Github user alopresto commented on a diff in the pull request:
https://github.com/apache/nifi/pull/2927#discussion_r207631101
--- Diff: nifi-docs/src/main/asciidoc/administration-guide.adoc ---
@@ -281,6 +281,272 @@ After running the client you will have the CAâs
certificate, a keystore, a tru
For a client certificate that can be easily imported into the browser,
specify: `-T PKCS12`
+==== Using An Existing Intermediate Certificate Authority (CA)
+
+In some enterprise scenarios, a security/IT team may provide a signing
certificate that has already been signed by the organization's certificate
authority (CA). This *intermediate CA* can be used to sign the *node*
(sometimes referred to as *leaf*) certificates that will be installed on each
NiFi node. In order to inject the existing signing certificate into the toolkit
process, follow these steps:
--- End diff --
Yes, if the *root CA* signs *old/current intermediate CA* and *new CA*, and
*root CA* is in the NiFi truststore, then certificates signed by both *old
intermediate CA* and *new CA* will be trusted. You can read more about CA
rollover in [IETF RFC 6489](https://tools.ietf.org/html/rfc6489).
Currently we do not and have no plans to insert the *root CA* certificate
into the truststore. This will require new feature work if it is desired.
---
