Importing Certificates into the Java Keystore
This one is quick. My experience with Java is fairly minimal, and I was looking for the correct method of importing a self-signed certificate into the Java keystore, mainly so NiFi would play nice with another server. Simple enough:
openssl s_client -showcerts -connect ip_or_hostname:port </dev/null 2>/dev/null|openssl x509 -outform PEM > /tmp/server.pem
keytool -import -v -trustcacerts -alias `cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1` -file /tmp/server.pem -keystore /etc/ssl/certs/java/cacerts -keypass changeit -storepass changeit
This is for Ubuntu 20.04 with OpenJDK 11, so there's a chance that the keystore location is different on your distribution. You can also pass the following flag to Java so that it doesn't check revocation:
-Dcom.sun.net.ssl.checkRevocation=false
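The import above trusts whatever certificate the server presents at that moment. The following is an added example, not part of the original post: it performs the same import only when the fetched certificate's SHA-256 fingerprint matches one obtained out of band. The function names, the script name, the alias and the expected fingerprint argument are assumptions.

```sh
#!/bin/sh
# Added example: pin the fetched certificate to a known fingerprint before
# importing it. Host, port, alias and fingerprint are caller-supplied values.

# Normalise a fingerprint: drop colons/spaces, upper-case the hex digits.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Succeeds only when both values are the same 64-hex-digit SHA-256 fingerprint.
# The length check makes an empty result (failed fetch) count as a mismatch.
fp_matches() {
    a=$(normalize_fp "$1"); b=$(normalize_fp "$2")
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# SHA-256 fingerprint of a PEM certificate file, as printed by openssl.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# import_pinned HOST:PORT EXPECTED_FP ALIAS [KEYSTORE]
import_pinned() {
    pem=$(mktemp) || return 1
    openssl s_client -showcerts -connect "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$pem"
    got=$(cert_fp "$pem")
    if fp_matches "$got" "$2"; then
        # -noprompt is safe here because the fingerprint was already checked.
        keytool -importcert -noprompt -trustcacerts -alias "$3" -file "$pem" \
            -keystore "${4:-/etc/ssl/certs/java/cacerts}" -storepass changeit
        rc=$?
    else
        echo "fingerprint mismatch: got '$got'" >&2
        rc=1
    fi
    rm -f "$pem"
    return "$rc"
}

# Runs only when called with arguments, e.g. (hypothetical script name):
#   sh import_pinned.sh ip_or_hostname:port 'AB:CD:...' nifi-peer
if [ "$#" -ge 3 ]; then import_pinned "$@"; fi
```

The expected fingerprint should come from the server's administrator or from running `openssl x509 -noout -fingerprint -sha256` on the server itself, not from the same network connection.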
This also wouldn't be complete without describing the settings for the StandardRestrictedSSLContextService controller service on Apache NiFi. Keep in mind that the default keystore password is actually changeit.
Keystore Filename: /etc/ssl/certs/java/cacerts
Keystore Password: changeit
Key Password: changeit
Keystore Type: JKS
Truststore Filename: /etc/ssl/certs/java/cacerts
Truststore Password: changeit
Truststore Type: JKS
Happy Java...ing? I don't know what Java people say to each other. It's the thought that counts.