Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Does NiFi CA generate self signed or signed cert?

avatar
Master Guru

Our browser requires interacting with only signed certificates. Does NiFi CA generate self signed or signed certs? I assume it is self signed and not integrated with a real certificate authoruity. But not sure. Feedback appreciated.

5 REPLIES 5

avatar
Master Guru

Thanks @Andrew Grande for confirming they are self signed.

avatar
Master Mentor

@sunile.manjee

-

Just to add some clarity. The NiFi CA is a self-signed certificate authority (Meaning the NiFi CA's certificate is a root level CA and has not had its certificate signed by a higher authority). The NiFi TLS toolkit can be used to create client/server certificates that are then signed by this authority for use by NiFi. The truststore.jks file used by NiFi typically contains all the "trustedCertEntries" needed to authenticate any client certificates used to authenticate against NiFi. So this would include the trustedCertEntry for the NiFi CA. The keystore.jks file used by NiFi could contain the PrivateKeyEntry (which is the certificate that has been signed by the NiFi CA).

-

Within a browser there are certificates and a number of default and possibly user added Authorities. In order for your browser to trust any certificate signed by the NiFi CA, the public certificate for your NiFi CA must be added to your browsers trusted authorities.

-

For example, you can see I have done that in Firefox here:

86473-screen-shot-2018-08-14-at-73909-am.png

You will see "Apache-NiFi CA" has been added.

Now this browser will trust any certificate that has been signed by that authority.

-

Thank you,

Matt

avatar

I have provided a feature implementation (NIFI-5476 | PR 2935) in the current Apache NiFi master branch which allows the TLS Toolkit running in standalone mode to use an externally-signed CA certificate to sign node certificates. With this capability, you can purchase/obtain a certificate signed by a known (browser-installed) CA, which will be trusted by browsers. You can then use this certificate to sign node certificates. I am currently working on enabling the same feature in client/server mode, but it is not yet present.

avatar

@MattWho  Can you please tell how to add NIFI CA in authorities?

Currently we have use p12 file everytime for new DN generated by toolkit.

Do we need to add nifi-cert.pem while creating authority?

 

 

avatar
Master Mentor

@LearnerAdmin 

 

It is not clear to me what you are asking when you say "add NIFI CA in authorities".

 

Instructions on using the NiFi TLS toolkit can be found here:

https://nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html#tls_toolkit

 

Using the Client/Server Tls Toolkit operational mode covered here:
https://nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html#client-server

Will give you the ability to create a running NiFi CA authority "server" which will sign your NiFi node certificates created using the "client" mode.

 

Thanks,

Matt