Is NiFi CA service required for signed Certs?

Master Guru

I have signed certs for my servers from a CA and want to enable SSL on NiFi. Is NiFi CA service required to enable SSL if I already have signed certs?

1 ACCEPTED SOLUTION

Master Mentor
@sunile.manjee


You do NOT want to have the NiFi CA service installed if you are using your own certificates issued by your own CA or some public or corporately managed CA. If the NiFi CA is installed, it will be used. Oftentimes this means it messes up your generated keystore and truststore files. Plus, if someone checks the force regenerate checkbox in Ambari, you would lose your keystore and truststore since new ones would be generated with only NiFi CA generated entries.


Thank you,

Matt


3 REPLIES

Master Guru

@Matt Clarke That is good to know. I have CA signed certs and the NiFi CA service is enabled on my cluster. I don't see a way to remove the NiFi CA service but do see an option to "invalidate CA Server". Should I take that approach?


Master Mentor
@sunile.manjee

You must "Stop" NiFi CA before the "Delete" option is available.
Once it has been deleted, I would confirm the contents of your keystore and truststore are still correct in case Ambari executed the tls-toolkit and overwrote them.
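
Added example, not part of the original thread: one way to run the keystore and truststore check described in the last reply, by reading `keytool -list -v` output and comparing each entry with the CA you expect. The function names, the sample listings and every DN in them are constructed for illustration.

```shell
# Added example. Reads `keytool -list -v` text on stdin and compares each entry
# with the CA name you expect (argument 1, a substring of the CA's DN):
#   PrivateKeyEntry  -> Issuer of the leaf certificate must match
#   trustedCertEntry -> Owner of the trusted certificate must match
# Prints alias|type|DN|verdict; returns 1 if a private key was issued by a
# different CA or if no entry matches at all.
check_listing() {
    awk -v want="$1" '
        function emit(   dn, ok) {
            if (alias == "") return
            dn = (type == "trustedCertEntry") ? owner : issuer
            ok = (index(dn, want) > 0)
            printf "%s|%s|%s|%s\n", alias, type, dn, (ok ? "OK" : "UNEXPECTED")
            if (ok) good++
            else if (type == "PrivateKeyEntry") bad++
        }
        /^Alias name: / { emit(); alias = substr($0, 13); type = owner = issuer = ""; next }
        /^Entry type: / { type = substr($0, 13); next }
        # Keep only the first Owner/Issuer per alias: the leaf certificate.
        /^Owner: /      { if (owner == "")  owner  = substr($0, 8); next }
        /^Issuer: /     { if (issuer == "") issuer = substr($0, 9); next }
        END { emit(); exit ((bad > 0 || good == 0) ? 1 : 0) }'
}

# Constructed sample: a keystore overwritten with entries from an internal
# toolkit-style CA (hypothetical DNs, trimmed to the fields the check reads).
sample_regenerated() {
    cat <<'EOF'
Keystore type: JKS

Alias name: nifi-key
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=nifi01.example.com, OU=NIFI
Issuer: CN=nifi-ca.example.com, OU=NIFI
Certificate[2]:
Owner: CN=nifi-ca.example.com, OU=NIFI
Issuer: CN=nifi-ca.example.com, OU=NIFI
EOF
}

# Constructed sample: the same alias still holding the corporate-CA certificate.
sample_intact() {
    cat <<'EOF'
Alias name: nifi-key
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=nifi01.example.com, OU=Data, O=Example Corp
Issuer: CN=Example Corp Issuing CA, O=Example Corp
EOF
}
```

Against real files, pipe the listing in, for example `keytool -list -v -keystore <keystore path> | check_listing "<your CA name>"`, and repeat for the truststore; keytool prompts for the store password.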