This one is quick. My experience with Java is fairly minimal, and I was looking for the correct method of importing a self-signed certificate into the Java keystore, mainly so NiFi would play nice with another server. Simple enough:
openssl s_client -showcerts -connect ip_or_hostname:port </dev/null 2>/dev/null|openssl x509 -outform PEM > /tmp/server.pem
keytool -import -v -trustcacerts -alias `cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1` -file /tmp/server.pem -keystore /etc/ssl/certs/java/cacerts -keypass changeit -storepass changeit
This is for Ubuntu 20.04 with OpenJDK 11, so there's a chance that the location is different on your distribution. You can also pass the following flag to Java so that it doesn't check revocation:
-Dcom.sun.net.ssl.checkRevocation=false
This also wouldn't be complete without describing the settings for the StandardRestrictedSSLContextService controller service on Apache NiFi. Keep in mind the default password is actually changeit.
Keystore Filename: /etc/ssl/certs/java/cacerts
Keystore Password: changeit
Key Password: changeit
Keystore Type: JKS
Truststore Filename: /etc/ssl/certs/java/cacerts
Truststore Password: changeit
Truststore Type: JKS
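The `openssl s_client` step above saves whatever certificate the server presents at that moment, so one way to gate the import is to compare the file's SHA-256 fingerprint with a value obtained out-of-band before calling `keytool`. This is an added example, not part of the original post; the function names, the `pinned-` alias scheme and the `EXPECTED_FP` value are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Function names, the "pinned-"
# alias scheme and the out-of-band expected fingerprint are assumptions.

# Fetch the server's leaf certificate as PEM (same pipeline as in the post).
fetch_leaf_pem() {  # usage: fetch_leaf_pem host:port out.pem
    openssl s_client -showcerts -connect "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM > "$2"
}

# Reduce any fingerprint spelling ("SHA256 Fingerprint=ab:cd", "AB CD")
# to bare upper-case hex so two values can be compared as strings.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# SHA-256 fingerprint of the PEM certificate in $1, normalised.
cert_fp() {
    normalize_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

# Import $1 into keystore $3 only if its fingerprint equals $2.
# usage: import_pinned_cert cert.pem EXPECTED_FP keystore storepass
import_pinned_cert() {
    pem=$1 expected=$(normalize_fp "$2") keystore=$3 storepass=$4
    actual=$(cert_fp "$pem")
    # An empty value means openssl could not parse the file: refuse as well.
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "refusing import: fingerprint ${actual:-unreadable} != $expected" >&2
        return 1
    fi
    # Derive the alias from the fingerprint so a repeat import of the same
    # certificate hits an existing alias instead of adding a second entry.
    alias_name="pinned-$(printf '%s' "$actual" | cut -c1-16 | tr 'A-F' 'a-f')"
    keytool -importcert -noprompt -trustcacerts -alias "$alias_name" \
        -file "$pem" -keystore "$keystore" -storepass "$storepass"
}

# Example call (EXPECTED_FP comes from the server's administrator, not the network):
#   fetch_leaf_pem ip_or_hostname:port /tmp/server.pem
#   import_pinned_cert /tmp/server.pem "$EXPECTED_FP" /etc/ssl/certs/java/cacerts changeit
```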
Happy Java...ing? I don't know what Java people say to each other. It's the thought that counts.