[jira] [Commented] (NIFI-8403) Implement Self-Signed Certificate Generation for HTTPS Configuration

Tue, 27 Apr 2021 06:36:07 -0700 


    [ 
https://issues.apache.org/jira/browse/NIFI-8403?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17333238#comment-17333238
 ] 

ASF subversion and git services commented on NIFI-8403:
-------------------------------------------------------

Commit 90c7d03ed385478820fc24f922b550e2327d0565 in nifi's branch 
refs/heads/main from Joe Gresock
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=90c7d03 ]

NIFI-8403: Generating Self-signed cert on startup when applicable (#4986)

* NIFI-8403: Implementing auto-generated certificates for secure startup

* Adding check for passwords in SecureNiFiConfigUtil

> Implement Self-Signed Certificate Generation for HTTPS Configuration
> --------------------------------------------------------------------
>
>                 Key: NIFI-8403
>                 URL: https://issues.apache.org/jira/browse/NIFI-8403
>             Project: Apache NiFi
>          Issue Type: Sub-task
>    Affects Versions: 1.14.0
>            Reporter: David Handermann
>            Assignee: Joseph Gresock
>            Priority: Major
>              Labels: https, pkcs12, security
>             Fix For: 1.14.0
>
>          Time Spent: 3h 40m
>  Remaining Estimate: 0h
>
> Enabling HTTPS through default configuration properties requires the presence 
> of keystore and truststore files.  For default standalone installations, this 
> requires generating a self-signed certificate and private key for storage in 
> a keystore.  The certificate should be stored in a truststore and both files 
> should be placed in a standard location within the NiFi home directory.
> The following requirements should be considered as part of the implementation:
>  * Keystore and Truststore format should be PKCS12
>  * Keystore and Truststore passwords should use secure random generation
>  * The self-signed certificate must contain at least one DNS Subject 
> Alternative Name
> The following implementation questions should be addressed as part of the 
> implementation:
>  * Should the certificate subject always use {{localhost}} or should other 
> host addresses be evaluated and added as subject alternative names?
>  * What is the default expiration for the generated certificate?  Something 
> short should be considered to encourage provisioning a certificate through 
> other means



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to