Details
- Improvement
- Status: Resolved
- Major
- Resolution: Duplicate
- None
- None
Description
Original details are here.
link certificate chain of trust
When running the NiFi toolkit ../bin/tls-toolkit.sh server, how do I get the server to include an additional public certificate of authority in the truststore.jks file?
I was looking through the nifi-toolkit-tls code.
For the start sequences of the
../bin/tls-toolkit.sh server
I would like to recommend an additional option in the client (or server mode)
--additionalTrust=[keystore alias],[keystore alias],[keystore alias]
What this would do is, when a client calls the tls-toolkit.sh server, the server would extract these aliases stored in the nifi-ca-keystore.jks and add them to the returned truststore.jks file.
Example:
--additionalTrust: nifi-cli, digicert, myca
There seems to be a feature in
../bin/tls-toolkit.sh standalone
--additionalCACertificate
Which might be a similar feature.
This would allow an enterprise that installs MITM proxies to include additional certificates into the trust chain.
Issue Links
- duplicates NIFI-5460 TLS Toolkit should allow custom CAs to be added to generated truststores (Resolved)
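
The alias-based copy requested in the description can be carried out by hand against the two keystore files. The Java program below is an added example, not code from the NiFi TLS Toolkit or from the reporter; the class name AddTrustedCas and its argument order are assumptions made for illustration.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

// Added example (hypothetical helper, not part of the NiFi TLS Toolkit): copies
// public CA certificates, selected by alias, from a JKS keystore into a truststore.
public class AddTrustedCas {
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, password);
        }
        return ks;
    }

    // Args: <caKeystore> <caPass> <truststore> <trustPass> <alias>[,<alias>...]
    // Passwords on argv are visible to other local users; acceptable for a demo only.
    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            throw new IllegalArgumentException("expected 5 arguments, see comment above main");
        }
        KeyStore source = load(args[0], args[1].toCharArray());
        char[] trustPass = args[3].toCharArray();
        KeyStore trust = load(args[2], trustPass);
        for (String alias : args[4].split("\\s*,\\s*")) {
            // getCertificate returns only the public certificate; getKey is never
            // called, so no private key from the CA keystore reaches the truststore.
            Certificate cert = source.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                throw new IllegalArgumentException("No X.509 certificate under alias: " + alias);
            }
            X509Certificate x509 = (X509Certificate) cert;
            if (x509.getBasicConstraints() < 0) { // -1 means "not a CA"
                throw new IllegalArgumentException("Not a CA certificate: " + alias);
            }
            x509.checkValidity(); // throws if expired or not yet valid
            if (trust.containsAlias(alias)) { // never silently replace a trust anchor
                throw new IllegalStateException("Alias already in truststore: " + alias);
            }
            trust.setCertificateEntry(alias, x509);
        }
        // Reached only if every alias passed the checks above.
        try (OutputStream out = Files.newOutputStream(Paths.get(args[2]))) {
            trust.store(out, trustPass);
        }
    }
}
```

Every alias added this way becomes a trust anchor for all peers that use the truststore, so the alias list should be reviewed as carefully as the CA keystore itself.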