Posted to issues@nifi.apache.org by "Ferenc Gerlits (Jira)" <ji...@apache.org> on 2020/12/08 15:17:00 UTC

[jira] [Created] (MINIFICPP-1422) MiNiFi should be able to get certs from the Openssl truststore on Linux

Ferenc Gerlits created MINIFICPP-1422:
-----------------------------------------

             Summary: MiNiFi should be able to get certs from the Openssl truststore on Linux
                 Key: MINIFICPP-1422
                 URL: https://issues.apache.org/jira/browse/MINIFICPP-1422
             Project: Apache NiFi MiNiFi C++
          Issue Type: New Feature
            Reporter: Ferenc Gerlits


Minifi is able to read the server and client certificates necessary to connect to the C2 server from the Windows truststore (MINIFICPP-1401), but this does not work on Linux.

On Linux, the natural way would be to use Openssl's own truststore.

The server certificate works, to some degree: if {{server-cert.pem}} is the server certificate, then you can install it like this:
{noformat}
$ cd ${OPENSSL_CACERT_DIR}
$ cp /path/to/server-cert.pem ./
$ CERTIFICATE_HASH=$(openssl x509 -noout -hash -in server-cert.pem)
$ ln -s server-cert.pem ${CERTIFICATE_HASH}.0

$ chmod 755 ${OPENSSL_CACERT_DIR}
$ chmod 600 ${OPENSSL_CACERT_DIR}/server-cert.pem
{noformat}
After this, if you unset {{nifi.security.client.ca.certificate}} and set {{nifi.security.use.system.cert.store=true}}, then Minifi will read the server certificate from {{OPENSSL_CACERT_DIR}}.

But the default {{OPENSSL_CACERT_DIR}} depends on where Minifi was compiled, e.g. it could be {{/home/myuser/src/minifi/build/thirdparty/libressl-install/etc/ssl/certs}}, which is not nice. The default location should be changed to something more sensible, and there needs to be a way to override it.

I don't know how to add the client certificate + key to the Openssl truststore, so that will need to be investigated.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
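The hashed-symlink install step described in the ticket, as an added example that is not part of MiNiFi or of the ticket: a small POSIX shell helper that copies a PEM certificate into an OpenSSL CApath directory, picks the next free `<subject_hash>.N` suffix the way `openssl rehash` does (so two certificates with colliding subject hashes do not overwrite each other), and confirms with `openssl verify -CApath` that OpenSSL can actually find it there. It assumes only that the `openssl` CLI is installed; the function names, the certificate and the directory used in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added illustration for the MINIFICPP-1422 discussion; not MiNiFi code.
# OpenSSL looks certificates up in a CApath directory by the file name
# <subject_hash>.<n>, so a copied PEM is invisible until that link exists.
# The compiled-in default directory is "$(openssl version -d)/certs".
set -eu

# install_ca_cert <cert.pem> <capath_dir>
# Copies the certificate into the directory, creates the hashed symlink with
# the lowest free suffix (.0, .1, ...) and prints the symlink name.
# -subject_hash is the same value the ticket obtains with -hash.
install_ca_cert() {
    cert="$1"
    dir="$2"
    mkdir -p "$dir"
    cp "$cert" "$dir/"
    base=$(basename "$cert")
    hash=$(openssl x509 -noout -subject_hash -in "$cert")
    n=0
    while [ -e "$dir/$hash.$n" ]; do   # collision: another cert, same hash
        n=$((n + 1))
    done
    ln -s "$base" "$dir/$hash.$n"      # relative link, like openssl rehash
    echo "$hash.$n"
}

# verify_with_capath <cert.pem> <capath_dir>
# Returns 0 when OpenSSL builds a trust chain for the certificate from the
# directory alone, i.e. the lookup a client with use.system.cert.store does.
verify_with_capath() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# make_test_ca <out.pem>
# Generates a constructed self-signed certificate for the demo (1 day).
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-test-ca" \
        -keyout "${1%.pem}-key.pem" -out "$1" >/dev/null 2>&1
}

# Stand-alone usage: install_hashed.sh <cert.pem> <capath_dir>
if [ "$#" -eq 2 ]; then
    install_ca_cert "$1" "$2"
    verify_with_capath "$1" "$2" && echo "lookup OK"
fi
```

Pointing `OPENSSL_CACERT_DIR` at a directory prepared this way, rather than at the compile-time default, gives the override the ticket asks for.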