
Can't add SAN (SubjectAlternativeName) to a Java KeyStore. CSR contains SAN, but when importing to JKS it loses its SAN extension.


I've heard this is a "bug" with openssl/keytool. I'm following MattWho's article found here: How to create user generated keys for securing NiFi.

I'm getting the following error on my NiFi WebUI: 

 

Hostname nifi.taco.net not verified:
certificate: sha256/5REuJXk5ayT2nW5J89AfpW/G3OzXY9lF4n2vE3OxHlE=
DN: CN=nifi.taco.net, OU=project taco, O=taco, L=taco, ST=texas, C=US
subjectAltNames: []

I'm guessing this is either because of the SAN info being removed when I use x509, or perhaps a misconfiguration in the Cloudera Flow Management NiFi Node config??


Re: Securing NiFi - Cannot see UI


[The following question was moved here because it was posted 12-02-2019 04:48 PM to a thread marked 'Solved' 11-18-2019 05:49 AM —moderator]

 

How did you add a SAN extension and have it not get removed when adding the key to your JKS file? I never figured this out. Even when using NiFi Toolkit CA, the certs that are generated don't contain SAN. Soooo... still confused on this!
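The following is an added example, not part of the original thread or of the article it links to. It reproduces the symptom from the first post ("subjectAltNames: []") with a throwaway CA: `openssl x509 -req` does not copy extensions from the CSR, so the SAN has to be supplied again at signing time with `-extfile`. The hostname, file names and CA are constructed for the demo.

```shell
#!/bin/sh
# Added example. Hostname, file names and the throwaway CA are constructed.

# Print the SAN value of a PEM certificate; prints nothing if it has no SAN.
san_of() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}

demo_san() {
    host=nifi.example.test            # placeholder hostname
    d=$(mktemp -d) || return 1

    # Minimal config so the demo does not depend on a system openssl.cnf.
    printf '%s\n' '[req]' 'distinguished_name=dn' 'req_extensions=v3' \
        '[dn]' 'CN=Common Name' '[v3]' "subjectAltName=DNS:$host" > "$d/req.cnf"

    # Throwaway self-signed CA.
    openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Demo CA' -keyout "$d/ca.key" -out "$d/ca.pem" \
        2>/dev/null || return 1

    # Node key and a CSR that carries the SAN (via req_extensions above).
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$host" -keyout "$d/node.key" -out "$d/node.csr" \
        2>/dev/null || return 1

    # Signing 1: no -extfile, so the CSR's extensions are not carried over.
    openssl x509 -req -in "$d/node.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -set_serial 1 -days 1 -out "$d/lost.pem" 2>/dev/null || return 1

    # Signing 2: state the SAN again in an extension file.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$d/san.ext"
    openssl x509 -req -in "$d/node.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -set_serial 2 -days 1 -extfile "$d/san.ext" -out "$d/kept.pem" \
        2>/dev/null || return 1

    # Compare what each signed certificate actually contains.
    echo "lost=[$(san_of "$d/lost.pem")] kept=[$(san_of "$d/kept.pem")]"
    rm -rf "$d"
}

demo_san
```

Importing a signed certificate into a JKS with keytool stores the certificate unchanged, so checking the signed PEM with `san_of` before the import shows whether the SAN was already missing at the signing step.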
