVYXG4JTCAovgLAtgwQd/M33pxv6r8ji8EXa+N/5YNmQ5+bxWth2TaKKHw1nwm
+IJ3gFHyJe2WSDSBU19Ybkcw7D9xd/SkRZHfgZR0CgYEAuibj3GS6RsKgMo0zymno
+b7pFBAavk8p00dqnHWeDN6IMdZPG+FhElVqWH//luUNGA5IMzgE5ohHlMXxjy2jJ
+E8b0MvZ97P+bvlpBGp9nZENSeH9QEXqUBsqUMDvHetXcx8i8liECH1HD3yi8L1Zv
+z2MaoL0LGNG7xL3D1GOhkisCgYBfDL42yZASax1+kgDuCh4Ent28m/5DQlBuDDx7
+TYjuOOnWEoQyENiKgArAWDbhf5tqkzK7fnZpFlDqrf+il+mVTltW1UKLlXLPPrHN
+mLWqCUQFre6wGP7sFKFmI5Jzfe/6ZM4HyyLi4nd5uul+0UbSfaAWFTBEROU6aZ1z
++d6iaQKBgQClbxwJXed8LIH7sdcpUDz+sLZtcU2CBeaFvgWXN7V/pYATi2TvfN9p
+8xMNUWsdTU7+2i9skzljlJ4vjEoY3cJ3Wki6cop7k6XqMGKV5oToZjwKjWGt2sp1
+8N72VtkU2o4gvK4HMIlbDIgrmNmXqLMRa6JJcRa2FPH4Xsi6NFrQPQ==
+-----END RSA PRIVATE KEY-----
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/ca-ts.jks b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/ca-ts.jks
new file mode 100644
index 00000000..3fe89fa0
Binary files /dev/null and b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/ca-ts.jks differ
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/ca-ts.p12 b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/ca-ts.p12
new file mode 100644
index 00000000..b5fc9e70
Binary files /dev/null and b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/ca-ts.p12 differ
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/client-ks.jks b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/client-ks.jks
deleted file mode 100644
index f2e0a1ad..00000000
Binary files a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/client-ks.jks and /dev/null differ
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/localhost-ks.jks b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/localhost-ks.jks
deleted file mode 100644
index 7421aaad..00000000
Binary files a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/localhost-ks.jks and /dev/null differ
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/localhost-ts.jks b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/localhost-ts.jks
deleted file mode 100644
index 21eb2c0b..00000000
Binary files a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/localhost-ts.jks and /dev/null differ
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/registry-cert.pem b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/registry-cert.pem
new file mode 100644
index 00000000..026e3eb9
--- /dev/null
+++ b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/registry-cert.pem
@@ -0,0 +1,51 @@
+Bag Attributes
+    friendlyName: registry-key
+    localKeyID: 54 69 6D 65 20 31 35 34 35 31 35 37 39 34 36 32 31 34 
+subject=/OU=nifi/CN=registry
+issuer=/OU=nifi/CN=Test CA (Do Not Trust)
+-----BEGIN CERTIFICATE-----
+MIIDdDCCAlygAwIBAgIKAWfClyHCAAAAADANBgkqhkiG9w0BAQsFADAwMQ0wCwYD
+VQQLDARuaWZpMR8wHQYDVQQDDBZUZXN0IENBIChEbyBOb3QgVHJ1c3QpMB4XDTE4
+MTIxODE4MzIyM1oXDTQ2MDUwNDE4MzIyM1owIjENMAsGA1UECwwEbmlmaTERMA8G
+A1UEAwwIcmVnaXN0cnkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4
+OYy3dRjERT7HcighqGW3eb4I0DfweWJ42/uf94/hMFSIQPo/lJetomhFSGiswRCN
+Y9ybWMaB0jPL7ksJQJLzUTKOQvH08Ml/MaiwsRHlGlD+8LqTma0jT+vdhdcypZ+B
+m5x6ozC5mZB1QqDYwXN21YR7IGYDMAdZ0OQuMreC+u7+fZ4LZLTFeKajWJSZ3fnv
+UKtYN05OUr8HZXk6Cc0vys7YZZeIQ5vKdbDjNSEt1yixfvp468KzFSNOCYtLStcL
+bDq4MBhxplQXTVJie1ofYnc8pYAG8BP1IPusfJ/NxCpk4pzSjFKC/GI0QfqcTVWA
+REUmTFpRZGykWsx0aBPFAgMBAAGjgZ0wgZowHQYDVR0OBBYEFB2WLWWv5ubjziz6
+2IfJcs3Spy2kMB8GA1UdIwQYMBaAFNukt0jKduJKyg8F+c/3j0w2AcnHMA4GA1Ud
+DwEB/wQEAwID+DAJBgNVHRMEAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEF
+BQcDATAeBgNVHREEFzAVgghyZWdpc3RyeYIJbG9jYWxob3N0MA0GCSqGSIb3DQEB
+CwUAA4IBAQAe5BReiXYEzM8ef7Wcl7DBLSh0Q5tWAl8Z4xCrOlNHjHM6GEZirJmh
+ww6W1wDth/kftZnptjxAP21SbdjzmgDRcRu2wqZSHeWP6lL53BfegE/AFaBwTlOE
+2nESoGIDl1vROMFFOnzR2ZJWmSoUDk/4oVFLZYAabUZKjfUZTjz99O7Pk4GiySrg
+c7/xKnYx8x91+jqFjpIgR/pkvrTPaPkAtgs68a5YxGT8yHH0wA1Ve+3zmqkQbg9g
+fDimZ4fgaorS0JzuqiZbIyzxu7Q6G506Lu34l5NA2qZQzdTm8g98ksli7DMazc8n
+8o68bZD9szMrvGiVCx/ujtiu2GG1y187
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: CN=Test CA (Do Not Trust),OU=nifi
+subject=/OU=nifi/CN=Test CA (Do Not Trust)
+issuer=/OU=nifi/CN=Test CA (Do Not Trust)
+-----BEGIN CERTIFICATE-----
+MIIDYzCCAkugAwIBAgIKAWfClyDGAAAAADANBgkqhkiG9w0BAQsFADAwMQ0wCwYD
+VQQLDARuaWZpMR8wHQYDVQQDDBZUZXN0IENBIChEbyBOb3QgVHJ1c3QpMB4XDTE4
+MTIxODE4MzIyM1oXDTQ2MDUwNDE4MzIyM1owMDENMAsGA1UECwwEbmlmaTEfMB0G
+A1UEAwwWVGVzdCBDQSAoRG8gTm90IFRydXN0KTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAIv7lVgGRHGaYmKkeTJpFzAp6QA7Anik/u1a+1ngGFWf9e6l
+RkSX6US+nPbDRLJpSkO0c+/v8BwAKBiHUFaGF9XV7YvX92x/Gb3/FidSu+HAW/w/
+keIZ8PHvXbMtTvEur+nY1hSDvssdw1nAYAB9DG26HdRSg5c1DYgHLk9WCDWuIspU
+n31YCb0lStWWbHM53i8xLfeV3IdOw9P3+d8bopzUUjk2quSxxekvzLCC1e14csJG
+GIKLplRUq+zWRgkGYF8Fkx+kYGL62sehAdVcblxjwnXnmlPHvlxeaclsAVn4LCQj
+gQzstzAv+s7sNSCxHba4vAusszWxOFiM1Vk8VvcCAwEAAaN/MH0wDgYDVR0PAQH/
+BAQDAgH+MAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFNukt0jKduJKyg8F+c/3j0w2
+AcnHMB8GA1UdIwQYMBaAFNukt0jKduJKyg8F+c/3j0w2AcnHMB0GA1UdJQQWMBQG
+CCsGAQUFBwMCBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAMvNsYLooq3zh
+ts0fPU8dNcfe/NXFK6Uwg0RQPtq/l1ChGnZgXicx+RHMR5Q08pR62e+3gztk+LRE
+iR9PpXqKFLM8slhR1z4sZ+Ja38ZHcOjsDPJeMKjUTrK8MNQN3YPKzoPE0AnLmsZI
+Kf1eUIXXA3uXiXkIIVuxPPK96Q5Rla0xnbOpgejzGJ0BIMFP3odLlSahtT2Gl6wC
+bdyImBkFntRJMoUx1fwUSKvIN5GUpaG6+E3mwgjckTUGZ15WrAllWqzhI06T73Yv
+qR4FsQizqrqLimrIgvCBH6SWbOcsjCH/I58KqMRtG+kmfa/iwMfy0MMzuzx1Kwbr
+qOi08D8F0w==
+-----END CERTIFICATE-----
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/registry-key.pem b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/registry-key.pem
new file mode 100644
index 00000000..e2e48e72
--- /dev/null
+++ b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/registry-key.pem
@@ -0,0 +1,85 @@
+Bag Attributes
+    friendlyName: registry-key
+    localKeyID: 54 69 6D 65 20 31 35 34 35 31 35 37 39 34 36 32 31 34 
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIq3tPUSgTjYoCAggA
+MBQGCCqGSIb3DQMHBAjQRc2FRduPPwSCBMh1unFOz4EL+BfzTMsHc//QDhof+/ey
+4voz/DqHsPnxSXGCxDJc51OnyINIRZsIVaJVDxcKbwMtoLEVasGw54oYeTRSkJ7l
+56dTEvHHBx9/ksdcKGshCfA2hBI5YMiWXjk477+iKI7AhoHXt5azk65NUG4+CU/X
+FuqzAcXfwtktfl/nyl5U7j+Kh7cVpV0XEINUyjBiqKjTkAMn/+GMOUN0Tb/hYtZo
+P8bz8cqQiLIdoQzqVJmVkS4cXhUcD0a2wJ9ptPz+Mss4VOl7812R30kBB1figNIy
+V7hzC7vJpECQoCkqvDDfJBmyjSA5JDaVQMyXyrpP1nrRDdKOqufYbA93ojm1AA+h
+eCXWtqWcLVgUHEQz6hzrxcigyv+iR29xA58wB+/GBs2GIgrpfA5kKK9QiI1WsAT0
+B7mLEhzACtfctuWkcHsY7GEHKdweVBGkRzMFjdNpO4mYDyp9x7Xc2AVxENyfdZIA
+e3JNRMK3yQHOr4oAk1YnU7h4Dzw4dsbLetixSsPtn+5PpoulUKqd7VLqQb62Fzlt
+FquphwZesdmLZLm6igMXfAb6JzPIXg8HQGubX8MHWdbtHlkPOnZ6YQ1MOZvX8PGB
+2TY76c7O5lBU2Az/jcSSh0Y4vuf55mTLEdnvsIuwrlITitZFTM4fOpFTbP+g4MEy
+L4KtUP8TnezsNCitxQSOnzBHkZ52Ik6aL+macjS0UgPiku9P4aC0kpszAXZUuumQ
+PdgcEIH8dJ6/wvs7hBHHlR4xLbj6nOQ5rz6Cxx0Ozb+F8oi5WcwoeSUNz9z51Z52
+ENj3BQ8G672KtKRJ8h2csGt6SAH0sjjjzThiKk9e4o1/la6/6D5mQsRUxgGbZ/pw
+ewtPkFIPa9s+XRvlIu9QBKaqvIZ3aRARvtdUOiap2XOGkqPLmeLBQ8yCvqDczkwV
+f5dg8zcE817bfe5NcAUQyOrT8A+ANpjLZNwKK7B1tg5Q7S3G+u9MeSSR6xMyw+ce
+04eVo3+rtFia7gMnL1covgA46jBufl6to1AwSPHkbooVKdPUODPG8FKKpJSjHOUz
+WGNx8+QXXsvZyWw2betA6eT2lJuSfKct5QSpwImLFjH0xjwpSu0dvQK3N6IvpLkR
+lei0ATBjZ5ekRRpGowDJJlFE3LKU2BkVMikl6/c3Ap89/EKdIeN3odVtA7GPDHyy
+Vxh0sywOdatL46HI2EvMlMbIFX0BvJVZQ68BZ8UxmucrzC6G+hoVzMk18vSDm3s/
+Ydj5FiUuBSL36x9sQmzQXk2XvQscHCYnMX7H4F5TVaarfp1xQS36H3P6rUXcDRhp
++EM6P/YkQkelGIc+t2AcHwcYeISzqVIXBzMQfAaiR2YsQc/27mM/mkI+wT14WfxN
+cf47ver5OBc2xfKScp4dJpWMVe/gZEAiyVlSw5gZXGP/CbunBNVhldSl8lh/nCpc
+WJrmnRe5wyx9+OKoyEI8w9fE5c1Pwct33oeMnaKdpI8g/eDBARZkz1Tousso9a+K
+5YmqHpOhQkEMxCrhxF+yY+XmoLCIPg0B+EX5IWZfHGL5Etm5FhcijzFw86z2QHZ+
+JUINfPR1WnN8lNoUFA4w/MTv0wREeWD6cF/bzYQQDrnzdl5tznYSFF5xAEb5KrlH
+aGA=
+-----END ENCRYPTED PRIVATE KEY-----
+Bag Attributes
+    friendlyName: registry-key
+    localKeyID: 54 69 6D 65 20 31 35 34 35 31 35 37 39 34 36 32 31 34 
+subject=/OU=nifi/CN=registry
+issuer=/OU=nifi/CN=Test CA (Do Not Trust)
+-----BEGIN CERTIFICATE-----
+MIIDdDCCAlygAwIBAgIKAWfClyHCAAAAADANBgkqhkiG9w0BAQsFADAwMQ0wCwYD
+VQQLDARuaWZpMR8wHQYDVQQDDBZUZXN0IENBIChEbyBOb3QgVHJ1c3QpMB4XDTE4
+MTIxODE4MzIyM1oXDTQ2MDUwNDE4MzIyM1owIjENMAsGA1UECwwEbmlmaTERMA8G
+A1UEAwwIcmVnaXN0cnkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4
+OYy3dRjERT7HcighqGW3eb4I0DfweWJ42/uf94/hMFSIQPo/lJetomhFSGiswRCN
+Y9ybWMaB0jPL7ksJQJLzUTKOQvH08Ml/MaiwsRHlGlD+8LqTma0jT+vdhdcypZ+B
+m5x6ozC5mZB1QqDYwXN21YR7IGYDMAdZ0OQuMreC+u7+fZ4LZLTFeKajWJSZ3fnv
+UKtYN05OUr8HZXk6Cc0vys7YZZeIQ5vKdbDjNSEt1yixfvp468KzFSNOCYtLStcL
+bDq4MBhxplQXTVJie1ofYnc8pYAG8BP1IPusfJ/NxCpk4pzSjFKC/GI0QfqcTVWA
+REUmTFpRZGykWsx0aBPFAgMBAAGjgZ0wgZowHQYDVR0OBBYEFB2WLWWv5ubjziz6
+2IfJcs3Spy2kMB8GA1UdIwQYMBaAFNukt0jKduJKyg8F+c/3j0w2AcnHMA4GA1Ud
+DwEB/wQEAwID+DAJBgNVHRMEAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEF
+BQcDATAeBgNVHREEFzAVgghyZWdpc3RyeYIJbG9jYWxob3N0MA0GCSqGSIb3DQEB
+CwUAA4IBAQAe5BReiXYEzM8ef7Wcl7DBLSh0Q5tWAl8Z4xCrOlNHjHM6GEZirJmh
+ww6W1wDth/kftZnptjxAP21SbdjzmgDRcRu2wqZSHeWP6lL53BfegE/AFaBwTlOE
+2nESoGIDl1vROMFFOnzR2ZJWmSoUDk/4oVFLZYAabUZKjfUZTjz99O7Pk4GiySrg
+c7/xKnYx8x91+jqFjpIgR/pkvrTPaPkAtgs68a5YxGT8yHH0wA1Ve+3zmqkQbg9g
+fDimZ4fgaorS0JzuqiZbIyzxu7Q6G506Lu34l5NA2qZQzdTm8g98ksli7DMazc8n
+8o68bZD9szMrvGiVCx/ujtiu2GG1y187
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: CN=Test CA (Do Not Trust),OU=nifi
+subject=/OU=nifi/CN=Test CA (Do Not Trust)
+issuer=/OU=nifi/CN=Test CA (Do Not Trust)
+-----BEGIN CERTIFICATE-----
+MIIDYzCCAkugAwIBAgIKAWfClyDGAAAAADANBgkqhkiG9w0BAQsFADAwMQ0wCwYD
+VQQLDARuaWZpMR8wHQYDVQQDDBZUZXN0IENBIChEbyBOb3QgVHJ1c3QpMB4XDTE4
+MTIxODE4MzIyM1oXDTQ2MDUwNDE4MzIyM1owMDENMAsGA1UECwwEbmlmaTEfMB0G
+A1UEAwwWVGVzdCBDQSAoRG8gTm90IFRydXN0KTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAIv7lVgGRHGaYmKkeTJpFzAp6QA7Anik/u1a+1ngGFWf9e6l
+RkSX6US+nPbDRLJpSkO0c+/v8BwAKBiHUFaGF9XV7YvX92x/Gb3/FidSu+HAW/w/
+keIZ8PHvXbMtTvEur+nY1hSDvssdw1nAYAB9DG26HdRSg5c1DYgHLk9WCDWuIspU
+n31YCb0lStWWbHM53i8xLfeV3IdOw9P3+d8bopzUUjk2quSxxekvzLCC1e14csJG
+GIKLplRUq+zWRgkGYF8Fkx+kYGL62sehAdVcblxjwnXnmlPHvlxeaclsAVn4LCQj
+gQzstzAv+s7sNSCxHba4vAusszWxOFiM1Vk8VvcCAwEAAaN/MH0wDgYDVR0PAQH/
+BAQDAgH+MAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFNukt0jKduJKyg8F+c/3j0w2
+AcnHMB8GA1UdIwQYMBaAFNukt0jKduJKyg8F+c/3j0w2AcnHMB0GA1UdJQQWMBQG
+CCsGAQUFBwMCBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAMvNsYLooq3zh
+ts0fPU8dNcfe/NXFK6Uwg0RQPtq/l1ChGnZgXicx+RHMR5Q08pR62e+3gztk+LRE
+iR9PpXqKFLM8slhR1z4sZ+Ja38ZHcOjsDPJeMKjUTrK8MNQN3YPKzoPE0AnLmsZI
+Kf1eUIXXA3uXiXkIIVuxPPK96Q5Rla0xnbOpgejzGJ0BIMFP3odLlSahtT2Gl6wC
+bdyImBkFntRJMoUx1fwUSKvIN5GUpaG6+E3mwgjckTUGZ15WrAllWqzhI06T73Yv
+qR4FsQizqrqLimrIgvCBH6SWbOcsjCH/I58KqMRtG+kmfa/iwMfy0MMzuzx1Kwbr
+qOi08D8F0w==
+-----END CERTIFICATE-----
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/registry-ks.jks b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/registry-ks.jks
new file mode 100644
index 00000000..0bc06d7b
Binary files /dev/null and b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/registry-ks.jks differ
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/registry-ks.p12 b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/registry-ks.p12
new file mode 100644
index 00000000..0f10f89d
Binary files /dev/null and b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/registry-ks.p12 differ
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/user1-cert.pem b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/user1-cert.pem
new file mode 100644
index 00000000..dfecaec9
--- /dev/null
+++ b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/user1-cert.pem
@@ -0,0 +1,50 @@
+Bag Attributes
+    friendlyName: user1-key
+    localKeyID: 54 69 6D 65 20 31 35 34 35 31 35 37 39 34 38 38 33 36 
+subject=/OU=nifi/CN=user1
+issuer=/OU=nifi/CN=Test CA (Do Not Trust)
+-----BEGIN CERTIFICATE-----
+MIIDTzCCAjegAwIBAgIKAWfClyTXAAAAADANBgkqhkiG9w0BAQsFADAwMQ0wCwYD
+VQQLDARuaWZpMR8wHQYDVQQDDBZUZXN0IENBIChEbyBOb3QgVHJ1c3QpMB4XDTE4
+MTIxODE4MzIyNFoXDTQ2MDUwNDE4MzIyNFowHzENMAsGA1UECwwEbmlmaTEOMAwG
+A1UEAwwFdXNlcjEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCKSsvi
+WSrOIDjF+drgVnrB1QYk1dNeQp64nE7ffzlPoEOWbNQzho+JTp1D9XI9+IBUmSTW
+f4JeYDs0gTpbfwzVmsLI30u/a0wUgERM3+8fl9XwrSJ4blkG4A8az4i3CFjObOYA
+6znDclHLGcmWthwjxQ50n/BjTUGHJFpK/1/uLLgfeJreP73RdTm8fPMRj9H1JhpV
+/UsP4w0EJX3sr2acKW34w+edkQgbGxxg2+dAokb/ODrO6/wntbYaFJguCEe5jQL+
+bfSVMiix99RjTeflFaKU0fQI0GYbcf6wmz9JUEvX9JXiclVyu9daV6jUgKJcg6SJ
+Aqjx5boVrUFH1J4zAgMBAAGjfDB6MB0GA1UdDgQWBBRjObpZQdsXe5pq7k501MOU
+5ChXezAfBgNVHSMEGDAWgBTbpLdIynbiSsoPBfnP949MNgHJxzAOBgNVHQ8BAf8E
+BAMCA/gwCQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEw
+DQYJKoZIhvcNAQELBQADggEBADPa3w6bgNuY8oTRxzinXRCJKFFiVDM0SI3K0qEo
+4Evg5np1xgIou6p4k9QHAmbb0wnVdOJQ+74PXpm1Z7kSmZAXz/wXFFKQSmVILWTH
+EO23ThBPDOzvks1DXo76KjW1rTMsXHV0rTBzq/OJShfA5zGfXuKuI+60EozsO0Xh
+bSeBUjmW0wU7b/dYw2WrmeBFPvz9VhpQG8ZL3cfMvjqIYtn8qRu+gw5pMdKJOpQV
+4YcyAhusREGMWc4Lmq+kXGk4UlOy9imUNuKkT10e9IS7STZHVqoKXPs5Y2jJODrr
+S8fvbRJUvu/WLRRi0AXsC7MD5U1p+emBeLF3g95MneCbjEg=
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: CN=Test CA (Do Not Trust),OU=nifi
+subject=/OU=nifi/CN=Test CA (Do Not Trust)
+issuer=/OU=nifi/CN=Test CA (Do Not Trust)
+-----BEGIN CERTIFICATE-----
+MIIDYzCCAkugAwIBAgIKAWfClyDGAAAAADANBgkqhkiG9w0BAQsFADAwMQ0wCwYD
+VQQLDARuaWZpMR8wHQYDVQQDDBZUZXN0IENBIChEbyBOb3QgVHJ1c3QpMB4XDTE4
+MTIxODE4MzIyM1oXDTQ2MDUwNDE4MzIyM1owMDENMAsGA1UECwwEbmlmaTEfMB0G
+A1UEAwwWVGVzdCBDQSAoRG8gTm90IFRydXN0KTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAIv7lVgGRHGaYmKkeTJpFzAp6QA7Anik/u1a+1ngGFWf9e6l
+RkSX6US+nPbDRLJpSkO0c+/v8BwAKBiHUFaGF9XV7YvX92x/Gb3/FidSu+HAW/w/
+keIZ8PHvXbMtTvEur+nY1hSDvssdw1nAYAB9DG26HdRSg5c1DYgHLk9WCDWuIspU
+n31YCb0lStWWbHM53i8xLfeV3IdOw9P3+d8bopzUUjk2quSxxekvzLCC1e14csJG
+GIKLplRUq+zWRgkGYF8Fkx+kYGL62sehAdVcblxjwnXnmlPHvlxeaclsAVn4LCQj
+gQzstzAv+s7sNSCxHba4vAusszWxOFiM1Vk8VvcCAwEAAaN/MH0wDgYDVR0PAQH/
+BAQDAgH+MAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFNukt0jKduJKyg8F+c/3j0w2
+AcnHMB8GA1UdIwQYMBaAFNukt0jKduJKyg8F+c/3j0w2AcnHMB0GA1UdJQQWMBQG
+CCsGAQUFBwMCBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAMvNsYLooq3zh
+ts0fPU8dNcfe/NXFK6Uwg0RQPtq/l1ChGnZgXicx+RHMR5Q08pR62e+3gztk+LRE
+iR9PpXqKFLM8slhR1z4sZ+Ja38ZHcOjsDPJeMKjUTrK8MNQN3YPKzoPE0AnLmsZI
+Kf1eUIXXA3uXiXkIIVuxPPK96Q5Rla0xnbOpgejzGJ0BIMFP3odLlSahtT2Gl6wC
+bdyImBkFntRJMoUx1fwUSKvIN5GUpaG6+E3mwgjckTUGZ15WrAllWqzhI06T73Yv
+qR4FsQizqrqLimrIgvCBH6SWbOcsjCH/I58KqMRtG+kmfa/iwMfy0MMzuzx1Kwbr
+qOi08D8F0w==
+-----END CERTIFICATE-----
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/user1-key.pem b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/user1-key.pem
new file mode 100644
index 00000000..f288cda2
--- /dev/null
+++ b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/user1-key.pem
@@ -0,0 +1,84 @@
+Bag Attributes
+    friendlyName: user1-key
+    localKeyID: 54 69 6D 65 20 31 35 34 35 31 35 37 39 34 38 38 33 36 
+Key Attributes: <No Attributes>
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIb383JvWdLvECAggA
+MBQGCCqGSIb3DQMHBAhzr4pzpi7sRASCBMhm5cb7aAuvV28Oaj9pGKPtekdWNEwr
+zKVzoy9xu0QTef/m0JxCuRW0qnfyGKzYHFjjgfxvA3deAnQYpnxDmWPJwHbw/mzx
+RM/YRTiFa45w5HulOc9t+C5N4pess7QVNYgaWp3EcbjtuwrPry0HvJFqM7JyNoK+
+g3pyZ6pZq1CZFSua4oNEu30frbiTYXKeMMa/YTNmN2jLtS3VkY1BSXYm/jtIktFw
+YCAsGz/9u4jIWt2SqWR1ieV4d3PGrvFm6yvBq1dZx/jIpHfZU0ozMEUqwZx4Hevs
+VoPmwHMI/0SDWtXgso6zGgKKkXu0BdUhR+m4C1xg8iBAFWQxrNASQb+q6RcCymFs
+j0nDe9PdS6w764KgkcRPv5xo2kEqULy1D/gXxAbSWq9luvG1ljJ/6gvdg8StFIx0
+ugAgywm9/++TAiM/OU4fxkFF0D0QhHbuwBVynbUHdOFSclrEZ4vzyW+1VUf+Z8KT
+u4YicaSAXY6reEYp2Qcux93OKEqQ62uM7cMI3QItKqbSX+WokPev1iKgjqMaqAUU
+jtypACu+LwANQmTkWUaLGdAHanKhuXiYmt1wMLbQ0U2kOEZ83si8sBerKI1qUOh7
+0ZFqOrIhRxZH0OErPBLyBER41OMHtlTdKEFHDJAZ5emwIFNV23dHM9I401PfFeHb
+F1xLl30GThKC/xyUWmkbTUKQ/4GJZPAhLKvOQCbWiMmTpBeCdyADIQO4V4RrGuzT
+UwAdhfMkMPbyi25iLtVxhm7PUN9ywhbj/KzPMkc/1/M8yUw3gzo7GGBPEiOxNdc/
+sqeG69tn/P2qocvuH646zSO7IgcOcadrGpzZhana0nt1SEOqAFg379NXNXZPmhzW
+BOFj5W2PlWe9cfBrQxbFkF0F+RIrTnwYUyJCpqTgJkIPtvmwDPODFAwvPvMPal1a
+AjsqucMEvDY5lHMYyPA3/heneO9oCavrJEt1wKS0MCdNVN4a8hEQsmCz71MaYEiI
+G1/t1jVIFc7N8zGApfuzPHnaquRnkdlMaEArJDkXLi0m4OC2rVXoJrlqtJAzkT/8
+qzG030F21G/STOpjYjKjqU+woEmT+ZmLGNCme5oBAo3OQbIe2Jf5uU5jdlh+3PnO
+QBES7sMPH9TlMauGKd6s6+MHB43YOQj4PpkLYWdnK8GTiPqSrx4/gZipyL8ZvY7V
+2wPJqE3nxQleWoy8Y6NVuph0LM8dhcmdGPo8sw0wm0Q2f+fG/L7j5BVuhYB66YNR
+pxNrNKu4KWfmye5XuZLK6DJvPZUu5C8zNQedt8853zacsjypzfJzQRmEav3p1oL8
+2zReH8MyXK6VSBEPS+3u/K/I6oqUXyhzIsf/K4uXkIj4WcQeionPtk7ibcA5nAo0
+aEQFNze889Ns8wOPicswnTk4SffS6adM+1eJ+BmMVWAAs+LfW84hJkvlP5ik4UWZ
+Fr0YLDkXLB71NmzhA7jVP+wnZtRjurcyLabT3p4u4t+eBnwLUCU9Mk5M1Y1hnR2K
+viioDqvla2W1WfC9uPsdq5+5ufUYRa79fZjne+YY8Yyh/Vyf7cXKiNo//1t3U++x
+TE1xsQvr4y40MZowemEZav215/R1m7ZbPWYOn2dz6Qv6qAWyiAcCuo9hqwpSsVwg
+4TM=
+-----END ENCRYPTED PRIVATE KEY-----
+Bag Attributes
+    friendlyName: user1-key
+    localKeyID: 54 69 6D 65 20 31 35 34 35 31 35 37 39 34 38 38 33 36 
+subject=/OU=nifi/CN=user1
+issuer=/OU=nifi/CN=Test CA (Do Not Trust)
+-----BEGIN CERTIFICATE-----
+MIIDTzCCAjegAwIBAgIKAWfClyTXAAAAADANBgkqhkiG9w0BAQsFADAwMQ0wCwYD
+VQQLDARuaWZpMR8wHQYDVQQDDBZUZXN0IENBIChEbyBOb3QgVHJ1c3QpMB4XDTE4
+MTIxODE4MzIyNFoXDTQ2MDUwNDE4MzIyNFowHzENMAsGA1UECwwEbmlmaTEOMAwG
+A1UEAwwFdXNlcjEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCKSsvi
+WSrOIDjF+drgVnrB1QYk1dNeQp64nE7ffzlPoEOWbNQzho+JTp1D9XI9+IBUmSTW
+f4JeYDs0gTpbfwzVmsLI30u/a0wUgERM3+8fl9XwrSJ4blkG4A8az4i3CFjObOYA
+6znDclHLGcmWthwjxQ50n/BjTUGHJFpK/1/uLLgfeJreP73RdTm8fPMRj9H1JhpV
+/UsP4w0EJX3sr2acKW34w+edkQgbGxxg2+dAokb/ODrO6/wntbYaFJguCEe5jQL+
+bfSVMiix99RjTeflFaKU0fQI0GYbcf6wmz9JUEvX9JXiclVyu9daV6jUgKJcg6SJ
+Aqjx5boVrUFH1J4zAgMBAAGjfDB6MB0GA1UdDgQWBBRjObpZQdsXe5pq7k501MOU
+5ChXezAfBgNVHSMEGDAWgBTbpLdIynbiSsoPBfnP949MNgHJxzAOBgNVHQ8BAf8E
+BAMCA/gwCQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEw
+DQYJKoZIhvcNAQELBQADggEBADPa3w6bgNuY8oTRxzinXRCJKFFiVDM0SI3K0qEo
+4Evg5np1xgIou6p4k9QHAmbb0wnVdOJQ+74PXpm1Z7kSmZAXz/wXFFKQSmVILWTH
+EO23ThBPDOzvks1DXo76KjW1rTMsXHV0rTBzq/OJShfA5zGfXuKuI+60EozsO0Xh
+bSeBUjmW0wU7b/dYw2WrmeBFPvz9VhpQG8ZL3cfMvjqIYtn8qRu+gw5pMdKJOpQV
+4YcyAhusREGMWc4Lmq+kXGk4UlOy9imUNuKkT10e9IS7STZHVqoKXPs5Y2jJODrr
+S8fvbRJUvu/WLRRi0AXsC7MD5U1p+emBeLF3g95MneCbjEg=
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: CN=Test CA (Do Not Trust),OU=nifi
+subject=/OU=nifi/CN=Test CA (Do Not Trust)
+issuer=/OU=nifi/CN=Test CA (Do Not Trust)
+-----BEGIN CERTIFICATE-----
+MIIDYzCCAkugAwIBAgIKAWfClyDGAAAAADANBgkqhkiG9w0BAQsFADAwMQ0wCwYD
+VQQLDARuaWZpMR8wHQYDVQQDDBZUZXN0IENBIChEbyBOb3QgVHJ1c3QpMB4XDTE4
+MTIxODE4MzIyM1oXDTQ2MDUwNDE4MzIyM1owMDENMAsGA1UECwwEbmlmaTEfMB0G
+A1UEAwwWVGVzdCBDQSAoRG8gTm90IFRydXN0KTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAIv7lVgGRHGaYmKkeTJpFzAp6QA7Anik/u1a+1ngGFWf9e6l
+RkSX6US+nPbDRLJpSkO0c+/v8BwAKBiHUFaGF9XV7YvX92x/Gb3/FidSu+HAW/w/
+keIZ8PHvXbMtTvEur+nY1hSDvssdw1nAYAB9DG26HdRSg5c1DYgHLk9WCDWuIspU
+n31YCb0lStWWbHM53i8xLfeV3IdOw9P3+d8bopzUUjk2quSxxekvzLCC1e14csJG
+GIKLplRUq+zWRgkGYF8Fkx+kYGL62sehAdVcblxjwnXnmlPHvlxeaclsAVn4LCQj
+gQzstzAv+s7sNSCxHba4vAusszWxOFiM1Vk8VvcCAwEAAaN/MH0wDgYDVR0PAQH/
+BAQDAgH+MAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFNukt0jKduJKyg8F+c/3j0w2
+AcnHMB8GA1UdIwQYMBaAFNukt0jKduJKyg8F+c/3j0w2AcnHMB0GA1UdJQQWMBQG
+CCsGAQUFBwMCBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAMvNsYLooq3zh
+ts0fPU8dNcfe/NXFK6Uwg0RQPtq/l1ChGnZgXicx+RHMR5Q08pR62e+3gztk+LRE
+iR9PpXqKFLM8slhR1z4sZ+Ja38ZHcOjsDPJeMKjUTrK8MNQN3YPKzoPE0AnLmsZI
+Kf1eUIXXA3uXiXkIIVuxPPK96Q5Rla0xnbOpgejzGJ0BIMFP3odLlSahtT2Gl6wC
+bdyImBkFntRJMoUx1fwUSKvIN5GUpaG6+E3mwgjckTUGZ15WrAllWqzhI06T73Yv
+qR4FsQizqrqLimrIgvCBH6SWbOcsjCH/I58KqMRtG+kmfa/iwMfy0MMzuzx1Kwbr
+qOi08D8F0w==
+-----END CERTIFICATE-----
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/user1-ks.jks b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/user1-ks.jks
new file mode 100644
index 00000000..94ddf059
Binary files /dev/null and b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/user1-ks.jks differ
diff --git a/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/user1-ks.p12 b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/user1-ks.p12
new file mode 100644
index 00000000..47e27731
Binary files /dev/null and b/nifi-registry-core/nifi-registry-web-api/src/test/resources/keys/user1-ks.p12 differ


 

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services