The Java Trust Store

Paul Grey
Russell Bateman
August 2022

Quick command summary

# Using an on-the-fly, generic TLS client connecting to Tomcat, show its certificate...
$ openssl s_client -connect localhost:8443 -showcerts

# Excerpt everything between the begin header and end footer into a new certificate...
$ gvim trust.crt
-----BEGIN CERTIFICATE-----
MIIDWzCCAkOgAwIBAgIEHc35dTANBgkqhkiG9w0BDEFDEa
.
.
.
7jLkPm7Cm1IpviKkEsKhLnlj+RTZGmK4ZoV1Uixt45ozFt7lYKciy0IxD3U3RHQ=
-----END CERTIFICATE-----

# Display the text of this new certificate if it validates...
$ openssl x509 -in trust.crt -text

# Import Tomcat's certificate to a Java keystore...
$ keytool -importcert -keystore trust.jks -file trust.crt -alias tomcat

In the end, this creates an artifact, trust.jks, that will pass muster with Apache NiFi SSLContextService and processor InvokeHTTP, but Tomcat must already be working over port 8443 (TLS).

Steps illustrated

  1. Use openssl s_client to dump a certificate to stdout, grab that and save it into trust.crt:
    $ openssl s_client -connect localhost:8443 -showcerts
    

    Here's what comes out of openssl s_client. Grab the text from the -----BEGIN CERTIFICATE----- line through the -----END CERTIFICATE----- line, inclusive (shown below), and save it to a file with a name like trust.crt.

    CONNECTED(00000003)
    Can't use SSL_get_servername
    depth=0 C = US, ST = UT, L = Provo, O = Wind of Keltia, CN = windofkeltia.com
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 C = US, ST = UT, L = Provo, O = Wind of Keltia, CN = windofkeltia.com
    verify return:1
    ---
    Certificate chain
     0 s:C = US, ST = UT, L = Provo, O = Wind of Keltia, CN = windofkeltia.com
       i:C = US, ST = UT, L = Provo, O = Wind of Keltia, CN = windofkeltia.com
    -----BEGIN CERTIFICATE-----
    MIIDWzCCAkOgAwIBAgIEHc35dTANBgkqhkiG9w0BAQsFADBeMQswCQYDVQQGEwJV
    UzELMAkGA1UECBMCVVQxDjAMBgNVBAcTBVByb3ZvMRcwFQYDVQQKEw5XaW5kIG9m
    IEtlbHRpYTEZMBcGA1UEAxMQd2luZG9ma2VsdGlhLmNvbTAeFw0yMjA3MjgxNzMx
    MTFaFw0yMzA3MjgxNzMxMTFaMF4xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJVVDEO
    MAwGA1UEBxMFUHJvdm8xFzAVBgNVBAoTDldpbmQgb2YgS2VsdGlhMRkwFwYDVQQD
    ExB3aW5kb2ZrZWx0aWEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
    AQEAsvV25AHA92oMNDXrxoECEsA3/c14qTltpu0nd5B6tVdu+MPzifCfob0EdjDr
    /O3BzZl2TGxRuWK5m/ZSjgpNr7YjFvgb8Vn03utZ9rOjnROwoanOFLd4amoNF0sH
    yyLkD+Glau1GxMmstgagFfN53gkECJaely7cF/PlhLyaj9HjfD3dJ6nl/1d0+W+Y
    OsvRQAz4OXm1iFDP4b39vbEa0BPLA0IB74gZKgL8ZWlIwBaLimd3j3d5wiVzNI34
    4revXxmQNYzywdiWyGM2EgP6YA0/gR/E2EzGpz9nEKpfKrqb6xOodazzkHui1WoN
    VWZWImWDdx99F4bsx0XILZFCHwIDAQABoyEwHzAdBgNVHQ4EFgQU2jerxaTloIzl
    9+famp4aABJTbbcwDQYJKoZIhvcNAQELBQADggEBAEL7+gsANUO2ivpvf/SKgPLF
    w05BYpmYEGcjaXHaDmlyqW+tSwdgIO192RKrYpfXHLmMZv69LfzeOnhcdXDX+ufF
    HoZTTyfzQ2e0YYUfz6q1EpoRxLR+sMQr1Y87GDui4AyB/+BGQvDi6zk+ThNZBWXd
    y/da7FdT1Z1NDWuIJB+BjcEY/GxZOZm00wAryFCV6p1HVsfEhgCmGLzvCrMm9NIo
    2jC4860p926YIsPlURIzTGLjOCOpECGqrxz8m6ojed+k3sAgHMMHCt3mE+81yK6L
    7jLkPm7Cm1IpviKkEsKhLnlj+RTZGmK4ZoV1Uixt45ozFt7lYKciy0IxD3U3RHQ=
    -----END CERTIFICATE-----
    ---
    Server certificate
    subject=C = US, ST = UT, L = Provo, O = Wind of Keltia, CN = windofkeltia.com
    
    issuer=C = US, ST = UT, L = Provo, O = Wind of Keltia, CN = windofkeltia.com
    
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Peer signature type: RSA-PSS
    Server Temp Key: X25519, 253 bits
    ---
    SSL handshake has read 1395 bytes and written 363 bytes
    Verification error: self signed certificate
    ---
    New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 18 (self signed certificate)
    ---
    ---
    Post-Handshake New Session Ticket arrived:
    SSL-Session:
        Protocol  : TLSv1.3
        Cipher    : TLS_AES_256_GCM_SHA384
        Session-ID: 6FDFA455BD608D03B85B0B8E47D2A967BDD8E4B9FF656795E4A092B387CE84FF
        Session-ID-ctx:
        Resumption PSK: 7671F41E7E4E639278D007778211C80A2159CF035081B0A3A2AD7B799FE76BE5B5AA24014730955151250C0B420D9DD4
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 86400 (seconds)
        TLS session ticket:
        0000 - b0 85 5e 0c f7 82 b6 39-f3 bb f9 b6 01 12 ff b1   ..^....9........
        0010 - e1 6c 2a 79 7f d6 96 8a-ff 4f 55 8f 94 29 0b eb   .l*y.....OU..)..
    
        Start Time: 1659476764
        Timeout   : 7200 (sec)
        Verify return code: 18 (self signed certificate)
        Extended master secret: no
        Max Early Data: 0
    ---
    read R BLOCK
    closed
    
  2. Pass the new file to openssl x509 and compare its output with what s_client showed to ensure it's the same certificate:
    $ openssl x509 -in trust.crt -text
    
  3. Using the new certificate with Java keytool, create a JKS keystore containing it.
    $ keytool -importcert -file trust.crt -alias tomcat -keystore trust.jks -keypass changeit -storepass changeit
    
  4. Find a place accessible to Apache NiFi, such as ${NIFI_ROOT}/certificates, to drop this new certificate.
  5. Finally, enter the following into your StandardSSLContextService configuration to tell NiFi this is a trust store:
    • Truststore Filename → full path to trust.jks
    • Truststore Password → (from step #3)
    • Truststore Type → JKS
  6. Don't want to lose this link: https://community.cloudera.com/t5/Support-Questions/Is-it-possible-to-provide-options-to-InvokeHTTP-nifi/td-p/236239
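The steps above, automated as an added example that is not part of the original note: it extracts the leaf certificate from the s_client transcript with awk, validates it with openssl x509, imports it with keytool, and then adds a check the note does not perform, comparing the SHA-256 fingerprint of what the server presented with the fingerprint of what was actually stored in trust.jks. It assumes openssl and keytool are on PATH; the function names and the "run" argument guard are mine, the file names, alias and password are the page's.

```shell
#!/bin/sh
# Added example, not from the original page. Automates steps 1-3 and adds a
# check the page does not: the SHA-256 fingerprint of what Tomcat presented
# must equal the fingerprint of what ended up in trust.jks. Assumes openssl and
# keytool are on PATH; the "run" argument guard and function names are mine.
set -e

# Print the first PEM block on stdin, i.e. entry 0 (the leaf) of the
# "Certificate chain" in an openssl s_client transcript. Pure awk.
extract_first_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ {p=1}
         p {print}
         /-----END CERTIFICATE-----/ {if (p) exit}'
}

# Step 1: fetch the leaf certificate from host:port into a file. </dev/null
# closes s_client's stdin so it exits right after the handshake.
fetch_leaf_cert() {   # host port outfile
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
        | extract_first_pem > "$3"
    # Step 2: fail loudly if what was captured does not parse as a certificate.
    openssl x509 -in "$3" -noout
}

# SHA-256 fingerprint of the PEM certificate on stdin, e.g. AB:CD:...
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Step 3: import the certificate as a trusted entry in a JKS store, then read
# it back out of the store and print its fingerprint.
import_trusted_cert() {   # pemfile alias keystore storepass
    keytool -importcert -noprompt -file "$1" -alias "$2" \
        -keystore "$3" -storepass "$4" -storetype JKS >/dev/null
    keytool -list -rfc -keystore "$3" -storepass "$4" -alias "$2" \
        | extract_first_pem | cert_fingerprint
}

# Usage: sh make_truststore.sh run [host] [port]; with no arguments the
# script only defines the functions above.
if [ "${1:-}" = "run" ]; then
    fetch_leaf_cert "${2:-localhost}" "${3:-8443}" trust.crt
    live=$(cert_fingerprint < trust.crt)
    stored=$(import_trusted_cert trust.crt tomcat trust.jks changeit)
    echo "presented by server: $live"
    echo "stored in trust.jks: $stored"
    [ "$live" = "$stored" ] || { echo "fingerprint mismatch" >&2; exit 1; }
fi
```

Because the certificate in the transcript above is self-signed (verify return code 18), nothing in the chain vouches for it: the printed fingerprint is what to compare against the value the Tomcat operator reports before NiFi is pointed at the store.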