Generating Client Certificates
If you are using a CA, you can use the TLS Toolkit provided in the HDF management pack to generate the required client certificates so that you can log into NiFi after enabling SSL.
Navigate to the TLS Toolkit directory, which will be similar to:
cd /var/lib/ambari-agent/cache/common-services/NIFI/1.0.0/package/files/nifi-toolkit-$version
For example:
cd /var/lib/ambari-agent/cache/common-services/NIFI/1.0.0/package/files/nifi-toolkit-1.1.0.2.1.3.0-6
From the command line, run the following:
bin/tls-toolkit.sh client -c <CA host name> -D "<distinguished name>" -p <CA host port> -t <NiFi CA token> -T <keystore type>
Your command should look similar to:
bin/tls-toolkit.sh client -c nifi.cert.authority.example.com -D "CN=admin, OU=NIFI" -t nifi -p 10443 -T pkcs12
To get your keystore password, enter:
cat config.json
Verify that the installation directory contains the following two files:
keystore.pkcs12
nifi-cert.pem
To double-click your keystore file to launch your OS certificate management application, change keystore.pkcs12 to keystore.p12.
Import the nifi-cert.pem file as your trusted CA.
Import keystore.pkcs12 as the client certificate.
Re-running the TLS Toolkit generates a new set of keystore and configuration files. To avoid having your files overwritten, save the keystore and configuration files to an alternate location before re-running the TLS Toolkit.
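One way to save the toolkit output before a re-run, as an added example that is not part of the original documentation. The function name backup_tls_output and the backup location are assumptions; the copies are made owner-only because config.json holds the keystore password.

```shell
#!/bin/sh
# Added example: preserve TLS Toolkit client output before re-running the toolkit.
# File names come from the steps above; the function name and the backup
# location are assumptions made for this example.

# backup_tls_output SRC_DIR DEST_ROOT
# Copies the toolkit output into a new owner-only directory under DEST_ROOT
# and prints that directory's path. Returns non-zero if a file is missing
# or the backup directory already exists.
backup_tls_output() {
    src=$1
    dest_root=$2

    # All three files must be present; config.json holds the keystore password.
    for f in keystore.pkcs12 nifi-cert.pem config.json; do
        if [ ! -f "$src/$f" ]; then
            echo "missing: $src/$f" >&2
            return 1
        fi
    done

    # Create everything owner-only from the start instead of tightening later.
    old_umask=$(umask)
    umask 077

    dest="$dest_root/tls-toolkit-$(date +%Y%m%dT%H%M%S)"
    # The final mkdir has no -p, so an existing backup is never reused.
    if ! mkdir -p "$dest_root" || ! mkdir "$dest"; then
        umask "$old_umask"
        return 1
    fi

    for f in keystore.pkcs12 nifi-cert.pem config.json; do
        if ! cp "$src/$f" "$dest/$f" || ! chmod 600 "$dest/$f"; then
            umask "$old_umask"
            return 1
        fi
    done

    umask "$old_umask"
    echo "$dest"
}

# Usage: sh backup-tls.sh <toolkit directory> <backup root>
if [ "$#" -eq 2 ]; then
    backup_tls_output "$1" "$2"
fi
```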
For more information about the TLS Toolkit, see TLS Generation Toolkit in the Administration Guide.