[GitHub] nifi pull request #2927: NIFI-5473 Added section on using external signed CA...

[pepov]

Github user pepov commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/2927#discussion_r206455424
  
    --- Diff: nifi-docs/src/main/asciidoc/administration-guide.adoc ---
    @@ -281,6 +281,272 @@ After running the client you will have the CA’s 
certificate, a keystore, a tru
     
     For a client certificate that can be easily imported into the browser, 
specify: `-T PKCS12`
     
    +==== Using An Existing Intermediate Certificate Authority (CA)
    +
    +In some enterprise scenarios, a security/IT team may provide a signing 
certificate that has already been signed by the organization's certificate 
authority (CA). This *intermediate CA* can be used to sign the *node* 
(sometimes referred to as *leaf*) certificates that will be installed on each 
NiFi node. In order to inject the existing signing certificate into the toolkit 
process, follow these steps:
    +
    +. Generate or obtain the signed intermediate CA keys in the following 
format (see additional commands below):
    +  * Public certificate in PEM format: `nifi-cert.pem`
    +  * Private key in PEM format: `nifi-key.key`
    +. Place the files in the *toolkit directory*. This is the directory where 
the tool binary (usually called via the invoking script `tls-toolkit.sh` or 
`tls-toolkit.bat`) is configured to output the signed certificates. *This is 
not necessarily the directory where the binary is located or invoked*. 
    +  * For example, given the following scenario, the toolkit command can be 
run from its location as long as the output directory `-o` is `../hardcoded/`, 
and the existing `nifi-cert.pem` and `nifi-key.key` will be used.  
    +  ** e.g. `$ ./toolkit/bin/tls-toolkit.sh standalone -o ./hardcoded/ -n 
'node4.nifi.apache.org' -P thisIsABadPassword -S thisIsABadPassword -O` will 
result in a new directory at `./hardcoded/node4.nifi.apache.org` with a 
keystore and truststore containing a certificate signed by 
`./hardcoded/nifi-key.key`  
    +  * If the `-o` argument is not provided, the default working directory 
(`.`) must contain `nifi-cert.pem` and `nifi-key.key`
    +  ** e.g. `$ cd ./hardcoded/ && ../toolkit/bin/tls-toolkit.sh standalone 
-n 'node5.nifi.apache.org' -P thisIsABadPassword -S thisIsABadPassword -O` 
    +
    +```
    +🔓 0s @ 18:07:58 $ tree -L 2
    +.
    +├── hardcoded
    +│   ├── CN=myusername.hardcoded_OU=NiFi.p12
    --- End diff --
    
    there is no flags in the example commands indicating that client certs are 
generated here, so it may be confusing to see this without additional info


---