[jira] [Commented] (NIFI-2943) tls-toolkit pkcs12 truststore 0 entries

Tue, 15 Nov 2016 11:32:18 -0800 

    [ 
https://issues.apache.org/jira/browse/NIFI-2943?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15668026#comment-15668026
 ] 

ASF GitHub Bot commented on NIFI-2943:
--------------------------------------

Github user alopresto commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/1165#discussion_r88094393
  
    --- Diff: nifi-docs/src/main/asciidoc/administration-guide.adoc ---
    @@ -174,6 +174,8 @@ TLS Generation Toolkit
     
     In order to facilitate the secure setup of NiFi, you can use the 
`tls-toolkit` command line utility to automatically generate the required 
keystores, truststore, and relevant configuration files. This is especially 
useful for securing multiple NiFi nodes, which can be a tedious and error-prone 
process.
     
    +Note: JKS keyStores and trustStores are recommended for NiFi.  This tool 
allows the specification of other KeyStore types on the command line but will 
ignore a type of PKCS12 for use as the trustStore as that format has some 
compatibility issues between BouncyCastle and Oracle implementations.
    --- End diff --
    
    To be consistent with the rest of the documentation, "keystore" and 
"truststore" should be capitalized as such.  


> tls-toolkit pkcs12 truststore 0 entries
> ---------------------------------------
>
>                 Key: NIFI-2943
>                 URL: https://issues.apache.org/jira/browse/NIFI-2943
>             Project: Apache NiFi
>          Issue Type: Bug
>            Reporter: Bryan Rosander
>            Assignee: Bryan Rosander
>            Priority: Minor
>
> When pkcs12 is used by the tls-toolkit, the resulting truststore has no 
> entries when inspected by the keytool and the tls-toolkit certificate 
> authority certificate is not trusted by NiFi.
> This seems to be due to the Java pkcs12 provider not supporting certificate 
> entries:
> http://stackoverflow.com/questions/3614239/pkcs12-java-keystore-from-ca-and-user-certificate-in-java#answer-3614405
> The Bouncy Castle provider does seem to support certificates but we may not 
> want to explicitly use that provider from within NiFi.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to