Integrating with the Windows certificate store

Manual setup of the client and server certificates on the MiNiFi side:

nifi.remote.input.secure=true
nifi.security.need.ClientAuth=true
nifi.security.client.certificate=C:\opt\nifi\data\ssl\client-certificate.pem
nifi.security.client.private.key=C:\opt\nifi\data\ssl\client-certificate.key
#nifi.security.client.pass.phrase=
nifi.security.client.ca.certificate=C:\opt\nifi\data\ssl\server-certificate.pem
#nifi.security.use.system.cert.store=

If both client and server certificates are in the LocalMachine (= "Local Computer") system certificate store (in MY = "Personal" and ROOT = "Trusted Root Certification Authorities", respectively), then you can simply do:

nifi.remote.input.secure=true
nifi.security.need.ClientAuth=true
#nifi.security.client.certificate=
#nifi.security.client.private.key=
#nifi.security.client.pass.phrase=
#nifi.security.client.ca.certificate=
nifi.security.use.system.cert.store=true

If you need to select the client certificate by CN, you can add the following property:

nifi.security.windows.client.cert.cn=<myCertificateIssuedToName>

If you need to select the client certificate by Extended (= "Enhanced") Key Usage, you can add the following property:

nifi.security.windows.client.cert.key.usage=Client Authentication, Server Authentication

You can also use a different system store location or a different system store for the client and server certificates, if needed:

# instead of LocalMachine
nifi.security.windows.cert.store.location=CurrentUser

# instead of MY
nifi.security.windows.client.cert.store=TrustedPeople

# instead of ROOT
nifi.security.windows.server.cert.store=TrustedPublisher