Client
The client can be used to request new Certificates from the CA. The client utility generates a keypair and Certificate Signing Request (CSR) and sends the CSR to the Certificate Authority. The client is invoked by running ./bin/tls-toolkit.sh client -h which prints the usage information along with descriptions of options that can be specified.
The most common options to specify are:
-f,--configJson  The JSON config file
-c,--certificateAuthorityHostname  The hostname of the CA
-D,--DN  The DN for the CSR (and Certificate)
-t,--token  The token used to prevent man-in-the-middle attacks (this should be a long, random value and needs to be the same one used to start the CA server)
-T,--keyStoreType  The type of keystore to create (leave default for NiFi nodes, specify PKCS12 to create client cert)
After running the client you will have the CA's certificate, a keystore, a truststore, and a config.json with information about them as well as their passwords.
For a client certificate that can be easily imported into the browser, specify: -T PKCS12
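The script below is an added example, not part of the toolkit or its documentation: it generates a long random token, requests a PKCS12 client certificate using the options listed above, and restricts permissions on the outputs because config.json holds the keystore passwords. The CA hostname, DN, token file and output directory are placeholders, and it assumes the client writes its files to the current directory.

```bash
#!/bin/sh
# Added example (not from the toolkit). Hostname, DN and paths are placeholders.
set -eu

TOOLKIT="${TOOLKIT:-./bin/tls-toolkit.sh}"   # script path as given on this page

# 256 random bits, hex encoded (64 chars). Generate once; the CA server must be
# started with the same value.
new_token() {
    head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# Refuse short tokens. The 32-character floor is this example's own choice.
check_token() {
    [ "${#1}" -ge 32 ]
}

# request_client_cert CA_HOST DN TOKEN_FILE OUT_DIR
request_client_cert() {
    ca_host=$1 dn=$2 token_file=$3 out_dir=$4
    token=$(cat "$token_file")
    check_token "$token" || { echo "token too short" >&2; return 1; }

    # Resolve the toolkit path before changing directory.
    case $TOOLKIT in /*) toolkit=$TOOLKIT ;; *) toolkit=$PWD/$TOOLKIT ;; esac

    mkdir -p "$out_dir"
    chmod 700 "$out_dir"
    (
        umask 077            # new files are readable by the owner only
        cd "$out_dir"        # assumption: outputs land in the current directory
        "$toolkit" client -c "$ca_host" -D "$dn" -t "$token" \
            -T PKCS12 -f config.json
    )
    # config.json stores the keystore and truststore passwords: owner-only access.
    chmod 600 "$out_dir"/*
}

# Runs only when given all four arguments, e.g.:
#   sh request-cert.sh ca.example.internal "CN=alice,OU=NIFI" ./ca.token ./alice
if [ "$#" -eq 4 ]; then
    request_client_cert "$@"
fi
```

The token is passed with -t on the command line, so it is visible in the process list to other local users while the client runs.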