[ https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15398707#comment-15398707 ]
ASF GitHub Bot commented on NIFI-2193:
--------------------------------------

Github user alopresto commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/695#discussion_r72741316

--- Diff: nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/CertificateUtilsTest.groovy ---
@@ -116,53 +132,7 @@ class CertificateUtilsTest extends GroovyTestCase { private static X509Certificate generateCertificate(String dn) throws IOException, NoSuchAlgorithmException, CertificateException, NoSuchProviderException, SignatureException, InvalidKeyException, OperatorCreationException { KeyPair keyPair = generateKeyPair(); - return generateCertificate(dn, keyPair); - } - - /** - * Generates a signed certificate with a specific keypair. - * - * @param dn the DN - * @param keyPair the public key will be included in the certificate and the the private key is used to sign the certificate - * @return the certificate - * @throws IOException - * @throws NoSuchAlgorithmException - * @throws CertificateException - * @throws NoSuchProviderException - * @throws SignatureException - * @throws InvalidKeyException - * @throws OperatorCreationException - */ - private - static X509Certificate generateCertificate(String dn, KeyPair keyPair) throws IOException, NoSuchAlgorithmException, CertificateException, NoSuchProviderException, SignatureException, InvalidKeyException, OperatorCreationException { - PrivateKey privateKey = keyPair.getPrivate(); - ContentSigner sigGen = new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).setProvider(PROVIDER).build(privateKey); - SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded()); - Date startDate = new Date(YESTERDAY); - Date endDate = new Date(ONE_YEAR_FROM_NOW); - - X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder( - new X500Name(dn), - BigInteger.valueOf(System.currentTimeMillis()), - startDate, endDate, - new X500Name(dn), - subPubKeyInfo); - - // Set certificate extensions - // (1) digitalSignature extension - certBuilder.addExtension(X509Extension.keyUsage, true, - new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.keyAgreement)); - - // (2) extendedKeyUsage extension - Vector<KeyPurposeId> ekUsages = new 
Vector<>(); - ekUsages.add(KeyPurposeId.id_kp_clientAuth); - ekUsages.add(KeyPurposeId.id_kp_serverAuth); - certBuilder.addExtension(X509Extension.extendedKeyUsage, false, new ExtendedKeyUsage(ekUsages)); - - // Sign the certificate - X509CertificateHolder certificateHolder = certBuilder.build(sigGen); - return new JcaX509CertificateConverter().setProvider(PROVIDER) - .getCertificate(certificateHolder); + return CertificateUtils.generateSelfSignedX509Certificate(keyPair, dn, SIGNATURE_ALGORITHM, 365); --- End diff --

@brosander and I discussed the need for certificate migration, especially for the CA, and handling the trust chain amongst the nodes. I think if this value (throughout the tool) is increased for now, the additional use cases and logic to handle key/cert rollover can be addressed in a `x.1.x` release. Not ideal, but it is not an easy problem to tackle so close to the current release deadline.

> Command Line Keystore and Truststore utility
> --------------------------------------------
>
> Key: NIFI-2193
> URL: https://issues.apache.org/jira/browse/NIFI-2193
> Project: Apache NiFi
> Issue Type: New Feature
> Reporter: Bryan Rosander
> Assignee: Bryan Rosander
>
> In order to facilitate secure setup of NiFi, it would be useful to have a
> command line utility capable of generating the required keystores,
> truststore, and relevant configuration files.
> It should be able to generate keystores for each NiFi node, a truststore that
> they all use, and relevant passwords and configuration files for using the
> keystores and truststore.
> Additionally, in order to support distributed deployment, a web based
> certificate authority with corresponding client will allow for each NiFi
> instance to generate its own keypair and then request signing by the CA.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
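Review bot: the one-line replacement body in `generateCertificate(String dn)` still declares the full throws list inherited from the removed code (`IOException, NoSuchAlgorithmException, CertificateException, NoSuchProviderException, SignatureException, InvalidKeyException, OperatorCreationException`) although it now only delegates to `CertificateUtils.generateSelfSignedX509Certificate(keyPair, dn, SIGNATURE_ALGORITHM, 365)`; trim the clause to what that method actually throws. The validity period is passed as the bare literal `365` where the removed helper derived it from the named `YESTERDAY` and `ONE_YEAR_FROM_NOW` values; a named constant in the test would keep the intent visible and make the lifetime easy to change if the rollover discussion in the comment settles on a different value. The removed code also set a critical keyUsage extension (digitalSignature, keyEncipherment, dataEncipherment, keyAgreement), an extendedKeyUsage of clientAuth plus serverAuth, and a notBefore one day in the past for clock skew; none of that is visible in the replacement call, so an assertion in this test on the extensions and notBefore of the returned certificate would confirm the utility preserves the behaviour the old helper had.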