Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

How to extend the Self-Signed Certificate validity

Labels:
avatar
author-rank EddyChan
Explorer

Created ‎04-02-2024 01:58 AM


Hi All community/Support, 

I would like to ask how to extend this self-signed certificate validity to 6 months. As per default was 60 days. May i know which section of the code that setting this 60 days validity during start-up? 

 

2024-04-02 07:32:08,803 INFO [main] org.apache.nifi.bootstrap.Command Generating Self-Signed Certificate: Expires on 2024-06-01
2024-04-02 07:32:11,796 INFO [main] org.apache.nifi.bootstrap.Command Generated Self-Signed Certificate SHA-256: 4XXXXXXXXXXXXXXXXXXXXXXX

 

EddyChan_0-1712047841509.png

Appreciate if someone could help point out. 

470 Views
2 ACCEPTED SOLUTIONS

avatar
author-rank MattWho author-rank
Super Mentor

Created ‎04-02-2024 06:16 AM

@EddyChan 

The out-of-box Apache NiFi self-signed certificate generation was added to make it easy for first time users to experiment with a secure NiFi instance.  Just like the Single user authentication and and single user authorizer, these were not intended to be used for long term or production use cases.  There is no configuration option to extend the lifetime.

For long term use or production setups, you should be generating your own signed certificates for use in your NiFi (preferable signed by a trusted authority rather then being self-signed).   

You could use the NiFi TLS toolkit still available in the Apache NiFi 1.x releases to generate your own certificates for keystore  and truststore.
You could generate your own following guidelines for NiFi certificates:
Security Configuration
You could use a free online service to generate certificates.

Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt




View solution in original post

447 Views
0 Kudos

avatar
author-rank MattWho author-rank
Super Mentor

Created ‎04-15-2024 05:31 AM

@EddyChan 

NiFi should only be generating a keystore and truststore on startup if you have not manually configured NiFi's nifi.properties file to use your personally generated keystore and truststore files. Even if they are generated, NiFi would still use your configured keystore and truststore files.

Please help our community thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

View solution in original post

321 Views
0 Kudos
4 REPLIES 4

avatar
author-rank MattWho author-rank
Super Mentor

Created ‎04-02-2024 06:16 AM

@EddyChan 

The out-of-box Apache NiFi self-signed certificate generation was added to make it easy for first time users to experiment with a secure NiFi instance.  Just like the Single user authentication and and single user authorizer, these were not intended to be used for long term or production use cases.  There is no configuration option to extend the lifetime.

For long term use or production setups, you should be generating your own signed certificates for use in your NiFi (preferable signed by a trusted authority rather then being self-signed).   

You could use the NiFi TLS toolkit still available in the Apache NiFi 1.x releases to generate your own certificates for keystore  and truststore.
You could generate your own following guidelines for NiFi certificates:
Security Configuration
You could use a free online service to generate certificates.

Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt




448 Views
0 Kudos

avatar
author-rank EddyChan
Explorer

Created ‎04-08-2024 07:17 PM

Hi Matt, thanks for the suggestion to use TLS Toolkit, but is there any way to disable/prevent the nifi run the self-signed certificate during startup? 

391 Views

avatar
author-rank EddyChan
Explorer

Created ‎04-08-2024 07:16 PM

Hi Matt, thanks for the suggestion to use TLS Toolkit, but is there any way to disable/prevent the nifi run the self-signed certificate during startup? 

391 Views

avatar
author-rank MattWho author-rank
Super Mentor

Created ‎04-15-2024 05:31 AM

@EddyChan 

NiFi should only be generating a keystore and truststore on startup if you have not manually configured NiFi's nifi.properties file to use your personally generated keystore and truststore files. Even if they are generated, NiFi would still use your configured keystore and truststore files.

Please help our community thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

322 Views
0 Kudos
webinar banner
Announcements
Product Announcements
[ANNOUNCE] Cloudera Data Services 1.5.4 on Private Cloud Rel...
What's New @ Cloudera
Run your Apache NiFi and Apache Kafka workloads on Kubernete...
What's New @ Cloudera
Cloudera DataFlow now powers GenAI pipelines and supports ch...
Community Announcements
May 2024 Community Highlights
What's New @ Cloudera
Cloudera Operational Database (COD) supports instance group ...
View More Announcements
meetups banner