Integrating with the Windows certificate store

Learn how to enable MiNiFi C++ to obtain its certificates from the OS truststore instead of from PEM files on disk.

If you want MiNiFi to communicate with the C2 server securely over HTTPS, you need a server certificate that the server uses to identify itself, a client certificate that MiNiFi uses to identify itself, and the private key corresponding to the client certificate.

Manual setup of the client and server certificates on the MiNiFi side:

nifi.remote.input.secure=true
nifi.security.need.ClientAuth=true
nifi.security.client.certificate=C:\opt\nifi\data\ssl\client-certificate.pem
nifi.security.client.private.key=C:\opt\nifi\data\ssl\client-certificate.key
#nifi.security.client.pass.phrase=
nifi.security.client.ca.certificate=C:\opt\nifi\data\ssl\server-certificate.pem
#nifi.security.use.system.cert.store=

If both the client and the server certificate are in the LocalMachine (= "Local Computer") system certificate store (in MY = "Personal" and ROOT = "Trusted Root Certification Authorities", respectively), then the configuration reduces to:

nifi.remote.input.secure=true
nifi.security.need.ClientAuth=true
#nifi.security.client.certificate=
#nifi.security.client.private.key=
#nifi.security.client.pass.phrase=
#nifi.security.client.ca.certificate=
nifi.security.use.system.cert.store=true

Ensure that the client certificate is marked exportable in the store; MiNiFi needs to read its private key, which Windows only allows for keys imported with the exportable flag.

If you need to select the client certificate by CN, add the following property:

nifi.security.windows.client.cert.cn=<myCertificateIssuedToName>

If you need to select the client certificate by Extended (= "Enhanced") Key Usage, add the following property:

nifi.security.windows.client.cert.key.usage=Client Authentication, Server Authentication

You can also use a different system store location, or different system stores for the client and server certificates, if needed:

# instead of LocalMachine
nifi.security.windows.cert.store.location=CurrentUser

# instead of MY
nifi.security.windows.client.cert.store=TrustedPeople

# instead of ROOT
nifi.security.windows.server.cert.store=TrustedPublisher
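The following PowerShell script is an added pre-flight check, not part of MiNiFi C++ or its documentation. It mirrors the selection rules above (store location, client and server store names, CN and Extended Key Usage) and reports, for every matching certificate in the client store, whether the required EKUs are present, whether a private key is attached and marked exportable (the CNG export policy or the legacy CSP flag), and whether the certificate chains to a root that is present in the configured server store. The default parameter values, including the CN `minifi-agent-01`, are assumed sample values; replace them with the values you put in the properties file.

```powershell
# Added example: pre-flight check of the Windows certificate store against the
# nifi.security.windows.* selection rules. Not MiNiFi code; defaults are assumed.
param(
    [string]$StoreLocation = 'LocalMachine',            # nifi.security.windows.cert.store.location
    [string]$ClientStore   = 'My',                      # nifi.security.windows.client.cert.store
    [string]$ServerStore   = 'Root',                    # nifi.security.windows.server.cert.store
    [string]$ClientCN      = 'minifi-agent-01',         # nifi.security.windows.client.cert.cn (assumed)
    [string[]]$KeyUsage    = @('Client Authentication') # nifi.security.windows.client.cert.key.usage
)

# EKU friendly names as written in the property, mapped to OIDs so the check
# does not depend on localized friendly names.
$EkuOids = @{
    'Client Authentication' = '1.3.6.1.5.5.7.3.2'
    'Server Authentication' = '1.3.6.1.5.5.7.3.1'
}

function Test-HasEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string[]]$Names)
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    if (-not $ext) { return $false }                # no EKU extension: cannot satisfy a required usage
    $present = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
    foreach ($name in $Names) {
        $oid = $EkuOids[$name.Trim()]
        if (-not $oid -or $present -notcontains $oid) { return $false }
    }
    return $true
}

function Test-KeyExportable {
    # Checks the "exportable" requirement for both CNG and legacy CSP keys.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $false }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    } catch { return $false }                       # e.g. no permission on the key container
    if ($null -eq $rsa) { return $false }           # non-RSA key: not covered by this check
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $allow = [System.Security.Cryptography.CngExportPolicies]::AllowExport
        return (($rsa.Key.ExportPolicy -band $allow) -ne 0)
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return [bool]$rsa.CspKeyContainerInfo.Exportable
    }
    return $false
}

function Get-ChainRootThumbprint {
    # Builds the chain as Windows would; returns the root thumbprint, or $null on failure.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; revocation is a separate concern
    if (-not $chain.Build($Cert)) {
        $chain.ChainStatus | ForEach-Object { Write-Warning "chain: $($_.StatusInformation.Trim())" }
        return $null
    }
    return $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
}

$clientPath = "Cert:\$StoreLocation\$ClientStore"
$serverPath = "Cert:\$StoreLocation\$ServerStore"
$trusted = @(Get-ChildItem $serverPath | ForEach-Object { $_.Thumbprint })

# Same selection MiNiFi is told to make: certificates in the client store whose CN matches.
$candidates = @(Get-ChildItem $clientPath | Where-Object {
    $_.GetNameInfo('SimpleName', $false) -eq $ClientCN
})
if ($candidates.Count -eq 0) {
    Write-Warning "no certificate with CN '$ClientCN' in $clientPath"
}

foreach ($cert in $candidates) {
    $root = Get-ChainRootThumbprint $cert
    [pscustomobject]@{
        Thumbprint       = $cert.Thumbprint
        NotAfter         = $cert.NotAfter
        HasEku           = Test-HasEku $cert $KeyUsage
        HasPrivateKey    = $cert.HasPrivateKey
        Exportable       = Test-KeyExportable $cert
        ChainRootTrusted = ($null -ne $root) -and ($trusted -contains $root)
    }
}
```

Run it from an elevated PowerShell when the location is LocalMachine, because reading the export policy of a machine key requires access to the key container; a `$false` in the `Exportable` column is the usual cause of MiNiFi failing to load a certificate that otherwise looks correct in the MMC snap-in.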