Generating Client Certificates
If you are using a CA, you can use the TLS Toolkit provided in the HDF management pack to generate the required client certificates so that you can log into NiFi after enabling SSL.
- Navigate to the TLS Toolkit directory, which will be similar to:
cd /var/lib/ambari-agent/cache/common-services/NIFI/1.0.0/package/files/nifi-toolkit-$version
For example:
cd /var/lib/ambari-agent/cache/common-services/NIFI/1.0.0/package/files/nifi-toolkit-1.1.0.2.1.3.0-6
- From the command line, run the following:
bin/tls-toolkit.sh client -c <CA host name> -D "<distinguished name>" -p <CA host port> -t <NiFi CA token> -T <keystore type>
Your command should look similar to:
bin/tls-toolkit.sh client -c nifi.cert.authority.example.com -D "CN=admin, OU=NIFI" -t nifi -p 10443 -T pkcs12
- To get your keystore password, enter:
cat config.json
- Verify that the installation directory contains the following two files:
  - keystore.pkcs12
  - nifi-cert.pem
- To be able to double-click your keystore file and launch your OS certificate management application, rename keystore.pkcs12 to keystore.p12.
- Import the nifi-cert.pem file as your trusted CA.
- Import keystore.pkcs12 as the client certificate.
Re-running the TLS Toolkit generates a new set of keystore and configuration files. To avoid having your files overwritten, save the keystore and configuration files to an alternate location before re-running the TLS Toolkit.
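The file check and the save-before-re-running advice above can be scripted. The following is an added example, not part of the HDF documentation or the TLS Toolkit; the function names and the backup directory are hypothetical, and it assumes config.json stores the password under the key keyStorePassword.

```shell
#!/bin/sh
# Added example: check and preserve TLS Toolkit client output before a re-run.
# Assumption: config.json holds the password under the key "keyStorePassword".

# Print the keystore password from config.json $1 (no jq required).
keystore_password() {
    sed -n 's/.*"keyStorePassword"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" |
        head -n 1
}

# Succeed only if directory $1 holds non-empty copies of the expected files.
check_toolkit_output() {
    for f in keystore.pkcs12 nifi-cert.pem config.json; do
        if [ ! -s "$1/$f" ]; then
            echo "missing or empty: $1/$f" >&2
            return 1
        fi
    done
}

# Copy the toolkit output from $1 into a new owner-only directory $2 and add
# a keystore.p12 copy for OS certificate managers. Never overwrites a backup.
preserve_toolkit_output() {
    src=$1
    dest=$2
    check_toolkit_output "$src" || return 1
    if [ -e "$dest" ]; then
        echo "refusing to overwrite existing $dest" >&2
        return 1
    fi
    (
        umask 077   # directory becomes 0700, copied files at most 0600
        mkdir -p "$dest" &&
        cp "$src/keystore.pkcs12" "$src/nifi-cert.pem" "$src/config.json" "$dest/" &&
        cp "$src/keystore.pkcs12" "$dest/keystore.p12"
    ) || return 1
    # The keystore and config.json contain the private key and its password.
    chmod 600 "$dest"/keystore.* "$dest/config.json"
}

# Usage: sh preserve.sh <toolkit directory> <new backup directory>
if [ "$#" -eq 2 ]; then
    preserve_toolkit_output "$1" "$2"
fi
```

Run it from the toolkit directory after each client run, giving a backup directory name that does not exist yet.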