Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Is NiFi CA service required for signed Certs?

Labels:
avatar
author-rank sunile_manjee author-rank
Master Guru

Created ‎08-15-2018 04:27 AM

I have signed certs for my servers from a CA and want to enable SSL on NiFi. Is NiFi CA service required to enable SSL if I already have signed certs?

2,170 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎08-15-2018 02:08 PM

@sunile.manjee

-

You do NOT want to have the NiFi CA service installed if you are using your own certificates issued by your own CA or some public or corporately managed CA. If the NiFi CA is installed, it will be used. Often times this means it messes up your generated keystore and truststore files. Plus, if someone checks the force regenerate check box in Ambari, you would lose your keystore and truststore since new ones would be generated with only NiFi CA generated entries.

-

Thank you,

Matt

View solution in original post

2,041 Views
3 REPLIES 3

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎08-15-2018 02:08 PM

@sunile.manjee

-

You do NOT want to have the NiFi CA service installed if you are using your own certificates issued by your own CA or some public or corporately managed CA. If the NiFi CA is installed, it will be used. Often times this means it messes up your generated keystore and truststore files. Plus, if someone checks the force regenerate check box in Ambari, you would lose your keystore and truststore since new ones would be generated with only NiFi CA generated entries.

-

Thank you,

Matt

2,042 Views

avatar
author-rank sunile_manjee author-rank
Master Guru

Created on ‎08-15-2018 02:31 PM - edited ‎08-17-2019 07:24 PM

@Matt Clarke That is good to know. I have CA signed certs and the NiFi CA service is enabled on my cluster. I don't see way to remove NiFi CA service but do see option to "invalidate CA Server". Should I take that approach?

86515-2018-08-15-09-29-30.jpg

2,041 Views
0 Kudos

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎08-15-2018 03:06 PM

@sunile.manjee

You must "Stop" NiFI CA before the "Delete" option is available.
Once it has been deleted, I would confirm contents of your keystore and truststore are still correct in case Ambari executed the tls-toolkit and overwrote them.

2,041 Views
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics 1.14 for Cloudera Pu...
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
View More Announcements