Details
-
Improvement
-
Status: Resolved
-
Major
-
Resolution: Won't Do
-
None
-
None
-
None
-
None
Description
given the growing acceptance of namedConstraints in the browser space, it would be great if tls-toolkit certificates used the extension.
nameConstraints are an extension to x.509 that allow CA certificates to be constrained on the range the subjects they can "certify". One could for example, restrict certificates by the nifinode00.nifi.lab.example.com" to only issue certificates to "*.nifi.lab.example.com"
Consequentially the main rationale to use this technique is to allow users to install the tls-toolkit issued CA on browsers, knowing that that trusted CA can only be used to issue certificates to subjects within the "nifi.lab.example.com" namespace.
Once this is implemented, we could then consider both NiFi nodes and MiNiFi agents against a beefed version of tls-toolkit (via shared secret + approval), greatly reducing dependency on external certificates, without compromising the gains the toolkit offers to the customer base.
Attachments
Issue Links
- is related to
-
NIFI-12200 Remove nifi-toolkit-tls module
-
- Resolved
-