alopresto commented on issue #3457: NIFI-4247 Support ranges in `tls-toolkit` SAN cli option.
URL: https://github.com/apache/nifi/pull/3457#issuecomment-489286383

Troy, this looks like great work. I would like to see more explicit unit test cases added, but I understand that the toolkit testing can sometimes be difficult because of the tight coupling with `System.exit()`, etc. I ran a number of scenarios and I've pasted my results below to document.

## Static hostname, no SAN

Expected output: 1 generated keystore containing 1 certificate with single hostname and 1 SAN entry (1 hostname)

```
...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉 🔓 0s @ 19:06:33 $ ./bin/tls-toolkit.sh standalone -n static.nifi.apache.org
2019/05/03 19:06:47 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No nifiPropertiesFile specified, using embedded one.
2019/05/03 19:06:47 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone certificate generation with output directory ../nifi-toolkit-1.10.0-SNAPSHOT
2019/05/03 19:06:48 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Generated new CA certificate ../nifi-toolkit-1.10.0-SNAPSHOT/nifi-cert.pem and key ../nifi-toolkit-1.10.0-SNAPSHOT/nifi-key.key
2019/05/03 19:06:48 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Hostname count does not match given alternate name count. Verify names in resulting certificate.
2019/05/03 19:06:48 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl configuration to ../nifi-toolkit-1.10.0-SNAPSHOT/static.nifi.apache.org
2019/05/03 19:06:48 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated TLS configuration for static.nifi.apache.org 1 in ../nifi-toolkit-1.10.0-SNAPSHOT/static.nifi.apache.org
2019/05/03 19:06:48 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No clientCertDn specified, not generating any client certificates.
2019/05/03 19:06:48 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit standalone completed successfully

...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉 🔓 1s @ 19:06:48 $ keytool -list -v -keystore static.nifi.apache.org/keystore.jks
...
Your keystore contains 1 entry

Alias name: nifi-key
Creation date: May 3, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=static.nifi.apache.org, OU=NIFI
Issuer: CN=localhost, OU=NIFI
...
#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: static.nifi.apache.org
]
...
```

### Notes:

* Remove log output that "hostname count does not match SAN count" when no SAN provided

## Static hostname, static SAN

Expected output: 1 generated keystore containing 1 certificate with single hostname and 2 SAN entries (1 hostname, 1 alternate name)

```
...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉 🔓 0s @ 19:09:43 $ ./bin/tls-toolkit.sh standalone -n static.nifi.apache.org --subjectAlternativeName alternative.nifi.apache.org
2019/05/03 19:10:13 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No nifiPropertiesFile specified, using embedded one.
2019/05/03 19:10:13 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone certificate generation with output directory ../nifi-toolkit-1.10.0-SNAPSHOT
2019/05/03 19:10:13 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Verifying the certificate signature for CN=localhost,OU=NIFI
2019/05/03 19:10:13 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Attempting to verify certificate CN=localhost,OU=NIFI signature with CN=localhost,OU=NIFI
2019/05/03 19:10:13 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Certificate was signed by CN=localhost,OU=NIFI
2019/05/03 19:10:13 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing CA certificate ../nifi-toolkit-1.10.0-SNAPSHOT/nifi-cert.pem and key ../nifi-toolkit-1.10.0-SNAPSHOT/nifi-key.key
2019/05/03 19:10:13 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl configuration to ../nifi-toolkit-1.10.0-SNAPSHOT/static.nifi.apache.org
2019/05/03 19:10:13 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated TLS configuration for static.nifi.apache.org 1 in ../nifi-toolkit-1.10.0-SNAPSHOT/static.nifi.apache.org
2019/05/03 19:10:13 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No clientCertDn specified, not generating any client certificates.
2019/05/03 19:10:13 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit standalone completed successfully

...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉 🔓 1s @ 19:10:13 $ keytool -list -v -keystore static.nifi.apache.org/keystore.jks
...
Your keystore contains 1 entry

Alias name: nifi-key
Creation date: May 3, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=static.nifi.apache.org, OU=NIFI
Issuer: CN=localhost, OU=NIFI
...
#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: static.nifi.apache.org
  DNSName: alternative.nifi.apache.org
]
```

## Dynamic hostname, static SAN

Expected output: 2 generated keystores each containing 1 certificate with single hostname and 2 SAN entries (1 (dynamic) hostname, 1 static alternate name)

```
...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉 🔓 0s @ 19:12:23 $ ./bin/tls-toolkit.sh standalone -n node[1-2].nifi.apache.org --subjectAlternativeName alternative.nifi.apache.org
2019/05/03 19:12:43 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No nifiPropertiesFile specified, using embedded one.
2019/05/03 19:12:43 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone certificate generation with output directory ../nifi-toolkit-1.10.0-SNAPSHOT
2019/05/03 19:12:43 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Verifying the certificate signature for CN=localhost,OU=NIFI
2019/05/03 19:12:43 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Attempting to verify certificate CN=localhost,OU=NIFI signature with CN=localhost,OU=NIFI
2019/05/03 19:12:43 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Certificate was signed by CN=localhost,OU=NIFI
2019/05/03 19:12:43 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing CA certificate ../nifi-toolkit-1.10.0-SNAPSHOT/nifi-cert.pem and key ../nifi-toolkit-1.10.0-SNAPSHOT/nifi-key.key
2019/05/03 19:12:43 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl configuration to ../nifi-toolkit-1.10.0-SNAPSHOT/node1.nifi.apache.org
2019/05/03 19:12:43 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated TLS configuration for node1.nifi.apache.org 1 in ../nifi-toolkit-1.10.0-SNAPSHOT/node1.nifi.apache.org
2019/05/03 19:12:43 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl configuration to ../nifi-toolkit-1.10.0-SNAPSHOT/node2.nifi.apache.org
2019/05/03 19:12:43 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated TLS configuration for node2.nifi.apache.org 1 in ../nifi-toolkit-1.10.0-SNAPSHOT/node2.nifi.apache.org
2019/05/03 19:12:43 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No clientCertDn specified, not generating any client certificates.
2019/05/03 19:12:43 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit standalone completed successfully

...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉 🔓 1s @ 19:12:44 $ keytool -list -v -keystore node1.nifi.apache.org/keystore.jks
...
Your keystore contains 1 entry

Alias name: nifi-key
Creation date: May 3, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=node1.nifi.apache.org, OU=NIFI
Issuer: CN=localhost, OU=NIFI
...
#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: node1.nifi.apache.org
  DNSName: alternative.nifi.apache.org
]
...

...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉 🔓 1s @ 19:13:04 $ keytool -list -v -keystore node2.nifi.apache.org/keystore.jks
...
Your keystore contains 1 entry

Alias name: nifi-key
Creation date: May 3, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=node2.nifi.apache.org, OU=NIFI
Issuer: CN=localhost, OU=NIFI
...
#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: node2.nifi.apache.org
  DNSName: alternative.nifi.apache.org
]
...
```

## Dynamic hostname, dynamic SAN (same range)

Expected output: 2 generated keystores each containing 1 certificate with single hostname and 2 SAN entries (1 (dynamic) hostname, 1 (dynamic) SAN)

```
...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉 🔓 0s @ 19:15:33 $ ./bin/tls-toolkit.sh standalone -n node[1-2].nifi.apache.org --subjectAlternativeName alternative[1-2].nifi.apache.org
2019/05/03 19:15:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No nifiPropertiesFile specified, using embedded one.
2019/05/03 19:15:45 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone certificate generation with output directory ../nifi-toolkit-1.10.0-SNAPSHOT
2019/05/03 19:15:45 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Verifying the certificate signature for CN=localhost,OU=NIFI
2019/05/03 19:15:45 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Attempting to verify certificate CN=localhost,OU=NIFI signature with CN=localhost,OU=NIFI
2019/05/03 19:15:45 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Certificate was signed by CN=localhost,OU=NIFI
2019/05/03 19:15:45 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing CA certificate ../nifi-toolkit-1.10.0-SNAPSHOT/nifi-cert.pem and key ../nifi-toolkit-1.10.0-SNAPSHOT/nifi-key.key
2019/05/03 19:15:45 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using alternate name alternative1.nifi.apache.org with hostname node1.nifi.apache.org.
2019/05/03 19:15:45 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl configuration to ../nifi-toolkit-1.10.0-SNAPSHOT/node1.nifi.apache.org
2019/05/03 19:15:45 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated TLS configuration for node1.nifi.apache.org 1 in ../nifi-toolkit-1.10.0-SNAPSHOT/node1.nifi.apache.org
2019/05/03 19:15:45 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using alternate name alternative2.nifi.apache.org with hostname node2.nifi.apache.org.
2019/05/03 19:15:45 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl configuration to ../nifi-toolkit-1.10.0-SNAPSHOT/node2.nifi.apache.org
2019/05/03 19:15:45 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated TLS configuration for node2.nifi.apache.org 1 in ../nifi-toolkit-1.10.0-SNAPSHOT/node2.nifi.apache.org
2019/05/03 19:15:45 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No clientCertDn specified, not generating any client certificates.
2019/05/03 19:15:45 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit standalone completed successfully

...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉 🔓 1s @ 19:15:45 $ keytool -list -v -keystore node1.nifi.apache.org/keystore.jks
...
Your keystore contains 1 entry

Alias name: nifi-key
Creation date: May 3, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=node1.nifi.apache.org, OU=NIFI
Issuer: CN=localhost, OU=NIFI
...
#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: node1.nifi.apache.org
  DNSName: alternative1.nifi.apache.org
]
...

...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉 🔓 1s @ 19:15:52 $ keytool -list -v -keystore node2.nifi.apache.org/keystore.jks
...
Your keystore contains 1 entry

Alias name: nifi-key
Creation date: May 3, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=node2.nifi.apache.org, OU=NIFI
Issuer: CN=localhost, OU=NIFI
...
#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: node2.nifi.apache.org
  DNSName: alternative2.nifi.apache.org
]
...
```

## Dynamic hostname, dynamic SAN (different range values; same range length)

Expected output: 2 generated keystores each containing 1 certificate with single hostname and 2 SAN entries (1 (dynamic) hostname, 1 (dynamic) SAN)

```
...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉 🔓 0s @ 19:17:42 $ ./bin/tls-toolkit.sh standalone -n node[1-2].nifi.apache.org --subjectAlternativeName alternative[3-4].nifi.apache.org
2019/05/03 19:17:54 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No nifiPropertiesFile specified, using embedded one.
2019/05/03 19:17:55 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone certificate generation with output directory ../nifi-toolkit-1.10.0-SNAPSHOT
2019/05/03 19:17:55 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Verifying the certificate signature for CN=localhost,OU=NIFI
2019/05/03 19:17:55 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Attempting to verify certificate CN=localhost,OU=NIFI signature with CN=localhost,OU=NIFI
2019/05/03 19:17:55 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Certificate was signed by CN=localhost,OU=NIFI
2019/05/03 19:17:55 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing CA certificate ../nifi-toolkit-1.10.0-SNAPSHOT/nifi-cert.pem and key ../nifi-toolkit-1.10.0-SNAPSHOT/nifi-key.key
2019/05/03 19:17:55 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using alternate name alternative3.nifi.apache.org with hostname node1.nifi.apache.org.
2019/05/03 19:17:55 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl configuration to ../nifi-toolkit-1.10.0-SNAPSHOT/node1.nifi.apache.org
2019/05/03 19:17:55 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated TLS configuration for node1.nifi.apache.org 1 in ../nifi-toolkit-1.10.0-SNAPSHOT/node1.nifi.apache.org
2019/05/03 19:17:55 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using alternate name alternative4.nifi.apache.org with hostname node2.nifi.apache.org.
2019/05/03 19:17:55 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl configuration to ../nifi-toolkit-1.10.0-SNAPSHOT/node2.nifi.apache.org
2019/05/03 19:17:55 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated TLS configuration for node2.nifi.apache.org 1 in ../nifi-toolkit-1.10.0-SNAPSHOT/node2.nifi.apache.org
2019/05/03 19:17:55 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No clientCertDn specified, not generating any client certificates.
2019/05/03 19:17:55 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit standalone completed successfully

...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉 🔓 1s @ 19:17:56 $ keytool -list -v -keystore node1.nifi.apache.org/keystore.jks
...
Your keystore contains 1 entry

Alias name: nifi-key
Creation date: May 3, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=node1.nifi.apache.org, OU=NIFI
Issuer: CN=localhost, OU=NIFI
...
#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: node1.nifi.apache.org
  DNSName: alternative3.nifi.apache.org
]
...

...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉 🔓 1s @ 19:18:00 $ keytool -list -v -keystore node2.nifi.apache.org/keystore.jks
...
Your keystore contains 1 entry

Alias name: nifi-key
Creation date: May 3, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=node2.nifi.apache.org, OU=NIFI
Issuer: CN=localhost, OU=NIFI
...
#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: node2.nifi.apache.org
  DNSName: alternative4.nifi.apache.org
]
...
```

## Dynamic hostname, dynamic SAN (different range values; different range length)

Expected output: 2 generated keystores each containing 1 certificate with single hostname and 4 SAN entries (1 (dynamic) hostname, 3 (exhaustive) SAN)

```
...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉 🔓 0s @ 19:20:06 $ ./bin/tls-toolkit.sh standalone -n node[1-2].nifi.apache.org --subjectAlternativeName alternative[5-7].nifi.apache.org
2019/05/03 19:20:23 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No nifiPropertiesFile specified, using embedded one.
2019/05/03 19:20:23 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone certificate generation with output directory ../nifi-toolkit-1.10.0-SNAPSHOT
2019/05/03 19:20:23 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Verifying the certificate signature for CN=localhost,OU=NIFI
2019/05/03 19:20:23 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Attempting to verify certificate CN=localhost,OU=NIFI signature with CN=localhost,OU=NIFI
2019/05/03 19:20:23 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Certificate was signed by CN=localhost,OU=NIFI
2019/05/03 19:20:23 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing CA certificate ../nifi-toolkit-1.10.0-SNAPSHOT/nifi-cert.pem and key ../nifi-toolkit-1.10.0-SNAPSHOT/nifi-key.key
2019/05/03 19:20:23 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Hostname count does not match given alternate name count. Verify names in resulting certificate.
2019/05/03 19:20:23 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl configuration to ../nifi-toolkit-1.10.0-SNAPSHOT/node1.nifi.apache.org
2019/05/03 19:20:24 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated TLS configuration for node1.nifi.apache.org 1 in ../nifi-toolkit-1.10.0-SNAPSHOT/node1.nifi.apache.org
2019/05/03 19:20:24 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Hostname count does not match given alternate name count. Verify names in resulting certificate.
2019/05/03 19:20:24 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl configuration to ../nifi-toolkit-1.10.0-SNAPSHOT/node2.nifi.apache.org
2019/05/03 19:20:24 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated TLS configuration for node2.nifi.apache.org 1 in ../nifi-toolkit-1.10.0-SNAPSHOT/node2.nifi.apache.org
2019/05/03 19:20:24 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No clientCertDn specified, not generating any client certificates.
2019/05/03 19:20:24 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit standalone completed successfully

...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉 🔓 1s @ 19:20:24 $ keytool -list -v -keystore node1.nifi.apache.org/keystore.jks
...
Your keystore contains 1 entry

Alias name: nifi-key
Creation date: May 3, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=node1.nifi.apache.org, OU=NIFI
Issuer: CN=localhost, OU=NIFI
...
#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: node1.nifi.apache.org
  DNSName: alternative5.nifi.apache.org
  DNSName: alternative6.nifi.apache.org
  DNSName: alternative7.nifi.apache.org
]
...

...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉 🔓 1s @ 19:20:33 $ keytool -list -v -keystore node2.nifi.apache.org/keystore.jks
...
Your keystore contains 1 entry

Alias name: nifi-key
Creation date: May 3, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=node2.nifi.apache.org, OU=NIFI
Issuer: CN=localhost, OU=NIFI
...
#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: node2.nifi.apache.org
  DNSName: alternative5.nifi.apache.org
  DNSName: alternative6.nifi.apache.org
  DNSName: alternative7.nifi.apache.org
]
...
```

## Dynamic hostname, dynamic SAN (different range values; same range length; reverse order)

Expected output: 2 generated keystores each containing 1 certificate with single hostname and 2 SAN entries (1 (dynamic) hostname, 1 (dynamic) SAN)

```
...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉 🔓 0s @ 19:22:47 $ ./bin/tls-toolkit.sh standalone -n node[1-2].nifi.apache.org --subjectAlternativeName alternative[2-1].nifi.apache.org
2019/05/03 19:22:58 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No nifiPropertiesFile specified, using embedded one.
2019/05/03 19:22:58 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone certificate generation with output directory ../nifi-toolkit-1.10.0-SNAPSHOT
2019/05/03 19:22:58 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Verifying the certificate signature for CN=localhost,OU=NIFI
2019/05/03 19:22:58 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Attempting to verify certificate CN=localhost,OU=NIFI signature with CN=localhost,OU=NIFI
2019/05/03 19:22:58 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Certificate was signed by CN=localhost,OU=NIFI
2019/05/03 19:22:58 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing CA certificate ../nifi-toolkit-1.10.0-SNAPSHOT/nifi-cert.pem and key ../nifi-toolkit-1.10.0-SNAPSHOT/nifi-key.key
2019/05/03 19:22:58 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Hostname count does not match given alternate name count. Verify names in resulting certificate.
2019/05/03 19:22:58 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl configuration to ../nifi-toolkit-1.10.0-SNAPSHOT/node1.nifi.apache.org
2019/05/03 19:22:58 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated TLS configuration for node1.nifi.apache.org 1 in ../nifi-toolkit-1.10.0-SNAPSHOT/node1.nifi.apache.org
2019/05/03 19:22:58 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Hostname count does not match given alternate name count. Verify names in resulting certificate.
2019/05/03 19:22:58 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl configuration to ../nifi-toolkit-1.10.0-SNAPSHOT/node2.nifi.apache.org
2019/05/03 19:22:59 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated TLS configuration for node2.nifi.apache.org 1 in ../nifi-toolkit-1.10.0-SNAPSHOT/node2.nifi.apache.org
2019/05/03 19:22:59 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No clientCertDn specified, not generating any client certificates.
2019/05/03 19:22:59 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit standalone completed successfully

...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉 🔓 2s @ 19:22:59 $ keytool -list -v -keystore node1.nifi.apache.org/keystore.jks
...
Your keystore contains 1 entry

Alias name: nifi-key
Creation date: May 3, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=node1.nifi.apache.org, OU=NIFI
Issuer: CN=localhost, OU=NIFI
...
#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: node1.nifi.apache.org
]
...

...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉 🔓 1s @ 19:23:07 $ keytool -list -v -keystore node2.nifi.apache.org/keystore.jks
...
Your keystore contains 1 entry

Alias name: nifi-key
Creation date: May 3, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=node2.nifi.apache.org, OU=NIFI
Issuer: CN=localhost, OU=NIFI
...
#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: node2.nifi.apache.org
]
...
```

### Notes:

* No SANs (other than explicit hostname) populated; no error thrown
* Either calculate reversed range, or throw exception early

## Dynamic hostname, dynamic SAN (different range values; range is non-numeric)

Expected output: 2 generated keystores each containing 1 certificate with single hostname and 2 SAN entries (1 (dynamic) hostname, 1 (dynamic) SAN) _or_ early exception

```
...NAPSHOT-bin/nifi-toolkit-1.10.0-SNAPSHOT (pr3457) 😉 🔓 0s @ 19:25:08 $ ./bin/tls-toolkit.sh standalone -n node[1-2].nifi.apache.org --subjectAlternativeName alternative[A-B].nifi.apache.org
Service standalone error: Expected either one number or two separated by a single hyphen

Usage: tls-toolkit service [-h] [args]

Services:
   standalone: Creates certificates and config files for nifi cluster.
   server: Acts as a Certificate Authority that can be used by clients to get Certificates
   client: Generates a private key and gets it signed by the certificate authority.
   status: Checks the status of an HTTPS endpoint by making a GET request using a supplied keystore and truststore.
```
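The range and pairing rules that the scenarios in the comment above exercise, written out as an added example. This is not the toolkit's own code: `expand_range`, `plan_sans`, `sans_from_keytool` and `verify_keystore_sans` are names chosen for this example, and the `keytool` listing embedded in it is constructed to mirror the node1 listing of the `alternative[5-7]` scenario. The model reproduces the SAN lists seen in the listings (hostname always first; positional pairing when the expanded SAN list is the same length as the hostname list; every SAN on every host otherwise), rejects a non-numeric range as the toolkit does, and takes the "throw exception early" option from the notes for a reversed range such as `[2-1]` instead of the observed silent empty expansion. It also adds the check a reviewer wants after generation: pull the `DNSName` entries out of a `keytool -list -v` listing of the produced keystore and compare them with what was planned.

```python
"""Model of tls-toolkit SAN-range semantics and a keystore SAN check.

Added example, not NiFi toolkit code. Function names are this example's own;
the keytool listing below is constructed, not captured from a real run.
"""
import re
from typing import Dict, List, Optional

# name[lo-hi] with a single bracket group; prefix/suffix must not contain brackets.
RANGE_RE = re.compile(r"^(?P<prefix>[^\[\]]*)\[(?P<body>[^\[\]]*)\](?P<suffix>[^\[\]]*)$")
BODY_RE = re.compile(r"[0-9]+(-[0-9]+)?")
SAN_BLOCK_RE = re.compile(r"SubjectAlternativeName \[(.*?)\]", re.S)
DNS_RE = re.compile(r"DNSName:\s*(\S+)")


def expand_range(pattern: str) -> List[str]:
    """Expand 'node[1-3].example' into ['node1.example', 'node2.example', 'node3.example'].

    A pattern without brackets expands to itself. The bracket body must be one
    number or two numbers joined by a single hyphen, so 'alternative[A-B]' is
    rejected up front. A reversed range ('[2-1]') is rejected as well rather
    than expanding to nothing; that is this example's choice, not toolkit behaviour.
    """
    m = RANGE_RE.match(pattern)
    if m is None:
        if "[" in pattern or "]" in pattern:
            raise ValueError(f"malformed range in {pattern!r}")
        return [pattern]
    body = m.group("body")
    if not BODY_RE.fullmatch(body):
        raise ValueError("Expected either one number or two separated by a single hyphen")
    nums = [int(p) for p in body.split("-")]
    lo, hi = nums[0], nums[-1]
    if lo > hi:
        raise ValueError(f"reversed range {body!r} in {pattern!r}")
    return [f"{m.group('prefix')}{i}{m.group('suffix')}" for i in range(lo, hi + 1)]


def plan_sans(hostname_pattern: str, san_pattern: Optional[str] = None) -> Dict[str, List[str]]:
    """Return {hostname: [expected SAN entries]} for one toolkit invocation.

    The hostname is always the first SAN. With no SAN option it is the only
    one. When the expanded SAN list is the same length as the hostname list
    the two are paired by position; otherwise every hostname gets all SANs.
    """
    hosts = expand_range(hostname_pattern)
    if san_pattern is None:
        return {h: [h] for h in hosts}
    sans = expand_range(san_pattern)
    if len(sans) == len(hosts):
        return {h: [h, s] for h, s in zip(hosts, sans)}
    return {h: [h] + sans for h in hosts}


def sans_from_keytool(keytool_output: str) -> List[str]:
    """Extract DNSName entries of the end-entity certificate from `keytool -list -v` output.

    Only Certificate[1] (the node's own certificate) is inspected; the CA
    certificate that follows as Certificate[2] in the chain is dropped first.
    """
    entity = keytool_output.split("Certificate[2]:", 1)[0]
    block = SAN_BLOCK_RE.search(entity)
    if block is None:
        return []
    return DNS_RE.findall(block.group(1))


def verify_keystore_sans(hostname: str, plan: Dict[str, List[str]], keytool_output: str) -> bool:
    """True when the keystore listing carries exactly the planned SANs (order-insensitive)."""
    return sorted(sans_from_keytool(keytool_output)) == sorted(plan[hostname])


def rejected(pattern: str) -> bool:
    """True when expand_range refuses the pattern."""
    try:
        expand_range(pattern)
    except ValueError:
        return True
    return False


# Constructed keytool listing (trimmed like the ones in the comment) for the
# node1 keystore of the node[1-2] / alternative[5-7] scenario.
SAMPLE_KEYTOOL_OUTPUT = """\
Your keystore contains 1 entry

Alias name: nifi-key
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=node1.nifi.apache.org, OU=NIFI
Issuer: CN=localhost, OU=NIFI
#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: node1.nifi.apache.org
  DNSName: alternative5.nifi.apache.org
  DNSName: alternative6.nifi.apache.org
  DNSName: alternative7.nifi.apache.org
]
Certificate[2]:
Owner: CN=localhost, OU=NIFI
Issuer: CN=localhost, OU=NIFI
"""

if __name__ == "__main__":
    plan = plan_sans("node[1-2].nifi.apache.org", "alternative[5-7].nifi.apache.org")
    for host, names in plan.items():
        print(host, "->", names)
    print("node1 keystore matches plan:",
          verify_keystore_sans("node1.nifi.apache.org", plan, SAMPLE_KEYTOOL_OUTPUT))
    for bad in ("alternative[2-1].nifi.apache.org", "alternative[A-B].nifi.apache.org"):
        print(bad, "rejected:", rejected(bad))
```

To use the check against a real run, pipe `keytool -list -v -keystore <host>/keystore.jks` into `sans_from_keytool` and compare with `plan_sans(<hostname option>, <SAN option>)` for each generated host; a mismatch means the certificate will not present the name a peer connects to and hostname verification will fail at runtime.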