How to extend the Self-Signed Certificate validity

Explorer


Hi All community/Support, 

I would like to ask how to extend this self-signed certificate's validity to 6 months. The default was 60 days. May I know which section of the code sets this 60-day validity during start-up?

 

2024-04-02 07:32:08,803 INFO [main] org.apache.nifi.bootstrap.Command Generating Self-Signed Certificate: Expires on 2024-06-01
2024-04-02 07:32:11,796 INFO [main] org.apache.nifi.bootstrap.Command Generated Self-Signed Certificate SHA-256: 4XXXXXXXXXXXXXXXXXXXXXXX

 


Appreciate if someone could help point out. 

2 ACCEPTED SOLUTIONS

Master Mentor

@EddyChan 

The out-of-box Apache NiFi self-signed certificate generation was added to make it easy for first-time users to experiment with a secure NiFi instance. Just like the Single user authentication and single user authorizer, these were not intended to be used for long-term or production use cases. There is no configuration option to extend the lifetime.

For long-term use or production setups, you should be generating your own signed certificates for use in your NiFi (preferably signed by a trusted authority rather than being self-signed).

You could use the NiFi TLS toolkit still available in the Apache NiFi 1.x releases to generate your own certificates for keystore and truststore.
You could generate your own following guidelines for NiFi certificates: Security Configuration
You could use a free online service to generate certificates.

Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt





Master Mentor

@EddyChan 

NiFi should only be generating a keystore and truststore on startup if you have not manually configured NiFi's nifi.properties file to use your personally generated keystore and truststore files. Even if they are generated, NiFi would still use your configured keystore and truststore files.

Please help our community thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt
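
As an added example (not from the thread or the NiFi project), these shell functions create a self-signed PKCS12 keystore and truststore with the JDK's keytool, print the matching nifi.properties entries, and list any keystore/truststore property that is absent or blank. The host name, file paths, aliases, the 180-day value standing in for "6 months", the set of properties checked, and the KEYSTORE_PASS/TRUSTSTORE_PASS environment variables are assumptions.

```shell
# Added example. Passwords come from the environment (assumed names
# KEYSTORE_PASS and TRUSTSTORE_PASS) so they stay out of the process list.

# Create a PKCS12 keystore with a self-signed key pair valid for <days>.
gen_keystore() {  # usage: gen_keystore <host> <keystore.p12> <days>
  keytool -genkeypair -alias nifi-key -keyalg RSA -keysize 4096 \
    -validity "$3" -dname "CN=$1" -ext "SAN=dns:$1" \
    -keystore "$2" -storetype PKCS12 -storepass:env KEYSTORE_PASS
}

# Export the certificate and import it into a separate PKCS12 truststore.
gen_truststore() {  # usage: gen_truststore <keystore.p12> <truststore.p12>
  local pem; pem="$(mktemp)"
  keytool -exportcert -alias nifi-key -rfc -file "$pem" \
    -keystore "$1" -storepass:env KEYSTORE_PASS &&
  keytool -importcert -alias nifi-cert -file "$pem" -noprompt \
    -keystore "$2" -storetype PKCS12 -storepass:env TRUSTSTORE_PASS
  local rc=$?; rm -f "$pem"; return "$rc"
}

# Print the nifi.properties entries that point NiFi at those files.
nifi_tls_props() {  # usage: nifi_tls_props <keystore.p12> <truststore.p12>
  cat <<EOF
nifi.security.keystore=$1
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=${KEYSTORE_PASS}
nifi.security.keyPasswd=${KEYSTORE_PASS}
nifi.security.truststore=$2
nifi.security.truststoreType=PKCS12
nifi.security.truststorePasswd=${TRUSTSTORE_PASS}
EOF
}

# List keystore/truststore properties that are absent or blank in a file.
missing_tls_props() {  # usage: missing_tls_props <nifi.properties>
  local key
  for key in keystore keystoreType keystorePasswd \
             truststore truststoreType truststorePasswd; do
    grep -Eq "^nifi\.security\.${key}=.+" "$1" || echo "nifi.security.${key}"
  done
}

# Typical use (180 days assumed for "6 months"):
#   gen_keystore nifi.example.internal conf/keystore.p12 180
#   gen_truststore conf/keystore.p12 conf/truststore.p12
#   nifi_tls_props ./conf/keystore.p12 ./conf/truststore.p12
#   missing_tls_props conf/nifi.properties
```

Empty output from `missing_tls_props` means every checked property has a value; the expiry of the generated certificate can be read back with `keytool -list -v`.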


4 REPLIES 4

Explorer

Hi Matt, thanks for the suggestion to use the TLS Toolkit, but is there any way to disable/prevent NiFi from running the self-signed certificate during startup?
