I've heard this is a "bug" with openssl/keytool. I'm following MattWho's article found here: How to create user generated keys for securing NiFi.
I'm getting the following error on my NiFi WebUI:
Hostname nifi.taco.net not verified:
DN: CN=nifi.taco.net, OU=project taco, O=taco, L=taco, ST=texas, C=US subjectAltNames: 
I'm guessing this is either because of the SAN info being removed when I use x509, or perhaps a misconfiguration in the Cloudera Flow Management NiFi Node config??
[The following question was moved here because it was posted 12-02-2019 04:48 PM to a thread marked 'Solved' 11-18-2019 05:49 AM —moderator]
How did you add a SAN extension and have it not get removed when adding the key to your JKS file? I never figured this out. Even When using Nifi Toolkit CA, the certs that are generated don't contain SAN. Soooo... still confused on this!