Created 04-02-2024 01:58 AM
Hi All community/Support,
I would like to ask how to extend this self-signed certificate's validity to 6 months. By default it was 60 days. May I know which section of the code sets this 60-day validity during start-up?
2024-04-02 07:32:08,803 INFO [main] org.apache.nifi.bootstrap.Command Generating Self-Signed Certificate: Expires on 2024-06-01
2024-04-02 07:32:11,796 INFO [main] org.apache.nifi.bootstrap.Command Generated Self-Signed Certificate SHA-256: 4XXXXXXXXXXXXXXXXXXXXXXX
Appreciate if someone could help point out.
Created 04-02-2024 06:16 AM
@EddyChan
The out-of-box Apache NiFi self-signed certificate generation was added to make it easy for first-time users to experiment with a secure NiFi instance. Just like the Single user authentication and single user authorizer, these were not intended to be used for long-term or production use cases. There is no configuration option to extend the lifetime.
For long-term use or production setups, you should be generating your own signed certificates for use in your NiFi (preferably signed by a trusted authority rather than being self-signed).
You could use the NiFi TLS toolkit still available in the Apache NiFi 1.x releases to generate your own certificates for keystore and truststore.
You could generate your own following guidelines for NiFi certificates:
Security Configuration
You could use a free online service to generate certificates.
Thank you,
Matt
Created 04-08-2024 07:17 PM
Hi Matt, thanks for the suggestion to use the TLS Toolkit, but is there any way to disable/prevent NiFi from running the self-signed certificate during startup?
Created 04-15-2024 05:31 AM
@EddyChan
NiFi should only be generating a keystore and truststore on startup if you have not manually configured NiFi's nifi.properties file to use your personally generated keystore and truststore files. Even if they are generated, NiFi would still use your configured keystore and truststore files.
Thank you,
Matt
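A pre-start check for the condition described in the reply above, as an added example that is not from the thread or from the NiFi project: it reads nifi.properties and flags keystore/truststore settings that are blank or point to missing files. The nifi.security.* names are NiFi's property keys; the sample content and the helpers parse_properties and check_tls_config are constructed for illustration, and the exact conditions under which NiFi generates its own certificate are not modelled.

```python
import os

# Keystore/truststore settings in nifi.properties.
STORE_KEYS = ("nifi.security.keystore", "nifi.security.truststore")
PASSWORD_KEYS = ("nifi.security.keystorePasswd", "nifi.security.truststorePasswd")


def parse_properties(text):
    """Parse Java-style key=value lines, skipping blank lines and # / ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_tls_config(props, exists=os.path.isfile):
    """Return findings; an empty list means both stores look operator-configured.

    Relative paths are resolved against the current directory, so run this from
    the NiFi home directory. Password values are never included in the output.
    """
    findings = []
    for key in STORE_KEYS:
        path = props.get(key, "")
        if not path:
            findings.append(f"{key} is blank")
        elif not exists(path):
            findings.append(f"{key} points to missing file {path}")
    for key in PASSWORD_KEYS:
        if not props.get(key, ""):
            findings.append(f"{key} is blank")
    return findings


# Constructed sample, not taken from a real installation.
SAMPLE = """\
# security properties
nifi.security.keystore=./conf/my-keystore.p12
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=
nifi.security.truststore=
nifi.security.truststoreType=PKCS12
nifi.security.truststorePasswd=changeit-example
"""

if __name__ == "__main__":
    for finding in check_tls_config(parse_properties(SAMPLE)):
        print("WARN", finding)
```
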