Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

Is NiFi CA service required for signed Certs?

Labels:
avatar
author-rank sunile_manjee author-rank
Master Guru

Created ‎08-15-2018 04:27 AM

I have signed certs for my servers from a CA and want to enable SSL on NiFi. Is NiFi CA service required to enable SSL if I already have signed certs?

1,792 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank MattWho author-rank
Super Mentor

Created ‎08-15-2018 02:08 PM

@sunile.manjee

-

You do NOT want to have the NiFi CA service installed if you are using your own certificates issued by your own CA or some public or corporately managed CA. If the NiFi CA is installed, it will be used. Often times this means it messes up your generated keystore and truststore files. Plus, if someone checks the force regenerate check box in Ambari, you would lose your keystore and truststore since new ones would be generated with only NiFi CA generated entries.

-

Thank you,

Matt

View solution in original post

1,663 Views
3 REPLIES 3

avatar
author-rank MattWho author-rank
Super Mentor

Created ‎08-15-2018 02:08 PM

@sunile.manjee

-

You do NOT want to have the NiFi CA service installed if you are using your own certificates issued by your own CA or some public or corporately managed CA. If the NiFi CA is installed, it will be used. Often times this means it messes up your generated keystore and truststore files. Plus, if someone checks the force regenerate check box in Ambari, you would lose your keystore and truststore since new ones would be generated with only NiFi CA generated entries.

-

Thank you,

Matt

1,664 Views

avatar
author-rank sunile_manjee author-rank
Master Guru

Created on ‎08-15-2018 02:31 PM - edited ‎08-17-2019 07:24 PM

@Matt Clarke That is good to know. I have CA signed certs and the NiFi CA service is enabled on my cluster. I don't see way to remove NiFi CA service but do see option to "invalidate CA Server". Should I take that approach?

86515-2018-08-15-09-29-30.jpg

1,663 Views
0 Kudos

avatar
author-rank MattWho author-rank
Super Mentor

Created ‎08-15-2018 03:06 PM

@sunile.manjee

You must "Stop" NiFI CA before the "Delete" option is available.
Once it has been deleted, I would confirm contents of your keystore and truststore are still correct in case Ambari executed the tls-toolkit and overwrote them.

1,663 Views
webinar banner
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements
meetups banner