[ https://issues.apache.org/jira/browse/NIFI-3750?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andre F de Miranda updated NIFI-3750:
-------------------------------------
    Summary: tls-toolkit should support x.509 nameConstraints  (was: 
tls-toolkit should support x.509 nameConstrains)

> tls-toolkit should support x.509 nameConstraints
> ------------------------------------------------
>
>                 Key: NIFI-3750
>                 URL: https://issues.apache.org/jira/browse/NIFI-3750
>             Project: Apache NiFi
>          Issue Type: Improvement
>            Reporter: Andre F de Miranda
>
> Given the growing acceptance of nameConstraints in the browser space, it
> would be great if tls-toolkit certificates used the extension.
> nameConstraints are an extension to x.509 that allows CA certificates to be
> constrained on the range of the subjects they can "certify". One could, for
> example, restrict certificates by the "nifinode00.nifi.lab.example.com" to
> only issue certificates to "*.nifi.lab.example.com".
> Consequently, the main rationale to use this technique is to allow users to
> install the tls-toolkit issued CA on browsers, knowing that that trusted CA
> can only be used to issue certificates to subjects within the
> "nifi.lab.example.com" namespace.
> Once this is implemented, we could then consider both NiFi nodes and MiNiFi 
> agents against a beefed version of tls-toolkit (via shared secret + 
> approval), greatly reducing dependency on external certificates, without 
> compromising the gains the toolkit offers to the customer base.
> https://tools.ietf.org/html/rfc5280#section-4.2.1.10



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
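
The dNSName matching rule from RFC 5280 section 4.2.1.10 that the issue relies on, as an added example (not code from the issue or from tls-toolkit). Function names are hypothetical, the sample SAN list is constructed around the hostnames quoted above, and only the dNSName form is covered.

```python
"""dNSName name-constraint check per RFC 5280 section 4.2.1.10 (added example)."""


def _labels(name):
    # DNS names compare case-insensitively; drop a trailing root dot.
    stripped = name.lower().rstrip(".")
    return stripped.split(".") if stripped else []


def within_subtree(dns_name, base):
    """True if dns_name equals base or adds whole labels to its left side."""
    n, b = _labels(dns_name), _labels(base)
    # Compare label by label: a plain string suffix test would wrongly accept
    # "notnifi.lab.example.com" for the base "nifi.lab.example.com".
    return len(n) >= len(b) and n[len(n) - len(b):] == b


def dns_name_allowed(dns_name, permitted, excluded=()):
    """Apply permitted/excluded dNSName subtrees to one SAN entry."""
    if any(within_subtree(dns_name, e) for e in excluded):
        return False  # an excluded subtree wins over any permitted one
    # No permitted dNSName subtree means this name form is unrestricted.
    return not permitted or any(within_subtree(dns_name, p) for p in permitted)


def rejected_names(san_dns_names, permitted, excluded=()):
    """Return the SAN entries the constrained CA is not allowed to certify."""
    return [n for n in san_dns_names
            if not dns_name_allowed(n, permitted, excluded)]


# Constructed sample: permitted subtree of the CA, then SANs of leaf certs.
PERMITTED = ["nifi.lab.example.com"]
SAMPLE_SANS = [
    "nifinode00.nifi.lab.example.com",   # inside the namespace
    "*.nifi.lab.example.com",            # wildcard SAN, still inside
    "NiFi.Lab.Example.COM.",             # same name, different case, root dot
    "notnifi.lab.example.com",           # shares a string suffix only
    "www.example.com",                   # outside the namespace
]

if __name__ == "__main__":
    for name in SAMPLE_SANS:
        verdict = "ok" if dns_name_allowed(name, PERMITTED) else "REJECT"
        print(f"{verdict:6} {name}")
```

A browser that trusts a CA carrying this permitted subtree would fail path validation for the last two names, which is the containment property the issue asks for.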
