Apache NiFi Toolkit Guide
Also available as:
PDF

Standalone

Standalone mode is invoked by running ./bin/tls-toolkit.sh standalone or bin\tls-toolkit.sh standalone.

Usage

To show help:

./bin/tls-toolkit.sh standalone -h

The following are available options:

  • -a,--keyAlgorithm <arg> Algorithm to use for generated keys (default: RSA)

  • --additionalCACertificate <arg> Path to additional CA certificate (used to sign toolkit CA certificate) in PEM format if necessary

  • -B,--clientCertPassword <arg> Password for client certificate. Must either be one value or one for each client DN (auto-generate if not specified)

  • -c,--certificateAuthorityHostname <arg> Hostname of NiFi Certificate Authority (default: localhost)

  • -C,--clientCertDn <arg> Generate client certificate suitable for use in browser with specified DN (Can be specified multiple times)

  • -d,--days <arg> Number of days issued certificate should be valid for (default: 825)

  • -f,--nifiPropertiesFile <arg> Base nifi.properties file to update (Embedded file identical to the one in a default NiFi install will be used if not specified)

  • -g,--differentKeyAndKeystorePasswords Use different generated password for the key and the keystore

  • -G,--globalPortSequence <arg> Use sequential ports that are calculated for all hosts according to the provided hostname expressions (Can be specified multiple times, MUST BE SAME FROM RUN TO RUN)

  • -h,--help Print help and exit

  • -k,--keySize <arg> Number of bits for generated keys (default: 2048)

  • -K,--keyPassword <arg> Key password to use. Must either be one value or one for each host (auto-generate if not specified)

  • -n,--hostnames <arg> Comma separated list of hostnames

  • --nifiDnPrefix <arg> String to prepend to hostname(s) when determining DN (default: CN=)

  • --nifiDnSuffix <arg> String to append to hostname(s) when determining DN (default: , OU=NIFI)

  • -o,--outputDirectory <arg> The directory to output keystores, truststore, config files (default: ../bin)

  • -O,--isOverwrite Overwrite existing host output

  • -P,--trustStorePassword <arg> Keystore password to use. Must either be one value or one for each host (auto-generate if not specified)

  • -s,--signingAlgorithm <arg> Algorithm to use for signing certificates (default: SHA256WITHRSA)

  • -S,--keyStorePassword <arg> Keystore password to use. Must either be one value or one for each host (auto-generate if not specified)

  • --subjectAlternativeNames <arg> Comma-separated list of domains to use as Subject Alternative Names in the certificate

  • -T,--keyStoreType <arg> The type of keystores to generate (default: jks)

"Hostname" and "Subject Alternative Name" Patterns:

  • Square brackets can be used in order to easily specify a range of hostnames or subject alternative names. Example: [01-20]

  • Parentheses can be used in order to specify that more than one NiFi instance will run on the given host(s). Example: (5)

Examples:

Create 4 sets of keystore, truststore, nifi.properties for localhost along with a client certificate with the given DN:

bin/tls-toolkit.sh standalone -n 'localhost(4)' -C 'CN=username,OU=NIFI'

Create keystore, truststore, nifi.properties for 10 NiFi hostnames in each of 4 subdomains:

bin/tls-toolkit.sh standalone -n 'nifi[01-10].subdomain[1-4].domain'

Create 2 sets of keystore, truststore, nifi.properties for 10 NiFi hostnames in each of 4 subdomains along with a client certificate with the given DN:

bin/tls-toolkit.sh standalone -n 'nifi[01-10].subdomain[1-4].domain(2)' -C 'CN=username,OU=NIFI'

The same command with a range of subject alternate names:

bin/tls-toolkit.sh standalone -n 'nifi[01-10].subdomain[1-4].domain(2)' -C 'CN=username,OU=NIFI' --subjectAlternativeNames 'nifi[21-30].other[2-5].example.com(2)'