[GitHub] nifi pull request #2927: NIFI-5473 Added section on using external signed CA...

[alopresto]

Github user alopresto commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/2927#discussion_r206661946
  
    --- Diff: nifi-docs/src/main/asciidoc/administration-guide.adoc ---
    @@ -281,6 +281,272 @@ After running the client you will have the CA’s 
certificate, a keystore, a tru
     
     For a client certificate that can be easily imported into the browser, 
specify: `-T PKCS12`
     
    +==== Using An Existing Intermediate Certificate Authority (CA)
    +
    +In some enterprise scenarios, a security/IT team may provide a signing 
certificate that has already been signed by the organization's certificate 
authority (CA). This *intermediate CA* can be used to sign the *node* 
(sometimes referred to as *leaf*) certificates that will be installed on each 
NiFi node. In order to inject the existing signing certificate into the toolkit 
process, follow these steps:
    +
    +. Generate or obtain the signed intermediate CA keys in the following 
format (see additional commands below):
    +  * Public certificate in PEM format: `nifi-cert.pem`
    +  * Private key in PEM format: `nifi-key.key`
    +. Place the files in the *toolkit directory*. This is the directory where 
the tool binary (usually called via the invoking script `tls-toolkit.sh` or 
`tls-toolkit.bat`) is configured to output the signed certificates. *This is 
not necessarily the directory where the binary is located or invoked*. 
    +  * For example, given the following scenario, the toolkit command can be 
run from its location as long as the output directory `-o` is `../hardcoded/`, 
and the existing `nifi-cert.pem` and `nifi-key.key` will be used.  
    +  ** e.g. `$ ./toolkit/bin/tls-toolkit.sh standalone -o ./hardcoded/ -n 
'node4.nifi.apache.org' -P thisIsABadPassword -S thisIsABadPassword -O` will 
result in a new directory at `./hardcoded/node4.nifi.apache.org` with a 
keystore and truststore containing a certificate signed by 
`./hardcoded/nifi-key.key`  
    +  * If the `-o` argument is not provided, the default working directory 
(`.`) must contain `nifi-cert.pem` and `nifi-key.key`
    +  ** e.g. `$ cd ./hardcoded/ && ../toolkit/bin/tls-toolkit.sh standalone 
-n 'node5.nifi.apache.org' -P thisIsABadPassword -S thisIsABadPassword -O` 
    +
    +```
    +🔓 0s @ 18:07:58 $ tree -L 2
    +.
    +├── hardcoded
    +│   ├── CN=myusername.hardcoded_OU=NiFi.p12
    +│   ├── CN=myusername.hardcoded_OU=NiFi.password
    +│   ├── nifi-cert.pem
    +│   ├── nifi-key.key
    +│   ├── node1.nifi.apache.org
    +│   ├── node2.nifi.apache.org
    +│   └── node3.nifi.apache.org
    +└── toolkit
    +    ├── LICENSE
    +    ├── NOTICE
    +    ├── README
    +    ├── bin
    +    ├── conf
    +    ├── docs
    +    └── lib
    +```
    +
    +===== Additional Commands
    +
    +The `nifi-cert.pem` and `nifi-key.key` files should be ASCII-armored 
(Base64-encoded ASCII) files containing the CA public certificate and private 
key respectively. Examples:
    --- End diff --
    
    Do you mean dive into what the X509 structure contains? I think that falls 
outside the scope of this document. If someone is concerned with that, they 
probably don't need this guide. 


---