[ https://issues.apache.org/jira/browse/NIFI-15146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18033661#comment-18033661 ]

Bill Kinzel commented on NIFI-15146:
------------------------------------

Hi David,

I'm no expert in this area, but how about using two separate, publicly trusted
certs per node:

*One server-only cert (with Server Authentication EKU only) — for inbound HTTPS/UI and cluster listener*
*One client-only cert (with Client Authentication EKU only) — for outbound node-to-node mTLS connections*


This is fully compliant with the new CA/B Forum and Chrome Root Program rules 
(post-2026), because:

Public CAs will still issue certificates with Client Authentication EKU, just 
not in the same cert as Server Auth.
...bypassing EKU checks, still satisfying them correctly with purpose-specific 
certs

*# Server side (inbound)*
nifi.web.https.port=8443
nifi.security.keystore=./conf/server-keystore.jks    # Server Auth EKU only
nifi.security.truststore=./conf/truststore.jks

*# Client side (outbound mTLS to other nodes)*
nifi.cluster.node.client.keystore=./conf/client-keystore.jks  # Client Auth EKU only
nifi.cluster.node.client.keystorePasswd=...

> Cluster Security:  TLS Client Authentication Deprecated (EKU)
> -------------------------------------------------------------
>
>                 Key: NIFI-15146
>                 URL: https://issues.apache.org/jira/browse/NIFI-15146
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 2.6.0
>            Reporter: Bill Kinzel
>            Priority: Major
>
> We operate a three-node cluster using a publicly-trusted CA (DigiCert).  
> We’ve learned that many public CAs are phasing out inclusion of the _Client 
> Authentication_ EKU (Extended Key Usage) in publicly-trusted TLS 
> certificates.  Are there any plans underway to support node auth under this 
> new paradigm?  I know a private CA is an alternative, but not an option for 
> us right now. 
> For more detailed information, you can visit our [knowledge
> article|https://knowledge.digicert.com/alerts/sunsetting-client-authentication-eku-from-digicert-public-tls-certificates].



--
This message was sent by Atlassian Jira
(v8.20.10#820010)