Steps and output for generating a public/private keypair, a CSR to get it signed by an external CA, and then importing the signed certificate and certificate chain into a JKS keystore for use in Apache NiFi.
hw12203:/Users/alopresto/Workspace/scratch/csr-demo (master) alopresto
3s @ 16:33:45 $ keytool -genkey -alias nifi -keyalg RSA -keysize 2048 -keystore keystore.jks
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: nifi.apache.org
What is the name of your organizational unit?
[Unknown]: NiFi
What is the name of your organization?
[Unknown]: Apache
What is the name of your City or Locality?
[Unknown]: Santa Monica
What is the name of your State or Province?
[Unknown]: CA
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=nifi.apache.org, OU=NiFi, O=Apache, L=Santa Monica, ST=CA, C=US correct?
[no]: y
Enter key password for <nifi>
(RETURN if same as keystore password):
hw12203:/Users/alopresto/Workspace/scratch/csr-demo (master) alopresto
1708s @ 17:02:15 $ keytool -certreq -alias nifi -keyalg RSA -file nifi.csr -keystore keystore.jks
Enter keystore password:
hw12203:/Users/alopresto/Workspace/scratch/csr-demo (master) alopresto
51s @ 17:03:07 $ ll
total 16
drwxr-xr-x 4 alopresto staff 136B Oct 26 17:03 ./
drwxr-xr-x 58 alopresto staff 1.9K Oct 26 16:33 ../
-rw-r--r-- 1 alopresto staff 2.2K Oct 26 17:02 keystore.jks
-rw-r--r-- 1 alopresto staff 1.1K Oct 26 17:03 nifi.csr
hw12203:/Users/alopresto/Workspace/scratch/csr-demo (master) alopresto
2s @ 17:03:10 $ more nifi.csr
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC4DCCAcgCAQAwazELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRUwEwYDVQQH
EwxTYW50YSBNb25pY2ExDzANBgNVBAoTBkFwYWNoZTENMAsGA1UECxMETmlGaTEY
MBYGA1UEAxMPbmlmaS5hcGFjaGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAmYDueTT3NINXSHTymgnAL2ilsbzZ2nUof3DQ7TofZX9Zn5r1cEcy
Jc0U9bwJDkPEXXwvN574WiL5txVKV+LZL+nqJSWlNStvBiMbZ4eM7UuwH9IPm/36
yofhkeqCoFBOR4E4OyJtAsTRs7yjp72Yw44EHpV1xjVxXBnAcCuckKwUk1+9Q/gj
/pVmsMfor9bytoqp7fiiYlqQ2qpRVx16++pg2JTIMClM8++EI68yKwofMDLeJG0P
cxxN0lvF+c86UoAzXCKHD7cJyTzTR6PpdBYuOXZrEBOj9oQvCCaN9nkQ+7ZwTN2+
78UKxPfL2BtYsBz/bhjClVmOVzASncKTSwIDAQABoDAwLgYJKoZIhvcNAQkOMSEw
HzAdBgNVHQ4EFgQUlgL5Hb5T8NkQybhTQUaSbn3kY7MwDQYJKoZIhvcNAQELBQAD
ggEBAG8rOsz8WbDv/xWhhMZmj66kRJoZIfvx5g8ZlYduUhZwBAs9Bc97+awrKuVt
2hzSTO5WiONmkpYvjz//8yyjB4BiFh6p8EyML109aHHMerm5V4elVZ9uQ0MKnGI+
auvOwNCWPUSNuT1NJ+0SS38cvuECGYhipWnykgYsvJv0xEX7pCPmxpS7A5M2IKmK
fKN9xqRxf+pgxaMl9WAxl22Yi9sv9/nOEUNxBG61gin0YVF7eNAlB12fLdFbCo3M
emmRx6FXbdHgOXjY29Mw9A+cmrM38JENFiXP7Qoo0aCpDPDEH2ORqNQUupUsy/Bh
66po3/eT9YpOt7+5w2Qi6Zl3A34=
-----END NEW CERTIFICATE REQUEST-----
hw12203:/Users/alopresto/Workspace/scratch/csr-demo (master) alopresto
17s @ 17:03:28 $ # send CSR to CA and get it signed
hw12203:/Users/alopresto/Workspace/scratch/csr-demo (master) alopresto
10s @ 17:03:39 $ # the file is now available as nifi_from_ca.pem
hw12203:/Users/alopresto/Workspace/scratch/csr-demo (master) alopresto
488s @ 17:11:48 $ ll
total 32
drwxr-xr-x 5 alopresto staff 170B Oct 26 17:10 ./
drwxr-xr-x 59 alopresto staff 2.0K Oct 26 17:04 ../
-rw-r--r-- 1 alopresto staff 2.2K Oct 26 17:02 keystore.jks
-rw-r--r-- 1 alopresto staff 1.1K Oct 26 17:03 nifi.csr
-rw-r--r-- 1 alopresto staff 5.7K Oct 26 17:10 nifi_from_ca.pem
hw12203:/Users/alopresto/Workspace/scratch/csr-demo (master) alopresto
33s @ 17:13:29 $ openssl x509 -in nifi_from_ca.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=California, L=Santa Monica, O=Apache, OU=NiFi, CN=Example NiFi CA/emailAddress=example@nifi.apache.org
Validity
Not Before: Oct 27 00:10:07 2016 GMT
Not After : Jul 24 00:10:07 2019 GMT
Subject: C=US, ST=CA, L=Santa Monica, O=Apache, OU=NiFi, CN=nifi.apache.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
96:02:F9:1D:BE:53:F0:D9:10:C9:B8:53:41:46:92:6E:7D:E4:63:B3
X509v3 Authority Key Identifier:
keyid:44:D8:A0:AA:3F:8D:24:1D:66:A0:EE:A0:2E:04:9F:DB:C5:EB:43:CA
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
Signature Algorithm: sha256WithRSAEncryption
hw12203:/Users/alopresto/Workspace/scratch/csr-demo (master) alopresto
55s @ 17:15:12 $ keytool -import -trustcacerts -alias nifi -file nifi_from_ca.pem -keystore keystore.jks
Enter keystore password:
Top-level certificate in reply:
Owner: EMAILADDRESS=example@nifi.apache.org, CN=Example NiFi CA, OU=NiFi, O=Apache, L=Santa Monica, ST=California, C=US
Issuer: EMAILADDRESS=example@nifi.apache.org, CN=Example NiFi CA, OU=NiFi, O=Apache, L=Santa Monica, ST=California, C=US
Serial number: febe1f6a9724c4a5
Valid from: Wed Oct 26 17:08:01 PDT 2016 until: Fri Nov 25 16:08:01 PST 2016
Certificate fingerprints:
MD5: 17:7F:03:97:E6:EE:AE:29:87:60:07:D9:D0:9F:E7:E5
SHA1: 1E:76:3F:1F:C6:0A:08:CF:D0:00:C5:4F:80:99:54:7B:F6:62:A6:16
SHA256: 5A:26:B5:0D:9D:75:A0:51:C6:0A:C5:95:CD:AB:D9:03:05:83:DF:45:AA:43:94:B2:5C:0C:BA:11:2B:28:36:A7
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 44 D8 A0 AA 3F 8D 24 1D 66 A0 EE A0 2E 04 9F DB D...?.$.f.......
0010: C5 EB 43 CA ..C.
]
]
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
Key_CertSign
Crl_Sign
]
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 44 D8 A0 AA 3F 8D 24 1D 66 A0 EE A0 2E 04 9F DB D...?.$.f.......
0010: C5 EB 43 CA ..C.
]
]
... is not trusted. Install reply anyway? [no]: y
Certificate reply was installed in keystore
hw12203:/Users/alopresto/Workspace/scratch/csr-demo (master) alopresto
155s @ 17:17:48 $ keytool -list -v -keystore keystore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: nifi
Creation date: Oct 26, 2016
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=nifi.apache.org, OU=NiFi, O=Apache, L=Santa Monica, ST=CA, C=US
Issuer: EMAILADDRESS=example@nifi.apache.org, CN=Example NiFi CA, OU=NiFi, O=Apache, L=Santa Monica, ST=California, C=US
Serial number: 1
Valid from: Wed Oct 26 17:10:07 PDT 2016 until: Tue Jul 23 17:10:07 PDT 2019
Certificate fingerprints:
MD5: 31:74:68:A5:FD:85:18:3B:6B:62:D1:60:E0:C8:BF:04
SHA1: C7:27:8F:6B:4A:D3:8F:1E:A2:D8:26:B3:91:F7:46:68:66:B1:9F:12
SHA256: 12:DB:22:6E:B5:AF:5B:AC:E2:CB:D9:79:38:2B:F0:7B:C3:78:D9:F9:58:CA:5F:F1:82:F5:EC:26:BB:0B:27:29
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 44 D8 A0 AA 3F 8D 24 1D 66 A0 EE A0 2E 04 9F DB D...?.$.f.......
0010: C5 EB 43 CA ..C.
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
#3: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 96 02 F9 1D BE 53 F0 D9 10 C9 B8 53 41 46 92 6E .....S.....SAF.n
0010: 7D E4 63 B3 ..c.
]
]
Certificate[2]:
Owner: EMAILADDRESS=example@nifi.apache.org, CN=Example NiFi CA, OU=NiFi, O=Apache, L=Santa Monica, ST=California, C=US
Issuer: EMAILADDRESS=example@nifi.apache.org, CN=Example NiFi CA, OU=NiFi, O=Apache, L=Santa Monica, ST=California, C=US
Serial number: febe1f6a9724c4a5
Valid from: Wed Oct 26 17:08:01 PDT 2016 until: Fri Nov 25 16:08:01 PST 2016
Certificate fingerprints:
MD5: 17:7F:03:97:E6:EE:AE:29:87:60:07:D9:D0:9F:E7:E5
SHA1: 1E:76:3F:1F:C6:0A:08:CF:D0:00:C5:4F:80:99:54:7B:F6:62:A6:16
SHA256: 5A:26:B5:0D:9D:75:A0:51:C6:0A:C5:95:CD:AB:D9:03:05:83:DF:45:AA:43:94:B2:5C:0C:BA:11:2B:28:36:A7
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 44 D8 A0 AA 3F 8D 24 1D 66 A0 EE A0 2E 04 9F DB D...?.$.f.......
0010: C5 EB 43 CA ..C.
]
]
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
Key_CertSign
Crl_Sign
]
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 44 D8 A0 AA 3F 8D 24 1D 66 A0 EE A0 2E 04 9F DB D...?.$.f.......
0010: C5 EB 43 CA ..C.
]
]
*******************************************
*******************************************
hw12203:/Users/alopresto/Workspace/scratch/csr-demo (master) alopresto
12s @ 17:18:01 $
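The CA side that the transcript skips at "# send CSR to CA and get it signed", plus the checks worth running on nifi_from_ca.pem before answering y to keytool's "Install reply anyway?" prompt, as an added example that is not part of the original transcript. It uses openssl for a throwaway CA and for the NiFi-side key and CSR (the keytool -genkey / -certreq steps above); the file names demo-ca.*, req.cnf, leaf.ext and the check_reply function are constructed here, and the only assumption is an openssl 1.1.1 or later binary.

```shell
#!/bin/sh
# Added example, not part of the original transcript: plays the CA the transcript
# only mentions ("send CSR to CA and get it signed") and runs the checks worth doing
# on the reply before answering "y" to keytool's "Install reply anyway?".
# Assumes only openssl 1.1.1+; every file name is constructed, in a temp dir.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
# Minimal req config so nothing here depends on a system openssl.cnf
cat > req.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example NiFi CA
O = Apache
[ca_ext]
basicConstraints = critical,CA:true
keyUsage = keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
# CA side: self-signed root, deliberately short-lived (30 days) like the transcript's
openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -days 30 \
  -keyout demo-ca.key -out demo-ca.pem 2>/dev/null
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > leaf.ext
# NiFi side: key + CSR (keytool -genkey / -certreq in the transcript), via openssl here
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout nifi.key -out nifi.csr \
  -subj "/C=US/ST=CA/L=Santa Monica/O=Apache/OU=NiFi/CN=nifi.apache.org" 2>/dev/null
# CA signs for 1000 days (as in the transcript) and returns leaf + CA cert in one file
openssl x509 -req -in nifi.csr -CA demo-ca.pem -CAkey demo-ca.key -CAcreateserial \
  -days 1000 -extfile leaf.ext -out leaf.pem 2>/dev/null
cat leaf.pem demo-ca.pem > nifi_from_ca.pem

# check_reply CSR REPLY CA_CERT [MIN_CA_DAYS]: returns 0 if the reply is safe to import
check_reply() {
  csr=$1; reply=$2; ca=$3; min_days=${4:-90}
  # 1. The reply must certify the key that made the CSR (keytool rejects this too).
  [ "$(openssl req -in "$csr" -pubkey -noout)" = "$(openssl x509 -in "$reply" -pubkey -noout)" ] \
    || { echo "public key in reply does not match CSR"; return 1; }
  # 2. The first cert in the reply must chain to the CA whose fingerprint you checked out of band.
  openssl x509 -in "$reply" -out first.pem
  openssl verify -CAfile "$ca" first.pem >/dev/null || { echo "chain does not verify"; return 1; }
  # 3. A CA that expires before the leaf breaks the chain early; the transcript's CA had 30 days.
  openssl x509 -in "$ca" -noout -checkend $((min_days * 86400)) >/dev/null \
    || { echo "CA cert expires within $min_days days"; return 1; }
}
check_reply nifi.csr nifi_from_ca.pem demo-ca.pem 7 && echo "reply OK, import with keytool -import -trustcacerts"
check_reply nifi.csr nifi_from_ca.pem demo-ca.pem 90 || echo "(a 30-day CA fails the 90-day check)"
```

Compare the SHA256 fingerprint of the CA certificate (openssl x509 -noout -fingerprint -sha256 -in demo-ca.pem) with the SHA256 line keytool prints for the top-level certificate before answering y. In the transcript the CA certificate is valid only until Nov 25 2016 while the leaf runs to Jul 2019, which is exactly what the third check flags.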