Github user pepov commented on a diff in the pull request:
https://github.com/apache/nifi/pull/2927#discussion_r206455131
--- Diff: nifi-docs/src/main/asciidoc/administration-guide.adoc ---
@@ -281,6 +281,272 @@ After running the client you will have the CAâs
certificate, a keystore, a tru
For a client certificate that can be easily imported into the browser,
specify: `-T PKCS12`
+==== Using An Existing Intermediate Certificate Authority (CA)
+
+In some enterprise scenarios, a security/IT team may provide a signing
certificate that has already been signed by the organization's certificate
authority (CA). This *intermediate CA* can be used to sign the *node*
(sometimes referred to as *leaf*) certificates that will be installed on each
NiFi node. In order to inject the existing signing certificate into the toolkit
process, follow these steps:
+
+. Generate or obtain the signed intermediate CA keys in the following
format (see additional commands below):
+ * Public certificate in PEM format: `nifi-cert.pem`
+ * Private key in PEM format: `nifi-key.key`
+. Place the files in the *toolkit directory*. This is the directory where
the tool binary (usually called via the invoking script `tls-toolkit.sh` or
`tls-toolkit.bat`) is configured to output the signed certificates. *This is
not necessarily the directory where the binary is located or invoked*.
--- End diff --
At first it was a bit hard for me to understand. Maybe it could be reworded
to be simpler by just saying that we can run the toolkit from the directory
where the nifi-cert.pem and nifi-key.key files are located and the certs will
be generated under the same directory.
Optionally the toolkit can be run from any directory by specifing the path
of the nifi-cert.pem and nifi-key.key files and the target directory with a
single `-o` flag.
---
