Client
The client can be used to request new Certificates from the CA. The client utility
generates a keypair and Certificate Signing Request (CSR) and sends the CSR to the
Certificate Authority. Running ./bin/tls-toolkit.sh client -h prints the usage
information, along with descriptions of the options that can be specified.
You can use the following command line options with the
tls-toolkit in client mode:
* -a,--keyAlgorithm <arg>  Algorithm to use for generated keys (default: RSA)
* -c,--certificateAuthorityHostname <arg>  Hostname of NiFi Certificate Authority (default: localhost)
* -C,--certificateDirectory <arg>  The directory to write the CA certificate (default: .)
* --configJsonIn <arg>  The place to read configuration info from, implies useConfigJson if set (default: configJson value)
* -D,--dn <arg>  The DN to use for the client certificate (default: CN=<localhost name>,OU=NIFI) (this is auto-populated by the tool)
* -f,--configJson <arg>  The place to write configuration info (default: config.json)
* -F,--useConfigJson  Flag specifying that all configuration is read from configJson to facilitate automated use (otherwise configJson will only be written to)
* -g,--differentKeyAndKeystorePasswords  Use different generated password for the key and the keystore
* -h,--help  Print help and exit
* -k,--keySize <arg>  Number of bits for generated keys (default: 2048)
* -p,--PORT <arg>  The port to use to communicate with the Certificate Authority (default: 8443)
* --subjectAlternativeNames <arg>  Comma-separated list of domains to use as Subject Alternative Names in the certificate
* -T,--keyStoreType <arg>  The type of keystores to generate (default: jks)
* -t,--token <arg>  The token to use to prevent MITM (required and must be same as one used by CA)
After running the client you will have the CA's certificate, a keystore, a
truststore, and a config.json with information about them as well
as their passwords.
For a client certificate that can be easily imported into the browser, specify:
-T PKCS12
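One way to run the client so that the keystore, truststore and config.json (which holds their passwords) end up readable by the owner only. This is an added example, not part of the toolkit or its documentation; the function names, the TOOLKIT variable and the token file are assumptions, as is the toolkit writing its outputs relative to the working directory.

```shell
#!/bin/sh
# Added example: hypothetical wrapper around the toolkit's client mode.
# TOOLKIT, request_client_cert, lock_down and loose_files are names chosen here.
TOOLKIT="${TOOLKIT:-./bin/tls-toolkit.sh}"

# Print files under $1 that group or others can access ("-perm /mode" = any bit set).
loose_files() {
    find "$1" -type f -perm /077
}

# Restrict the output directory and every file in it to the owner, then verify.
lock_down() {
    dir=$1
    [ -f "$dir/config.json" ] || { echo "no config.json in $dir" >&2; return 1; }
    chmod 700 "$dir" || return 1
    find "$dir" -type f -exec chmod 600 {} + || return 1
    [ -z "$(loose_files "$dir")" ]
}

# Usage: request_client_cert OUTDIR CA_HOST CA_PORT TOKEN_FILE
request_client_cert() {
    outdir=$1 ca_host=$2 ca_port=$3 token_file=$4
    token=$(cat "$token_file") || return 1
    toolkit=$(cd "$(dirname "$TOOLKIT")" && pwd)/$(basename "$TOOLKIT")
    mkdir -p "$outdir" || return 1
    (
        umask 077                 # outputs are created owner-only from the start
        cd "$outdir" || exit 1    # assumption: outputs land in the working directory
        # -t puts the token on the command line, so it is visible in the
        # process list for as long as the client runs.
        "$toolkit" client -c "$ca_host" -p "$ca_port" -t "$token" \
            -T PKCS12 -C . -f config.json
    ) || return 1
    lock_down "$outdir"
}
```

The token must match the one the CA was started with, so store the token file with the same owner-only permissions.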

