Github user andrewmlim commented on a diff in the pull request:
https://github.com/apache/nifi/pull/2927#discussion_r206584091
--- Diff: nifi-docs/src/main/asciidoc/administration-guide.adoc ---
@@ -281,6 +281,272 @@ After running the client you will have the CAâs
certificate, a keystore, a tru
For a client certificate that can be easily imported into the browser,
specify: `-T PKCS12`
+==== Using An Existing Intermediate Certificate Authority (CA)
+
+In some enterprise scenarios, a security/IT team may provide a signing
certificate that has already been signed by the organization's certificate
authority (CA). This *intermediate CA* can be used to sign the *node*
(sometimes referred to as *leaf*) certificates that will be installed on each
NiFi node. In order to inject the existing signing certificate into the toolkit
process, follow these steps:
+
+. Generate or obtain the signed intermediate CA keys in the following
format (see additional commands below):
+ * Public certificate in PEM format: `nifi-cert.pem`
+ * Private key in PEM format: `nifi-key.key`
+. Place the files in the *toolkit directory*. This is the directory where
the tool binary (usually called via the invoking script `tls-toolkit.sh` or
`tls-toolkit.bat`) is configured to output the signed certificates. *This is
not necessarily the directory where the binary is located or invoked*.
+ * For example, given the following scenario, the toolkit command can be
run from its location as long as the output directory `-o` is `../hardcoded/`,
and the existing `nifi-cert.pem` and `nifi-key.key` will be used.
+ ** e.g. `$ ./toolkit/bin/tls-toolkit.sh standalone -o ./hardcoded/ -n
'node4.nifi.apache.org' -P thisIsABadPassword -S thisIsABadPassword -O` will
result in a new directory at `./hardcoded/node4.nifi.apache.org` with a
keystore and truststore containing a certificate signed by
`./hardcoded/nifi-key.key`
+ * If the `-o` argument is not provided, the default working directory
(`.`) must contain `nifi-cert.pem` and `nifi-key.key`
+ ** e.g. `$ cd ./hardcoded/ && ../toolkit/bin/tls-toolkit.sh standalone
-n 'node5.nifi.apache.org' -P thisIsABadPassword -S thisIsABadPassword -O`
+
+```
+ð 0s @ 18:07:58 $ tree -L 2
+.
+âââ hardcoded
+â  âââ CN=myusername.hardcoded_OU=NiFi.p12
+â  âââ CN=myusername.hardcoded_OU=NiFi.password
+â  âââ nifi-cert.pem
+â  âââ nifi-key.key
+â  âââ node1.nifi.apache.org
+â  âââ node2.nifi.apache.org
+â  âââ node3.nifi.apache.org
+âââ toolkit
+ Â Â âââ LICENSE
+ Â Â âââ NOTICE
+ Â Â âââ README
+ Â Â âââ bin
+ Â Â âââ conf
+ Â Â âââ docs
+ Â Â âââ lib
+```
+
+===== Additional Commands
+
+The `nifi-cert.pem` and `nifi-key.key` files should be ASCII-armored
(Base64-encoded ASCII) files containing the CA public certificate and private
key respectively. Examples:
+
+```
+# The first command shows the actual content of the encoded file, and the
second parses it and shows the internal values
+
+.../certs $ more nifi-cert.pem
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+.../certs $ openssl x509 -in nifi-cert.pem -text -noout
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 01:64:de:33:79:03:00:00:00:00
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: OU=NIFI, CN=nifi-ca.nifi.apache.org
+ Validity
+ Not Before: Jul 28 00:04:32 2018 GMT
+ Not After : Jul 27 00:04:32 2021 GMT
+ Subject: OU=NIFI, CN=nifi-ca.nifi.apache.org
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:aa:45:6b:ac:2f:80:90:56:e3:9c:2a:6e:a5:2c:
+ bc:e2:d4:c5:0e:c4:55:50:85:98:8f:f9:36:a5:5c:
+ 02:d7:8e:4c:dd:ba:6b:d2:94:42:cc:bb:b3:a2:f0:
+ 23:14:29:93:e4:bf:a2:b1:3b:cd:8e:18:a8:9e:ca:
+ a2:7f:4e:c4:6d:df:cc:da:9b:18:13:f4:62:87:63:
+ 14:2e:c5:fa:2a:04:5e:d6:74:54:88:17:8a:17:4f:
+ 21:96:64:81:30:60:c5:3e:3d:fd:c8:3c:c4:fd:5f:
+ 5e:77:15:7f:28:68:d1:a9:58:30:fd:0c:b4:bf:06:
+ 92:e6:e5:9d:5e:72:c3:87:3a:15:e3:f3:33:ee:51:
+ a6:62:83:1a:b1:9d:6e:7b:19:47:f7:78:e3:06:5d:
+ 7e:10:52:f6:5e:86:b4:ea:82:db:12:88:c9:f5:32:
+ 9a:5a:1a:46:f2:27:ad:11:e7:5f:ed:63:34:ce:a0:
+ 44:cf:69:07:a3:d7:5d:16:4f:72:c6:20:a4:4f:84:
+ 94:2a:70:d6:92:1c:1c:fe:8e:ae:b3:5b:c4:5e:84:
+ b0:fa:d9:ae:7c:76:3f:03:78:15:8a:18:d6:3c:81:
+ b3:ab:22:c5:97:d2:6e:37:b0:b2:25:ea:64:55:5a:
+ 93:76:c9:01:1b:b4:bc:e4:6f:e4:06:58:b3:52:3e:
+ 63:3b
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Key Usage: critical
+ Digital Signature, Non Repudiation, Key Encipherment, Data
Encipherment, Key Agreement, Certificate Sign, CRL Sign
+ X509v3 Basic Constraints:
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 2A:25:81:29:B3:0C:43:5C:D4:69:B0:F8:80:8E:CB:54:E5:8E:73:2D
+ X509v3 Authority Key Identifier:
+
keyid:2A:25:81:29:B3:0C:43:5C:D4:69:B0:F8:80:8E:CB:54:E5:8E:73:2D
+
+ X509v3 Extended Key Usage:
+ TLS Web Client Authentication, TLS Web Server
Authentication
+ Signature Algorithm: sha256WithRSAEncryption
+ 31:7c:71:48:64:b3:b0:9b:02:2a:9d:22:3f:8a:bf:1f:fe:ec:
+ c3:32:ad:3a:00:f1:c6:76:17:5e:20:a5:74:1d:1e:f8:06:d2:
+ bd:e4:a1:60:e3:6c:de:5f:10:04:15:e8:9c:f7:c3:c2:fc:53:
+ d5:b4:aa:66:d9:65:1a:d6:c9:4c:07:ea:0f:db:b7:11:c7:96:
+ 67:af:6f:a9:92:d6:aa:9c:ce:df:d8:98:0c:78:9f:1b:76:e3:
+ 47:dd:15:24:af:d8:f0:82:47:09:47:0c:82:23:87:f0:1c:2f:
+ 64:d7:c6:a2:cc:d7:4e:7f:6a:b6:52:04:17:c4:d5:da:2d:83:
+ de:d7:b7:5e:b8:d5:70:c2:b7:e5:32:07:85:7d:5a:f0:6d:3d:
+ ae:3c:94:cc:46:2d:43:15:0c:9c:ea:16:85:e2:fb:0e:49:24:
+ 73:13:a3:b2:0e:87:3e:ff:53:e9:c8:f5:bb:e4:e7:92:5d:e5:
+ 42:6d:cd:c0:10:0b:d1:b9:36:4c:05:0b:c1:41:4a:95:33:9d:
+ 5e:30:31:be:2b:7a:c2:7a:27:92:04:f3:a7:18:da:c4:0b:f3:
+ e2:03:f0:af:68:c5:c1:12:88:3e:c4:f0:30:d5:28:18:7e:e0:
+ b3:e2:b9:4c:dc:17:51:6b:9e:33:df:ea:0e:95:cf:31:6f:37:
+ 7b:c3:c4:37
+```
+
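Review bot: The `-o` example contradicts itself: the prose says the toolkit can be run from its own location "as long as the output directory `-o` is `../hardcoded/`", but the command on the next line passes `-o ./hardcoded/` and then describes the result landing in `./hardcoded/node4.nifi.apache.org`; both should say `./hardcoded/`, which is also what the `tree -L 2` listing below (with `hardcoded` and `toolkit` as siblings of the working directory) implies. Two smaller points in the same section: the `-O` flag appears in both example commands without being explained, and since the procedure asks the operator to drop the intermediate CA's private key (`nifi-key.key`) into the toolkit output directory, a sentence on protecting that file and removing it once the node keystores have been generated belongs here, because anyone who can read it can mint certificates every NiFi node will trust. The listing also shows `CN=myusername.hardcoded_OU=NiFi.p12` and its `.password` file, which the text never mentions; either drop them from the listing or say where they come from.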
--- End diff --
Add a section title?
====== nifi-key.key