You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@nifi.apache.org by "Andy LoPresto (JIRA)" <ji...@apache.org> on 2019/02/11 03:43:00 UTC

[jira] [Commented] (NIFI-6012) NiFi toolkit, tls-toolkit.sh server, doesnt support 3rd party Certificate of Authoprity

    [ https://issues.apache.org/jira/browse/NIFI-6012?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16764649#comment-16764649 ] 

Andy LoPresto commented on NIFI-6012:
-------------------------------------

I believe this issue is a duplicate of NIFI-5460. If not, please indicate what differences you find or additional behavior you expect from a solution to that issue. 

> NiFi toolkit, tls-toolkit.sh server, doesnt support 3rd party Certificate of Authoprity
> ---------------------------------------------------------------------------------------
>
>                 Key: NIFI-6012
>                 URL: https://issues.apache.org/jira/browse/NIFI-6012
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Tools and Build
>            Reporter: Erik Anderson
>            Priority: Major
>
> Original details are here.
> [link certificate chain of trust |https://mail-archives.apache.org/mod_mbox/nifi-dev/201902.mbox/%3Cb7825d4c-8cdb-4b2e-b625-7942ce067292%40www.fastmail.com%3E]
> When running the NiFi toolkit ../bin/tls-toolkit.sh server, how do I get the server to include an additional public certificate of authority in the truststore.jks file?
> I was looking through the nifi-toolkit-tls code,
> For the start sequences of the
> ../bin/tls-toolkit.sh server
> I would like to recommend an additional option in the client (or server mode)
> --additionalTrust=[keystore alias],[keystore alias],[keystore alias]
> What this would do is when a client calls the tls-toolkit.sh server, the server would extract these alias stored in the nifi-ca-keystore.jks, and add to the returned truststore.jks file.
> Example:
> --additionalTrust: nifi-cli, digicert, myca
> There seems to be a feature in
> ../bin/tls-toolkit.sh standalone
> --additionalCACertificate
> Which might be a similar feature.
> This would allow an enterprise that installs MITM proxies, to include additional certificates into the trust chain.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)