Andre F de Miranda created NIFI-3750:
----------------------------------------
Summary: tls-toolkit should support x.509 nameConstrains
Key: NIFI-3750
URL: https://issues.apache.org/jira/browse/NIFI-3750
Project: Apache NiFi
Issue Type: Improvement
Reporter: Andre F de Miranda
given the growing acceptance of namedConstrains in the browser space, it would
be great if tls-toolkit certificates used the extension.
nameConstrains are an extension to x.509 that allow CA certificates to be
constrained on the range the subjects they can "certify". One could for
example, restrict certificates by the nifinode00.nifi.lab.example.com" to only
issue certificates to "*.nifi.lab.example.com"
Consequentially the main rationale to use this technique is to allow users to
install the tls-toolkit issued CA on browsers, knowing that that trusted CA can
only be used to create certificates for subjects within the
"nifi.lab.example.com" namespace.
Once this is implemented, we could then consider both NiFi nodes and MiNiFi
agents against a beefed version of tls-toolkit (via shared secret + approval),
greatly reducing dependency on external certificates, without compromising the
gains the toolkit offers to the customer base.
https://tools.ietf.org/html/rfc5280#section-4.2.1.10
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
