[ https://issues.apache.org/jira/browse/NIFI-2476?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15410345#comment-15410345 ]
Andy LoPresto commented on NIFI-2476:
-------------------------------------
Upon further use, I think the tool should provide a flag to allow a custom
client certificate to be generated and signed by the CA certificate. Prompt for
the desired user name (CN), and form a key and complete certificate (only valid
for EKU clientAuth), and output these files independently and wrapped in a
PKCS12 keystore. The tool makes it easy to secure the nodes but access is only
available at that time via client certificate, LDAP, and/or Kerberos
authentication, and for rapid deployment, a client certificate is essential.
Continually re-importing the CA certificate into the Keychain to use as a
client cert is impractical, tedious, and negatively affects the attack surface
of the CA certificate.
> Further refine tls-toolkit based on feedback gathered during beta
> -----------------------------------------------------------------
>
> Key: NIFI-2476
> URL: https://issues.apache.org/jira/browse/NIFI-2476
> Project: Apache NiFi
> Issue Type: Improvement
> Reporter: Bryan Rosander
> Assignee: Bryan Rosander
>
> The basic functionality of generating keystores, truststores,
> nifi.properties, and a configuration json is implemented.
> As people start using this tool to ease the tls setup process in NiFi,
> shortcomings in the initial implementation will need to be addressed.
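The client-certificate flow proposed in the comment above, as an added example in Python with the `cryptography` library (this is not code from the NiFi tls-toolkit or from the commenter): a constructed CA signs a fresh key for the requested CN, the certificate is restricted to EKU clientAuth, and key, certificate and CA are wrapped in a password-protected PKCS12 keystore. The CA name, the alias `nifi-client` and the password are assumptions.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives.serialization import pkcs12

def _builder(subject_cn, issuer_name, pubkey, days):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
            .issuer_name(issuer_name).public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days)))

def make_ca(cn="Constructed Test CA", days=365):
    """Self-signed CA, constructed for this demo (the toolkit already has one)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    cert = (_builder(cn, name, key.public_key(), days)
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_client_cert(ca_key, ca_cert, user_cn, days=365):
    """Key and CA-signed certificate for user_cn, valid only for EKU clientAuth."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (_builder(user_cn, ca_cert.subject, key.public_key(), days)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            # clientAuth only: the certificate cannot be presented as a server certificate
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=True)
            .sign(ca_key, hashes.SHA256()))
    return key, cert

def to_pkcs12(key, cert, ca_cert, password):
    """Bundle key, client cert and CA into a password-protected PKCS12 keystore."""
    return pkcs12.serialize_key_and_certificates(
        b"nifi-client", key, cert, [ca_cert],
        serialization.BestAvailableEncryption(password))

def describe(cert, ca_cert):
    """Checks a relying party makes: CA signature, issuer name, EKU set, CN."""
    ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                padding.PKCS1v15(), cert.signature_hash_algorithm)
    eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    return {
        "cn": cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
        "issued_by_ca": cert.issuer == ca_cert.subject,
        "client_auth_only": list(eku) == [ExtendedKeyUsageOID.CLIENT_AUTH],
    }

def pkcs12_roundtrip(blob, password):
    key, cert, chain = pkcs12.load_key_and_certificates(blob, password)
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value, len(chain)
```

The `.p12` blob can be written to disk alongside the PEM key and certificate, which is the "independently and wrapped in a PKCS12 keystore" output the comment asks for.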