Standalone
Standalone mode is invoked by running ./bin/tls-toolkit.sh standalone -h, which prints the usage information along with descriptions of the options that can be specified.
You can use the following command line options with the tls-toolkit in standalone mode:
-a,--keyAlgorithm <arg>
    Algorithm to use for generated keys (default: RSA)
-B,--clientCertPassword <arg>
    Password for client certificate. Must either be one value or one for each client DN (auto-generate if not specified)
-c,--certificateAuthorityHostname <arg>
    Hostname of NiFi Certificate Authority (default: localhost)
-C,--clientCertDn <arg>
    Generate client certificate suitable for use in browser with specified DN (Can be specified multiple times)
-d,--days <arg>
    Number of days issued certificate should be valid for (default: 1095)
-f,--nifiPropertiesFile <arg>
    Base nifi.properties file to update (Embedded file identical to the one in a default NiFi install will be used if not specified)
-g,--differentKeyAndKeystorePasswords
    Use different generated password for the key and the keystore
-G,--globalPortSequence <arg>
    Use sequential ports that are calculated for all hosts according to the provided hostname expressions (Can be specified multiple times, MUST BE SAME FROM RUN TO RUN)
-h,--help
    Print help and exit
-k,--keySize <arg>
    Number of bits for generated keys (default: 2048)
-K,--keyPassword <arg>
    Key password to use. Must either be one value or one for each host (auto-generate if not specified)
-n,--hostnames <arg>
    Comma separated list of hostnames
--nifiDnPrefix <arg>
    String to prepend to hostname(s) when determining DN (default: CN=)
--nifiDnSuffix <arg>
    String to append to hostname(s) when determining DN (default: , OU=NIFI)
-o,--outputDirectory <arg>
    The directory to output keystores, truststore, config files (default: ../bin)
-O,--isOverwrite
    Overwrite existing host output
-P,--trustStorePassword <arg>
    Keystore password to use. Must either be one value or one for each host (auto-generate if not specified)
-s,--signingAlgorithm <arg>
    Algorithm to use for signing certificates (default: SHA256WITHRSA)
-S,--keyStorePassword <arg>
    Keystore password to use. Must either be one value or one for each host (auto-generate if not specified)
--subjectAlternativeNames <arg>
    Comma-separated list of domains to use as Subject Alternative Names in the certificate
-T,--keyStoreType <arg>
    The type of keystores to generate (default: jks)
Hostname Patterns:
Square brackets can be used in order to easily specify a range of hostnames. Example: [01-20]
Parentheses can be used in order to specify that more than one NiFi instance will run on the given host(s). Example: (5)
Examples:
Create 4 sets of keystore, truststore, nifi.properties for localhost along with a client certificate with the given DN:
bin/tls-toolkit.sh standalone -n 'localhost(4)' -C 'CN=username,OU=NIFI'
Create keystore, truststore, nifi.properties for 10 NiFi hostnames in each of 4 subdomains:
bin/tls-toolkit.sh standalone -n 'nifi[01-10].subdomain[1-4].domain'
Create 2 sets of keystore, truststore, nifi.properties for 10 NiFi hostnames in each of 4 subdomains along with a client certificate with the given DN:
bin/tls-toolkit.sh standalone -n 'nifi[01-10].subdomain[1-4].domain(2)' -C 'CN=username,OU=NIFI'
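To review which certificate subjects a -n expression will produce before any keys are issued, the following added example (not code from the NiFi toolkit or its documentation) expands the bracket and parenthesis patterns described above and applies the default --nifiDnPrefix and --nifiDnSuffix values. It assumes the zero-padding width is taken from the lower bound of a range and that ranges expand left to right; the function names expand and plan are hypothetical.

```python
import itertools
import re

RANGE = re.compile(r"\[(\d+)-(\d+)\]")   # e.g. [01-20]
COUNT = re.compile(r"\((\d+)\)$")        # e.g. (5) at the end of the expression


def expand(expression):
    """Return (hostnames, instances_per_host) for one hostname expression."""
    instances = 1
    match = COUNT.search(expression)
    if match:
        instances = int(match.group(1))
        expression = expression[:match.start()]
    # Splitting on a pattern with two groups yields: literal, low, high, literal, ...
    parts = RANGE.split(expression)
    choices = [[parts[0]]]
    for i in range(1, len(parts), 3):
        low, high, literal = parts[i], parts[i + 1], parts[i + 2]
        if int(low) > int(high):
            raise ValueError("empty range [%s-%s]" % (low, high))
        width = len(low)  # assumption: padding width follows the lower bound
        choices.append([str(n).zfill(width) for n in range(int(low), int(high) + 1)])
        choices.append([literal])
    hosts = ["".join(combo) for combo in itertools.product(*choices)]
    # Anything still containing pattern characters was malformed; refuse it
    # rather than plan a certificate for a hostname nobody intended.
    if any(ch in host for host in hosts for ch in "[]()"):
        raise ValueError("malformed hostname expression: %r" % expression)
    return hosts, instances


def plan(hostnames_arg, prefix="CN=", suffix=", OU=NIFI"):
    """Return [(subject_dn, instance_count)] for a comma separated -n value."""
    rows = []
    for expr in hostnames_arg.split(","):
        hosts, instances = expand(expr.strip())
        rows += [(prefix + host + suffix, instances) for host in hosts]
    return rows


if __name__ == "__main__":
    # Expression taken from the last example above.
    rows = plan("nifi[01-10].subdomain[1-4].domain(2)")
    for dn, instances in rows:
        print(instances, dn)
    print("total keystore sets:", sum(n for _, n in rows))
```
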