Uploaded image for project: 'Apache NiFi'
  1. Apache NiFi
  2. NIFI-4247

TLS Toolkit should parse regex in SAN fields

    XMLWordPrintableJSON

Details

    Description

      Similar to the way the TLS Toolkit can generate multiple certificates with one command through parsing some minimal regular expression syntax in the hostname field, the SAN field should be processed the same way. Currently, a command which generates three hosts via -n "server[1-3].com" cannot have the corresponding SAN entries provided inline. Once NIFI-4222 is implemented, the hostname will be present in the SAN list by default, but if there are additional desired entries, the command must be split and run individually.

      Example:

      Desired hostname Desired SAN
      server1.com server1.com, otherserver1.com
      server2.com server2.com, otherserver2.com
      server3.com server3.com, otherserver3.com 
      $ ./bin/tls-toolkit.sh standalone -n "server[1-3].com" --subjectAlternativeNames "otherserver[1-3].com"

      Currently, this must be run as: 

      $ ./bin/tls-toolkit.sh standalone -n "server1.com" --subjectAlternativeNames "otherserver1.com"
$ ./bin/tls-toolkit.sh standalone -n "server2.com" --subjectAlternativeNames "otherserver2.com"
$ ./bin/tls-toolkit.sh standalone -n "server3.com" --subjectAlternativeNames "otherserver3.com"

      The ranges should be checked for length equality, but need not necessarily be identical. For example:

      $ ./bin/tls-toolkit.sh standalone -n "server[1-3].com" --subjectAlternativeNames "otherserver[4-6].com"

      Today, if you don't care about SAN values, this is achievable with:

      $ ./bin/tls-toolkit.sh standalone -n "server[1-3].com"

      Attachments

        Issue Links

          Is contained by

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. NIFI-5458 Improve NiFi TLS and certificate management

          • Major - Major loss of function.
          • Resolved
          is related to

          Bug - A problem which impairs or prevents the functions of the product. NIFI-6178 Certificates generated for "localhost" need to have IP as a SAN in Java 11

          • Blocker - Blocks development and/or testing work, production could not run
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. NIFI-4222 TLS Toolkit should provide SAN by default

          • Major - Major loss of function.
          • Resolved
          links to

          Web Link GitHub Pull Request #3457

          Web Link GitHub Pull Request #3466

          Activity

            People

              tmelhase Troy Melhase
              alopresto Andy LoPresto
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 2h 20m
                  2h 20m