MTLS Setup for NiFi Registry - FerrelBurn/helm-charts GitHub Wiki

Mutual TLS Setup for NiFi Registry and Client

This guide creates a self-signed TLS certificate for NiFi Registry and then reuses that same certificate and key as the issuing CA for client certificates, so the registry authenticates clients by certificate (mutual TLS). It is a lab or test setup: because the server's private key doubles as the CA key (step 5), anyone who can read the keystore, or the Kubernetes Secret that holds it, can issue client identities the registry will accept. The password `changeit` is a placeholder throughout; replace it.

1. Generate Self-Signed Certificate for NiFi Registry

openssl req -x509 -newkey rsa:4096 -keyout nifi.key -out nifi.crt -days 3650 -nodes \
  -subj "/CN=nifi-registry.local" \
  -addext "subjectAltName=DNS:nifi-registry.local"

The subjectAltName is required: Java clients (and curl and browsers) match the hostname against the SAN and ignore the CN, so a CN-only certificate fails hostname verification. Use the DNS name clients actually connect with, and add further `DNS:` entries, comma-separated, if the registry is reached under more than one name. `-addext` needs OpenSSL 1.1.1 or newer.

2. Create a PKCS12 Keystore

openssl pkcs12 -export \
  -in nifi.crt \
  -inkey nifi.key \
  -out keystore.p12 \
  -name nifi-registry \
  -password pass:changeit

3. Create a Truststore with the Same Certificate

Since the server certificate is also the CA, one truststore serves both directions: the registry uses it to verify client certificates, and clients use it to verify the registry.

keytool -importcert \
  -file nifi.crt \
  -alias nifi-registry \
  -keystore truststore.jks \
  -storepass changeit \
  -noprompt

4. Store Keystore and Truststore as Kubernetes Secret

This Secret contains the private key that signs client certificates, so restrict read access to it with RBAC, create it in the namespace where the chart is installed rather than `default`, and use real passwords instead of the `changeit` placeholder.

kubectl create secret generic nifi-registry-tls \
  --from-file=keystore.p12=./keystore.p12 \
  --from-file=truststore.jks=./truststore.jks \
  --from-literal=keystorePassword='changeit' \
  --from-literal=truststorePassword='changeit' \
  -n default

5. Prepare Files for Client Certificate Signing

The server certificate and key are reused as the CA. Nothing is generated here; the copies only give the files the names the following steps expect. Keep ca.key wherever you sign client certificates and nowhere else it is not needed; it carries the same trust as the registry's own key.

cp nifi.crt ca.crt
cp nifi.key ca.key

6. Sign Client Certificate Request

This step assumes the client already has a private key (client.key) and a certificate signing request (client.csr). If not, create them first. The subject DN of the CSR becomes the identity NiFi Registry sees for this client, so it must be granted access in the registry's authorizations; replace the placeholder below with the user name you want to authorize:

openssl req -newkey rsa:4096 -nodes \
  -keyout client.key \
  -out client.csr \
  -subj "/CN=<client user name>"

Then sign the request with the CA prepared in step 5:

openssl x509 -req \
  -in client.csr \
  -CA ca.crt \
  -CAkey ca.key \
  -CAcreateserial \
  -out client.crt \
  -days 365 \
  -sha256

7. Convert Client Certificate into PKCS12 Format

The resulting client.p12 bundles the client key, its certificate and the CA certificate, and is what gets imported into a browser, curl, or a NiFi instance that talks to the registry.

openssl pkcs12 -export \
  -inkey client.key \
  -in client.crt \
  -certfile ca.crt \
  -out client.p12 \
  -name "Zapata NiFi Client Cert" \
  -passout pass:changeit
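The whole procedure above as one script, with the checks the wiki leaves out. This is an added example, not the chart's or the wiki's own script. It needs only openssl (1.1.1 or newer) and drops keytool, since NiFi Registry reads PKCS12 for the truststore as well as the keystore. The hostname nifi-registry.local, the client CN "alice", the password changeit and the mktemp working directory are placeholders; the rogue CA at the end exists only to show that the registry's truststore rejects a client certificate issued by any other key, even one with an identical subject DN.

```shell
#!/bin/sh
# Added example (not the wiki's own script): the mTLS procedure end to end,
# plus verification. Needs only openssl 1.1.1+; no keytool.
# Placeholders: hostname nifi-registry.local, client CN alice, password changeit.
set -e

PASS='changeit'                  # demo only; generate a real secret for a cluster
SERVER_NAME='nifi-registry.local'
CLIENT_CN='alice'                # NiFi Registry authorizes the DN /CN=alice

# Self-signed certificate with explicit extensions instead of whatever the
# system openssl.cnf defaults to: CA:TRUE so it can issue client certs, and a
# DNS SAN because Java matches the hostname against the SAN, not the CN.
gen_self_signed() {              # $1 dir, $2 file base name, $3 CN, $4 key bits
  local dir=$1 base=$2 cn=$3 bits=${4:-4096}
  cat > "$dir/$base.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $cn
[v3_ca]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:TRUE
keyUsage = digitalSignature, keyEncipherment, keyCertSign
subjectAltName = DNS:$cn
EOF
  openssl req -x509 -newkey "rsa:$bits" -nodes -days 3650 -sha256 \
    -config "$dir/$base.cnf" -keyout "$dir/$base.key" -out "$dir/$base.crt" \
    >/dev/null 2>&1
}

# Steps 2 and 3: PKCS12 keystore (key + cert) and PKCS12 truststore (ca.crt only).
make_stores() {
  local dir=$1
  openssl pkcs12 -export -in "$dir/nifi.crt" -inkey "$dir/nifi.key" \
    -name nifi-registry -out "$dir/keystore.p12" -passout "pass:$PASS"
  openssl pkcs12 -export -nokeys -in "$dir/ca.crt" \
    -out "$dir/truststore.p12" -passout "pass:$PASS"
}

# Steps 6 and 7, plus the client key/CSR the wiki takes as given. The extfile
# pins the certificate to clientAuth and CA:FALSE so it is good for nothing else.
issue_client() {                 # $1 dir, $2 output base name, $3 CA key, $4 CA cert
  local dir=$1 base=$2 cakey=$3 cacert=$4
  if [ ! -f "$dir/client.csr" ]; then
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' \
      "$CLIENT_CN" > "$dir/client.cnf"
    openssl req -newkey rsa:4096 -nodes -config "$dir/client.cnf" \
      -keyout "$dir/client.key" -out "$dir/client.csr" >/dev/null 2>&1
  fi
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature\nextendedKeyUsage = clientAuth\n' \
    > "$dir/client.ext"
  openssl x509 -req -in "$dir/client.csr" -CA "$cacert" -CAkey "$cakey" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/client.ext" \
    -out "$dir/$base.crt" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/$base.crt" \
    -certfile "$cacert" -name "$CLIENT_CN" -out "$dir/$base.p12" \
    -passout "pass:$PASS"
}

# Checks. is_trusted asks the question that matters for mTLS: does the
# registry's truststore (ca.crt) accept this client certificate?
is_trusted()  { openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1; }
has_san()     { openssl x509 -in "$1" -noout -text | grep -q "DNS:$SERVER_NAME"; }
store_opens() { openssl pkcs12 -in "$1" -passin "pass:$PASS" -nodes -noout >/dev/null 2>&1; }

build_all() {                    # the wiki's steps 1 to 7, in order, inside $1
  local dir=$1
  gen_self_signed "$dir" nifi "$SERVER_NAME"
  cp "$dir/nifi.crt" "$dir/ca.crt"; cp "$dir/nifi.key" "$dir/ca.key"   # step 5
  make_stores "$dir"
  issue_client "$dir" client "$dir/ca.key" "$dir/ca.crt"
  # Negative case: the same CSR signed by a rogue self-signed CA. ca.crt must
  # reject it even though the subject DN is identical.
  gen_self_signed "$dir" rogue rogue-ca 2048
  issue_client "$dir" rogue-client "$dir/rogue.key" "$dir/rogue.crt"
}

WORK=$(mktemp -d)
build_all "$WORK"
is_trusted "$WORK" "$WORK/client.crt"       && echo "client.crt: trusted by ca.crt"
is_trusted "$WORK" "$WORK/rogue-client.crt" || echo "rogue-client.crt: rejected"
echo "artifacts written to $WORK"
```

Point the chart at keystore.p12 and truststore.p12 with type PKCS12 for both. OpenSSL 3 writes PKCS12 files with AES and a SHA-256 MAC, which JDKs older than 8u301 or 11.0.12 cannot open; if the registry logs a keystore error on startup, re-export with `openssl pkcs12 -export -legacy ...`.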