Posted to issues@nifi.apache.org by GitBox <gi...@apache.org> on 2020/04/09 17:13:14 UTC

[GitHub] [nifi] alopresto commented on a change in pull request #4196: NIFI-7341 Updated certificate commands and source code formatting in …

alopresto commented on a change in pull request #4196: NIFI-7341 Updated certificate commands and source code formatting in …
URL: https://github.com/apache/nifi/pull/4196#discussion_r406353162
 
 

 ##########
 File path: nifi-docs/src/main/asciidoc/toolkit-guide.adoc
 ##########
 @@ -1175,9 +1188,8 @@ $ ./bin/tls-toolkit.sh standalone -n 'node1.nifi.apache.org' \
   * If the DER file only contains the public certificate, use this command:
   ** `openssl x509 -inform der -in cert.der -out cert.pem`
 . To convert from a PKCS12 keystore (`keystore.p12`) containing both the public certificate and private key into PEM encoded files (`$PASSWORD` is the keystore password):
-  * `openssl pkcs12 -in keystore.p12 -out cert.der -nodes -password "pass:$PASSWORD"`
+  * `openssl pkcs12 -in keystore.p12 -nodes -clcerts -nokeys -out cert.pem  -password "pass:$PASSWORD"`
   * `openssl pkcs12 -in keystore.p12 -nodes -nocerts -out key.key -password "pass:$PASSWORD"`
-  * Follow the steps above to convert `cert.der` to `cert.pem`
 . To convert from a Java Keystore (`keystore.jks`) containing private key into PEM encoded files (`$P12_PASSWORD` is the PKCS12 keystore password, `$JKS_PASSWORD` is the Java keystore password you want to set, and `$ALIAS` can be any value -- the NiFi default is `nifi-key`):
   * `keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -srcstoretype JKS -deststoretype PKCS12 -destkeypass "$P12_PASSWORD" -deststorepass "$P12_PASSWORD" -srcstorepass "$JKS_PASSWORD" -srcalias "$ALIAS" -destalias "$ALIAS"`
   * Follow the steps above to convert from `keystore.p12` to `cert.pem` and `key.key`
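
Review bot: On the added `openssl pkcs12 ... -clcerts -nokeys -out cert.pem` line, `-nodes` has no effect, because `-nokeys` means no private key is written to the output; dropping it, along with the doubled space before `-password`, would leave the command minimal. Since `-clcerts` writes only the client certificate, the guide should say that any CA certificates stored in `keystore.p12` will not end up in `cert.pem`. The unchanged `-nocerts` line keeps `-nodes`, so `key.key` is written unencrypted, and a sentence about restricting that file's permissions would fit here. In the Java Keystore step, the text describes `$JKS_PASSWORD` as the password "you want to set", but the command passes it as `-srcstorepass`, so it is the existing JKS password and `$P12_PASSWORD` is the one being set; the earlier step also calls the PKCS12 password `$PASSWORD`, so using one name throughout would avoid confusion.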
 
 Review comment:
   No, the command I updated above removes the need for the follow-on conversion, but this command still results in a PKCS12 keystore, which would need to be converted to the component PEM files using those steps. Thanks. 
