Failed attempt to use PKCS12

How credentials were created—summary 

$ keytool -genkeypair -keyalg RSA -alias mdmi -storetype PKCS12 -keystore mdmi-keystore.pkcs12 -validity 365 -keysize 2048
$ keytool -export -alias mdmi -file mdmi-keystore.crt -storetype PKCS12 -keystore mdmi-keystore.pkcs12 -storepass changeit
$ keytool -import -noprompt -trustcacerts -alias mdmi -file mdmi-keystore.crt -storetype PKCS12 -keystore mdmi-truststore.pkcs12 -storepass changeit

Credential inspection 

~/dev/nifi/nifi-1.15.0/conf $ keytool -list -v -keystore mdmi-keystore.pkcs12
Enter keystore password: changeit
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: mdmi
Creation date: Jul 21, 2022
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=windofkeltia.com, OU=Unknown, O=Wind of Keltia, L=Provo, ST=UT, C=US
Issuer: CN=windofkeltia.com, OU=Unknown, O=Wind of Keltia, L=Provo, ST=UT, C=US
Serial number: 3991a09e
Valid from: Thu Jul 21 13:17:06 MDT 2022 until: Fri Jul 21 13:17:06 MDT 2023
Certificate fingerprints:
	 SHA1: 28:1A:C0:9D:CE:E7:B3:51:EA:62:0F:75:2D:69:54:DC:41:B8:B2:DF
	 SHA256: 0C:B8:90:24:E0:22:AF:64:AB:9F:FB:CF:4F:9E:45:B9:07:2D:FA:19:91:D3:46:18:53:25:00:96:CD:F6:97:B6
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 14 7C B7 AE 6D AB 8D DE   19 9C 05 A8 1A 37 6B 66  ....m........7kf
0010: E8 49 41 A1                                        .IA.
]
]

*******************************************
*******************************************
~/dev/nifi/nifi-1.15.0/conf $ keytool -list -v -keystore mdmi-truststore.pkcs12
Enter keystore password: changeit
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: mdmi
Creation date: Jul 21, 2022
Entry type: trustedCertEntry

Owner: CN=windofkeltia.com, OU=Unknown, O=Wind of Keltia, L=Provo, ST=UT, C=US
Issuer: CN=windofkeltia.com, OU=Unknown, O=Wind of Keltia, L=Provo, ST=UT, C=US
Serial number: 3991a09e
Valid from: Thu Jul 21 13:17:06 MDT 2022 until: Fri Jul 21 13:17:06 MDT 2023
Certificate fingerprints:
	 SHA1: 28:1A:C0:9D:CE:E7:B3:51:EA:62:0F:75:2D:69:54:DC:41:B8:B2:DF
	 SHA256: 0C:B8:90:24:E0:22:AF:64:AB:9F:FB:CF:4F:9E:45:B9:07:2D:FA:19:91:D3:46:18:53:25:00:96:CD:F6:97:B6
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 14 7C B7 AE 6D AB 8D DE   19 9C 05 A8 1A 37 6B 66  ....m........7kf
0010: E8 49 41 A1                                        .IA.
]
]

*******************************************
*******************************************

StandardRestrictedSSLContextService configuration

First, I used conf/mdmi-keystore.pkcs12, etc., but in Configure Apache NiFi StandardRestrictedSSLContextService Controller Service,
I saw someone assert that full paths are needed, so I began doing that. 

  Keystore Filename: /home/russ/dev/nifi/nifi-1.15.0/conf/mdmi-keystore.pkcs12
  Keystore Password: changeit
       Key Password: changeit
      Keystore Type: PKCS12
Truststore Filename: /home/russ/dev/nifi/nifi-1.15.0/conf/mdmi-truststore.pkcs12
Truststore Password: changeit
    Truststore Type: PKCS12
       TLS Protocol: TLS

Errors in StandardRestrictedSSLContextService 

Keystore Properties is invalid because invalid keystore password or type specified for file conf/mdmi-keystore.pkcs12
Truststore Properties is invalid because invalid truststore password or type specified for file conf/mdmi-truststore.pkcs12

Other things tried...

I tried StandardSSLContextService in lieu of StandardRestrictedSSLContextService. Validation still failed.
I show JKS here as store type, but that was the first time around. Later I standardized on using PKCS12.
You see that just above here in oppostion to the older illustration posted below.

Some very useful links and notes in response to my question...

First, my question as I posed it in the Apache NiFi User's forum...

I have hesitated between providing some huge tl;dr exposé and something shorter. I'll do shorter here.

  1. For now, I'm using "changeit" below as password rolling a self-signed certificate for key, key store and trust store.
  2. I have a service running in Tomcat that I hit via HTTPs because the content always involves personal health information.
  3. I use a key store containing my certificate. No trust store is needed or involved in Tomcat.
  4. I need to hit my Tomcat service using InvokeHTTP in my flow.
  5. This means configuring an instance of Standard[Restricted]SSLContextService.
  6. The SSL context service insists on a defined key store with key password and key store password.
  7. The SSL context service insists on a defined trust store. The best I have been able to do is to roll the key store certificate into a trust store.
  8. When either key- or trust store file is missing, the SSL context service complains that a resource is missing (for key store or trust store).
  9. Once both files/resources exist, all three passwords appear crucial.
  10. Despite password used to create key and certificates, it is always wrong according to SSL context service validator which consistently issues:

Keystore Properties is invalid because invalid keystore password or type specified for file __________.
Truststore Properties is invalid because invalid truststore password or type specified for file __________.

It would be nice to see a step-by-step illustration of creating the key, key store and trust store artifacts required by SSL context service and perhaps the full configuration of the SSL context service.

Other notes:

  1. I seem to get pretty far toward a solution using Java's keytool.
  2. I don't get very far using openssl.
  3. I get even less traction trying to use NiFi's TLS toolkit to solve this.
  4. I guess I could simply write my own SSL context service that doesn't require a trust store?

Huge thanks for any help or comments.

And now the answers...