You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@nifi.apache.org by "Andy LoPresto (JIRA)" <ji...@apache.org> on 2019/02/11 03:45:00 UTC

[jira] [Updated] (NIFI-6012) NiFi toolkit, tls-toolkit.sh server, doesnt support 3rd party Certificate of Authoprity

     [ https://issues.apache.org/jira/browse/NIFI-6012?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andy LoPresto updated NIFI-6012:
--------------------------------
    Labels: certificate security tls tls-toolkit  (was: )

> NiFi toolkit, tls-toolkit.sh server, doesnt support 3rd party Certificate of Authoprity
> ---------------------------------------------------------------------------------------
>
>                 Key: NIFI-6012
>                 URL: https://issues.apache.org/jira/browse/NIFI-6012
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Tools and Build
>            Reporter: Erik Anderson
>            Assignee: Andy LoPresto
>            Priority: Major
>              Labels: certificate, security, tls, tls-toolkit
>
> Original details are here.
> [link certificate chain of trust |https://mail-archives.apache.org/mod_mbox/nifi-dev/201902.mbox/%3Cb7825d4c-8cdb-4b2e-b625-7942ce067292%40www.fastmail.com%3E]
> When running the NiFi toolkit ../bin/tls-toolkit.sh server, how do I get the server to include an additional public certificate of authority in the truststore.jks file?
> I was looking through the nifi-toolkit-tls code,
> For the start sequences of the
> ../bin/tls-toolkit.sh server
> I would like to recommend an additional option in the client (or server mode)
> --additionalTrust=[keystore alias],[keystore alias],[keystore alias]
> What this would do is when a client calls the tls-toolkit.sh server, the server would extract these alias stored in the nifi-ca-keystore.jks, and add to the returned truststore.jks file.
> Example:
> --additionalTrust: nifi-cli, digicert, myca
> There seems to be a feature in
> ../bin/tls-toolkit.sh standalone
> --additionalCACertificate
> Which might be a similar feature.
> This would allow an enterprise that installs MITM proxies, to include additional certificates into the trust chain.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)