[jira] [Commented] (NIFI-5473) Add documentation for using intermediate CA with TLS toolkit

Fri, 03 Aug 2018 11:32:14 -0700 


    [ 
https://issues.apache.org/jira/browse/NIFI-5473?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16568592#comment-16568592
 ] 

ASF GitHub Bot commented on NIFI-5473:
--------------------------------------

Github user alopresto commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/2927#discussion_r207631101
  
    --- Diff: nifi-docs/src/main/asciidoc/administration-guide.adoc ---
    @@ -281,6 +281,272 @@ After running the client you will have the CA’s 
certificate, a keystore, a tru
     
     For a client certificate that can be easily imported into the browser, 
specify: `-T PKCS12`
     
    +==== Using An Existing Intermediate Certificate Authority (CA)
    +
    +In some enterprise scenarios, a security/IT team may provide a signing 
certificate that has already been signed by the organization's certificate 
authority (CA). This *intermediate CA* can be used to sign the *node* 
(sometimes referred to as *leaf*) certificates that will be installed on each 
NiFi node. In order to inject the existing signing certificate into the toolkit 
process, follow these steps:
    --- End diff --
    
    Yes, if the *root CA* signs *old/current intermediate CA* and *new CA*, and 
*root CA* is in the NiFi truststore, then certificates signed by both *old 
intermediate CA* and *new CA* will be trusted. You can read more about CA 
rollover in [IETF RFC 6489](https://tools.ietf.org/html/rfc6489). 
    
    Currently we do not and have no plans to insert the *root CA* certificate 
into the truststore. This will require new feature work if it is desired. 


> Add documentation for using intermediate CA with TLS toolkit
> ------------------------------------------------------------
>
>                 Key: NIFI-5473
>                 URL: https://issues.apache.org/jira/browse/NIFI-5473
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Documentation & Website, Security, Tools and Build
>    Affects Versions: 1.7.1
>            Reporter: Andy LoPresto
>            Assignee: Andy LoPresto
>            Priority: Major
>              Labels: certificate, documentation, security, tls, tls-toolkit
>             Fix For: 1.8.0
>
>
> With some manual work, the TLS toolkit can be used with a pre-existing 
> certificate and private key that has been signed by an organization's 
> certificate authority (CA) to sign toolkit-generated certificates. The Admin 
> Guide should be improved to cover the necessary steps. 
> When the separate "Security Guide" / "Toolkit Guide" is created, this content 
> should be migrated there. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to