StandardRestrictedSSLContextService

Description:

Restricted implementation of the SSLContextService. Provides the ability to configure keystore and/or truststore properties once and reuse that configuration throughout the application, but only allows a restricted set of TLS protocols to be chosen (no SSL protocols are supported). The set of selectable protocols will evolve over time as new protocols emerge and older protocols are deprecated. This service is recommended over StandardSSLContextService whenever a component does not need to communicate with legacy systems, since legacy systems are unlikely to support these newer protocols.

Tags:

tls, ssl, secure, certificate, keystore, truststore, jks, p12, pkcs12, pkcs

Properties:

In the list below, the names of required properties appear in bold. Any other properties (not in bold) are considered optional. The table also indicates any default values, and whether a property is considered "sensitive", meaning that its value will be encrypted. Before entering a value in a sensitive property, ensure that the nifi.properties file has an entry for the property nifi.sensitive.props.key.

Each entry below lists the property name, its default value (if any), its allowable values (if restricted to a fixed set), and its description.

Keystore Filename
  Description: The fully-qualified filename of the Keystore

Keystore Password
  Description: The password for the Keystore
  Sensitive Property: true

Key Password
  Description: The password for the key. If this is not specified, but the Keystore Filename, Password, and Type are specified, then the Keystore Password will be assumed to be the same as the Key Password.
  Sensitive Property: true

Keystore Type
  Allowable Values:
    • BCFKS
    • PKCS12
    • JKS
  Description: The Type of the Keystore

Truststore Filename
  Description: The fully-qualified filename of the Truststore

Truststore Password
  Description: The password for the Truststore
  Sensitive Property: true

Truststore Type
  Allowable Values:
    • BCFKS
    • PKCS12
    • JKS
  Description: The Type of the Truststore

TLS Protocol
  Default Value: TLS
  Allowable Values:
    • TLS
    • TLSv1.2
  Description: The algorithm to use for this TLS/SSL context. "TLS" will instruct NiFi to allow all supported protocol versions and choose the highest available protocol for each connection. Java 8 enabled TLSv1.2, which is now the lowest version supported for incoming connections. Java 11 enabled TLSv1.3. Depending on the version of Java NiFi is running on, different protocol versions will be available. With "TLS" selected, NiFi will automatically select new protocol versions as they become available. "TLS" is recommended unless a specific protocol version is needed. On Java 11, for example, TLSv1.3 will be the default, but if a client does not support it, TLSv1.2 will be offered as a fallback. TLSv1.0 and TLSv1.1 are not supported at all.
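The following is an added example, not code from NiFi or this controller service, showing in plain JSSE what the properties above amount to: a keystore and truststore are loaded with the configured store types and passwords, the key password falls back to the keystore password when it is not given, an SSLContext is created with the "TLS" algorithm so the JDK can offer its highest available version, and the per-connection protocol list is then narrowed to TLSv1.3 and TLSv1.2 so that TLSv1.0, TLSv1.1 and all SSL versions are never negotiated. The file paths, passwords and store types are placeholders; BCFKS additionally requires the BouncyCastle FIPS provider to be registered.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added illustration (not NiFi's own implementation) of a restricted TLS context:
 * keystore/truststore loading plus an explicit protocol allow-list.
 * All paths, passwords and store types are placeholders.
 */
public final class RestrictedTlsContextExample {

    /** Versions the restricted service permits, in preference order; SSLv3, TLSv1 and TLSv1.1 are excluded. */
    static final List<String> ALLOWED_PROTOCOLS = Arrays.asList("TLSv1.3", "TLSv1.2");

    /** Loads a keystore or truststore of the given type ("JKS", "PKCS12" or "BCFKS") from disk. */
    static KeyStore loadStore(String type, String path, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore store = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    /**
     * Builds the context with the "TLS" algorithm, which lets the JDK offer every protocol it
     * supports; the restriction itself is applied per engine or socket in restrictProtocols().
     */
    static SSLContext buildContext(KeyStore keystore, char[] keyPassword, KeyStore truststore)
            throws GeneralSecurityException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keystore, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return context;
    }

    /** Intersects the JDK's supported protocols with the allow-list, keeping allow-list order. */
    static String[] restrictProtocols(String[] supported) {
        List<String> supportedList = Arrays.asList(supported);
        List<String> enabled = new ArrayList<>();
        for (String protocol : ALLOWED_PROTOCOLS) {
            if (supportedList.contains(protocol)) {
                enabled.add(protocol);
            }
        }
        if (enabled.isEmpty()) {
            throw new IllegalStateException("This JDK supports none of " + ALLOWED_PROTOCOLS);
        }
        return enabled.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        char[] keystorePassword = "changeit".toCharArray(); // placeholder value
        char[] keyPassword = null;                          // placeholder: unset, so it falls back to the keystore password
        KeyStore keystore = loadStore("PKCS12", "/path/to/keystore.p12", keystorePassword);   // placeholder path
        KeyStore truststore = loadStore("JKS", "/path/to/truststore.jks", "changeit".toCharArray()); // placeholder path

        // Same fallback rule as the Key Password property: missing key password => keystore password.
        char[] effectiveKeyPassword = keyPassword != null ? keyPassword : keystorePassword;
        SSLContext context = buildContext(keystore, effectiveKeyPassword, truststore);

        // Narrow what this connection may negotiate; TLSv1.3 is preferred, TLSv1.2 is the only fallback.
        SSLEngine engine = context.createSSLEngine();
        engine.setEnabledProtocols(restrictProtocols(engine.getSupportedProtocols()));
        System.out.println("Enabled protocols: " + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

The split between the "TLS" algorithm and the explicit allow-list is the point worth checking in any deployment: the algorithm name only chooses the highest version available, while `setEnabledProtocols` is what guarantees that an old client cannot talk the context down to TLSv1.0 or TLSv1.1.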

State management:

This component does not store state.

Restricted:

This component is not restricted.

System Resource Considerations:

None specified.