Github user alopresto commented on the issue:
https://github.com/apache/nifi/pull/2042
Verified that all tests and contrib-check pass. When run with no SAN
arguments, the CN is present as a SAN. When run with additional SAN arguments,
all are present. +1, merging.
No SAN:
```
hw12203:...assembly/target/nifi-toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT
(pr2042) alopresto
186058s @ 18:43:33 $ ./bin/tls-toolkit.sh standalone -n
'nifi.nifi.apache.org' -P password -S password -f
../../../../../nifi-assembly/target/nifi-1.4.0-SNAPSHOT-bin/nifi-1.4.0-SNAPSHOT/conf/nifi.properties
2017/08/09 18:58:45 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: Using
../../../../../nifi-assembly/target/nifi-1.4.0-SNAPSHOT-bin/nifi-1.4.0-SNAPSHOT/conf/nifi.properties
as template.
2017/08/09 18:58:46 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone
certificate generation with output directory ../nifi-toolkit-1.4.0-SNAPSHOT
2017/08/09 18:58:46 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Generated new CA
certificate ../nifi-toolkit-1.4.0-SNAPSHOT/nifi-cert.pem and key
../nifi-toolkit-1.4.0-SNAPSHOT/nifi-key.key
2017/08/09 18:58:46 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl
configuration to ../nifi-toolkit-1.4.0-SNAPSHOT/nifi.nifi.apache.org
2017/08/09 18:58:46 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully
generated TLS configuration for nifi.nifi.apache.org 1 in
../nifi-toolkit-1.4.0-SNAPSHOT/nifi.nifi.apache.org
2017/08/09 18:58:46 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No clientCertDn
specified, not generating any client certificates.
2017/08/09 18:58:46 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit
standalone completed successfully
hw12203:...assembly/target/nifi-toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT
(pr2042) alopresto
186980s @ 18:58:55 $ cd nifi.nifi.apache.org/
hw12203:...toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT/nifi.nifi.apache.org
(pr2042) alopresto
186988s @ 18:59:03 $ keytool -list -v -keystore keystore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: nifi-key
Creation date: Aug 9, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=nifi.nifi.apache.org, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 15dc9dd8f3900000000
Valid from: Wed Aug 09 18:58:46 PDT 2017 until: Sat Aug 08 18:58:46 PDT 2020
Certificate fingerprints:
MD5: E4:E8:C4:19:C1:06:86:17:C8:E5:13:F6:6F:54:0F:AE
SHA1: 92:6B:FD:9D:89:55:A5:48:AD:31:A3:FD:A3:A6:6C:A5:C4:A8:31:0E
SHA256:
54:8D:30:D2:ED:9A:B0:AE:8C:37:40:9F:2F:80:2D:4A:DC:5D:14:2E:15:57:4C:71:CF:77:D6:F0:3F:92:6D:04
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 6B 65 AB 68 5A 0A CB 59 A2 B9 0B 9E 36 2D 60 47 ke.hZ..Y....6-`G
0010: 21 08 08 25 !..%
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
clientAuth
serverAuth
]
#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
Data_Encipherment
Key_Agreement
]
#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: nifi.nifi.apache.org
]
#6: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D9 18 43 B3 38 24 18 89 E6 1B 62 D7 AB 35 C5 14 ..C.8$....b..5..
0010: 88 E9 19 E3 ....
]
]
Certificate[2]:
Owner: CN=localhost, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 15dc9dd8d4c00000000
Valid from: Wed Aug 09 18:58:46 PDT 2017 until: Sat Aug 08 18:58:46 PDT 2020
Certificate fingerprints:
MD5: A1:9E:4A:7C:65:F1:B7:E9:8F:4D:D0:18:74:E8:AA:2E
SHA1: CD:31:8B:74:85:C7:21:4A:DB:F6:58:34:69:B7:19:6C:3B:9E:CE:00
SHA256:
A9:AB:C5:73:9D:B3:ED:C3:D5:79:BD:4B:E0:14:1D:0F:DC:68:41:BC:09:70:5B:2D:BD:E0:AB:49:55:14:79:3B
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 6B 65 AB 68 5A 0A CB 59 A2 B9 0B 9E 36 2D 60 47 ke.hZ..Y....6-`G
0010: 21 08 08 25 !..%
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
clientAuth
serverAuth
]
#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
Data_Encipherment
Key_Agreement
Key_CertSign
Crl_Sign
]
#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 6B 65 AB 68 5A 0A CB 59 A2 B9 0B 9E 36 2D 60 47 ke.hZ..Y....6-`G
0010: 21 08 08 25 !..%
]
]
*******************************************
*******************************************
hw12203:...toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT/nifi.nifi.apache.org
(pr2042) alopresto
186999s @ 18:59:14 $
```
Additional SAN:
```
hw12203:...assembly/target/nifi-toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT
(pr2042) alopresto
187123s @ 19:01:18 $ ./bin/tls-toolkit.sh standalone -n
'nifi.nifi.apache.org' -P password -S password -f
../../../../../nifi-assembly/target/nifi-1.4.0-SNAPSHOT-bin/nifi-1.4.0-SNAPSHOT/conf/nifi.properties
-O --subjectAlternativeNames '127.0.0.1,localhost'
2017/08/09 19:01:43 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: Using
../../../../../nifi-assembly/target/nifi-1.4.0-SNAPSHOT-bin/nifi-1.4.0-SNAPSHOT/conf/nifi.properties
as template.
2017/08/09 19:01:43 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone
certificate generation with output directory ../nifi-toolkit-1.4.0-SNAPSHOT
2017/08/09 19:01:44 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing CA
certificate ../nifi-toolkit-1.4.0-SNAPSHOT/nifi-cert.pem and key
../nifi-toolkit-1.4.0-SNAPSHOT/nifi-key.key
2017/08/09 19:01:44 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Overwriting any
existing ssl configuration in
../nifi-toolkit-1.4.0-SNAPSHOT/nifi.nifi.apache.org
2017/08/09 19:01:44 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully
generated TLS configuration for nifi.nifi.apache.org 1 in
../nifi-toolkit-1.4.0-SNAPSHOT/nifi.nifi.apache.org
2017/08/09 19:01:44 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No clientCertDn
specified, not generating any client certificates.
2017/08/09 19:01:44 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit
standalone completed successfully
hw12203:...assembly/target/nifi-toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT
(pr2042) alopresto
187150s @ 19:01:45 $ cd nifi.nifi.apache.org/
hw12203:...toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT/nifi.nifi.apache.org
(pr2042) alopresto
187156s @ 19:01:51 $ keytool -list -v -keystore keystore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: nifi-key
Creation date: Aug 9, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=nifi.nifi.apache.org, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 15dc9e0465100000000
Valid from: Wed Aug 09 19:01:44 PDT 2017 until: Sat Aug 08 19:01:44 PDT 2020
Certificate fingerprints:
MD5: AA:D1:5F:CC:BA:BE:ED:4D:5E:08:DB:2E:6D:E6:95:57
SHA1: F3:8B:A5:41:28:69:8F:0C:91:08:70:EB:F6:BE:B1:58:EE:F4:7B:8D
SHA256:
B1:78:8C:05:11:F1:A8:BD:A7:33:EA:8D:9C:B2:FC:A2:C2:94:7D:30:48:77:0A:05:0F:CB:C1:FD:5D:A2:94:66
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 6B 65 AB 68 5A 0A CB 59 A2 B9 0B 9E 36 2D 60 47 ke.hZ..Y....6-`G
0010: 21 08 08 25 !..%
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
clientAuth
serverAuth
]
#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
Data_Encipherment
Key_Agreement
]
#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: nifi.nifi.apache.org
DNSName: 127.0.0.1
DNSName: localhost
]
#6: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 8F 4B 1A 98 92 C5 17 70 B7 C8 F6 9D 5D D3 66 4C .K.....p....].fL
0010: 8F F9 3C 19 ..<.
]
]
Certificate[2]:
Owner: CN=localhost, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 15dc9dd8d4c00000000
Valid from: Wed Aug 09 18:58:46 PDT 2017 until: Sat Aug 08 18:58:46 PDT 2020
Certificate fingerprints:
MD5: A1:9E:4A:7C:65:F1:B7:E9:8F:4D:D0:18:74:E8:AA:2E
SHA1: CD:31:8B:74:85:C7:21:4A:DB:F6:58:34:69:B7:19:6C:3B:9E:CE:00
SHA256:
A9:AB:C5:73:9D:B3:ED:C3:D5:79:BD:4B:E0:14:1D:0F:DC:68:41:BC:09:70:5B:2D:BD:E0:AB:49:55:14:79:3B
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 6B 65 AB 68 5A 0A CB 59 A2 B9 0B 9E 36 2D 60 47 ke.hZ..Y....6-`G
0010: 21 08 08 25 !..%
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
clientAuth
serverAuth
]
#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
Data_Encipherment
Key_Agreement
Key_CertSign
Crl_Sign
]
#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 6B 65 AB 68 5A 0A CB 59 A2 B9 0B 9E 36 2D 60 47 ke.hZ..Y....6-`G
0010: 21 08 08 25 !..%
]
]
*******************************************
*******************************************
hw12203:...toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT/nifi.nifi.apache.org
(pr2042) alopresto
187163s @ 19:01:57 $
```
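Added example, not part of the comment above or of the NiFi code base: a small checker that automates the manual inspection of `keytool -list -v` output, confirming that the leaf certificate's CN appears as a SAN and flagging IP literals that were written as `DNSName` entries. RFC 5280 gives IP addresses their own SAN type (`iPAddress`), and hostname verifiers that follow it match an IP literal only against that type. The sample text is constructed from the listing layout shown above, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: trimmed `keytool -list -v` output in the layout shown above.
SAMPLE = """\
Certificate[1]:
Owner: CN=nifi.nifi.apache.org, OU=NIFI
#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: nifi.nifi.apache.org
  DNSName: 127.0.0.1
  DNSName: localhost
]
Certificate[2]:
Owner: CN=localhost, OU=NIFI
"""

def parse_certs(text):
    """Return one dict per certificate: owner CN plus (type, value) SAN entries."""
    certs, in_san = [], False
    for line in (l.strip() for l in text.splitlines()):
        if re.fullmatch(r"Certificate\[\d+\]:", line):
            certs.append({"cn": None, "sans": []})
            in_san = False
        elif not certs:
            continue  # keystore header lines before the first certificate
        elif line.startswith("Owner:"):
            m = re.search(r"CN=([^,]+)", line)
            certs[-1]["cn"] = m.group(1).strip() if m else None
        elif line.startswith("SubjectAlternativeName"):
            in_san = True
        elif in_san and line == "]":
            in_san = False
        elif in_san and ":" in line:
            kind, value = line.split(":", 1)  # split once so IPv6 values survive
            certs[-1]["sans"].append((kind.strip(), value.strip()))
    return certs

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def audit_leaf(text):
    """Check the end-entity certificate (Certificate[1]) of a keystore listing."""
    leaf = parse_certs(text)[0]
    dns = [v for k, v in leaf["sans"] if k == "DNSName"]
    return {"cn_in_san": leaf["cn"] in dns, "ip_as_dnsname": [v for v in dns if is_ip(v)]}
```

Feeding it the real output of `keytool -list -v -keystore keystore.jks` works the same way, since lines before the first `Certificate[n]:` marker are skipped.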