question How to extend the Self-Signed Certificate validity in Support Questions

How to extend the Self-Signed Certificate validity

EddyChan — Tue, 02 Apr 2024 08:58:28 GMT

Hi All community/Support,

I would like to ask how to extend this self-signed certificate validity to 6 months. As per default was 60 days. May i know which section of the code that setting this 60 days validity during start-up?

2024-04-02 07:32:08,803 INFO [main] org.apache.nifi.bootstrap.Command Generating Self-Signed Certificate: Expires on 2024-06-01 2024-04-02 07:32:11,796 INFO [main] org.apache.nifi.bootstrap.Command Generated Self-Signed Certificate SHA-256: 4XXXXXXXXXXXXXXXXXXXXXXX

Appreciate if someone could help point out.

Re: How to extend the Self-Signed Certificate validity

MattWho — Tue, 02 Apr 2024 13:16:26 GMT

@EddyChan

The out-of-box Apache NiFi self-signed certificate generation was added to make it easy for first time users to experiment with a secure NiFi instance. Just like the Single user authentication and and single user authorizer, these were not intended to be used for long term or production use cases. There is no configuration option to extend the lifetime.

For long term use or production setups, you should be generating your own signed certificates for use in your NiFi (preferable signed by a trusted authority rather then being self-signed).

You could use the NiFi TLS toolkit still available in the Apache NiFi 1.x releases to generate your own certificates for keystore and truststore.
You could generate your own following guidelines for NiFi certificates:
Security Configuration
You could use a free online service to generate certificates.

Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

Re: How to extend the Self-Signed Certificate validity

EddyChan — Tue, 09 Apr 2024 02:16:21 GMT

Hi Matt, thanks for the suggestion to use TLS Toolkit, but is there any way to disable/prevent the nifi run the self-signed certificate during startup?

Re: How to extend the Self-Signed Certificate validity

EddyChan — Tue, 09 Apr 2024 02:17:01 GMT

Hi Matt, thanks for the suggestion to use TLS Toolkit, but is there any way to disable/prevent the nifi run the self-signed certificate during startup?

Re: How to extend the Self-Signed Certificate validity

MattWho — Mon, 15 Apr 2024 12:31:21 GMT

@EddyChan

NiFi should only be generating a keystore and truststore on startup if you have not manually configured NiFi's nifi.properties file to use your personally generated keystore and truststore files. Even if they are generated, NiFi would still use your configured keystore and truststore files.

Please help our community thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt