TLS Generation Toolkit
In order to facilitate the secure setup of NiFi, you can use the tls-toolkit command line utility to automatically generate the required keystores, truststore, and relevant configuration files. This is especially useful for securing multiple NiFi nodes, which can be a tedious and error-prone process.
JKS keystores and truststores are recommended for NiFi. This tool allows the specification of other keystore types on the command line but will ignore a type of PKCS12 for use as the truststore because that format has some compatibility issues between BouncyCastle and Oracle implementations.
The tls-toolkit command line tool has two primary modes of operation:
Standalone - generates the certificate authority, keystores, truststores, and nifi.properties files in one command.
Client/Server mode - uses a Certificate Authority Server that accepts Certificate Signing Requests from clients, signs them, and sends the resulting certificates back. Client and server each validate the other's identity through a shared secret, so a client without the secret cannot obtain a signed certificate and a client will not accept a certificate from a server that does not hold the secret.
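The shared-secret check in Client/Server mode, as an added illustration that is not the toolkit's own code: the client authenticates its CSR to the CA server with an HMAC keyed by the shared token, and the server authenticates the returned certificate the same way, so a wrong token or a tampered request is refused on either side. The CSR bytes are constructed stand-ins and `ca_sign` is a hypothetical placeholder for the real signing step; the wire format and the exact fields the toolkit uses are assumptions, not taken from the page.

```python
import hashlib
import hmac
from typing import Optional

# Constructed stand-in for a DER-encoded CSR (real exchanges carry ASN.1 bytes).
CONSTRUCTED_CSR = b"CSR:CN=nifi1.example.com,OU=NiFi"


def mac(token: str, payload: bytes) -> str:
    """HMAC-SHA256 of the payload keyed with the shared token, as a hex digest."""
    return hmac.new(token.encode(), payload, hashlib.sha256).hexdigest()


def client_build_request(token: str, csr: bytes) -> dict:
    """Client side: send the CSR together with proof of knowing the token."""
    return {"csr": csr, "hmac": mac(token, csr)}


def ca_sign(csr: bytes) -> bytes:
    """Hypothetical placeholder for CA signing; real code would issue an X.509 cert."""
    return b"CERT-SIGNED-BY-CA:" + csr


def ca_server_handle(token: str, request: dict) -> Optional[dict]:
    """Server side: sign only if the HMAC proves the request came from a token holder."""
    if not hmac.compare_digest(mac(token, request["csr"]), request["hmac"]):
        return None  # wrong token or CSR altered in transit: refuse to sign
    cert = ca_sign(request["csr"])
    # Authenticate the response so the client can tell a genuine CA from an impostor.
    return {"certificate": cert, "hmac": mac(token, cert)}


def client_accept_response(token: str, response: Optional[dict]) -> Optional[bytes]:
    """Client side: accept the certificate only if the server proved it holds the token."""
    if response is None:
        return None
    if not hmac.compare_digest(mac(token, response["certificate"]), response["hmac"]):
        return None  # server did not know the shared secret: discard the certificate
    return response["certificate"]


def run_exchange(client_token: str, server_token: str,
                 csr: bytes = CONSTRUCTED_CSR, tamper: bool = False) -> Optional[bytes]:
    """Drive one CSR round trip; tamper=True alters the CSR after the client signed it."""
    request = client_build_request(client_token, csr)
    if tamper:
        request["csr"] = b"CSR:CN=other.example.com"
    return client_accept_response(client_token, ca_server_handle(server_token, request))
```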