Additional Certificate Commands

  1. To convert from DER encoded public certificate (cert.der) to PEM encoded (cert.pem):

    • If the DER file contains both the public certificate and private key, remove the private key with this command:

      • perl -pe 'BEGIN{undef $/;} s|-----BEGIN PRIVATE KEY-----.*?-----END PRIVATE KEY-----|Removed private key|gs' cert.der > cert.pem

    • If the DER file only contains the public certificate, use this command:

      • openssl x509 -inform der -in cert.der -out cert.pem

  2. To convert from a PKCS12 keystore (keystore.p12) containing both the public certificate and private key into PEM encoded files ($PASSWORD is the keystore password):

    • openssl pkcs12 -in keystore.p12 -nodes -clcerts -nokeys -out cert.pem -password "pass:$PASSWORD"

    • openssl pkcs12 -in keystore.p12 -nodes -nocerts -out key.key -password "pass:$PASSWORD"

  3. To convert from a Java Keystore (keystore.jks) containing private key into PEM encoded files ($P12_PASSWORD is the PKCS12 keystore password, $JKS_PASSWORD is the Java keystore password you want to set, and $ALIAS can be any value - the NiFi default is nifi-key):

    • keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -srcstoretype JKS -deststoretype PKCS12 -destkeypass "$P12_PASSWORD" -deststorepass "$P12_PASSWORD" -srcstorepass "$JKS_PASSWORD" -srcalias "$ALIAS" -destalias "$ALIAS"

    • Follow the steps above to convert from keystore.p12 to cert.pem and key.key

  4. To convert from PKCS #8 PEM format to PKCS #1 PEM format:

    • If the private key is provided in PKCS #8 format (the file begins with -----BEGIN PRIVATE KEY----- rather than -----BEGIN RSA PRIVATE KEY-----), the following command will convert it to PKCS #1 format, move the original to nifi-key-pkcs8.key, and rename the PKCS #1 version as nifi-key.key:

      • openssl rsa -in nifi-key.key -out nifi-key-pkcs1.key && mv nifi-key.key nifi-key-pkcs8.key && mv nifi-key-pkcs1.key nifi-key.key

  5. To combine a private key in PEM format (private.key) and public certificate in PEM format (certificate.pem) into PKCS12 keystore:

    • The following command will create the PKCS12 keystore (keystore.p12) from the two independent files. A Java keystore (JKS) cannot be formed directly from the PEM files:

      • openssl pkcs12 -export -out keystore.p12 -inkey private.key -in certificate.pem

  6. To convert a PKCS12 keystore (keystore.p12) to JKS keystore (keystore.jks):

    • The following command will create the JKS keystore (keystore.jks). The -destalias flag is optional, as NiFi does not currently read from a specific alias in the keystore. The user will be prompted for a keystore password, which must be set and have minimum 8 characters, and a key password, which can be the same as the keystore password or different:

      • keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype jks -destalias nifi-key