Usage
To show help:
./bin/tls-toolkit.sh standalone -h
The following options are available:

-a, --keyAlgorithm <arg>
    Algorithm to use for generated keys (default: RSA)
--additionalCACertificate <arg>
    Path to additional CA certificate (used to sign toolkit CA certificate) in PEM format if necessary
-B, --clientCertPassword <arg>
    Password for client certificate. Must either be one value or one for each client DN (auto-generate if not specified)
-c, --certificateAuthorityHostname <arg>
    Hostname of NiFi Certificate Authority (default: localhost)
-C, --clientCertDn <arg>
    Generate client certificate suitable for use in browser with specified DN (can be specified multiple times)
-d, --days <arg>
    Number of days issued certificate should be valid for (default: 825)
-f, --nifiPropertiesFile <arg>
    Base nifi.properties file to update (embedded file identical to the one in a default NiFi install will be used if not specified)
-g, --differentKeyAndKeystorePasswords
    Use different generated password for the key and the keystore
-G, --globalPortSequence <arg>
    Use sequential ports that are calculated for all hosts according to the provided hostname expressions (can be specified multiple times, MUST BE SAME FROM RUN TO RUN)
-h, --help
    Print help and exit
-k, --keySize <arg>
    Number of bits for generated keys (default: 2048)
-K, --keyPassword <arg>
    Key password to use. Must either be one value or one for each host (auto-generate if not specified)
-n, --hostnames <arg>
    Comma separated list of hostnames
--nifiDnPrefix <arg>
    String to prepend to hostname(s) when determining DN (default: CN=)
--nifiDnSuffix <arg>
    String to append to hostname(s) when determining DN (default: , OU=NIFI)
-o, --outputDirectory <arg>
    The directory to output keystores, truststore, config files (default: ../bin)
-O, --isOverwrite
    Overwrite existing host output
-P, --trustStorePassword <arg>
    Truststore password to use. Must either be one value or one for each host (auto-generate if not specified)
-s, --signingAlgorithm <arg>
    Algorithm to use for signing certificates (default: SHA256WITHRSA)
-S, --keyStorePassword <arg>
    Keystore password to use. Must either be one value or one for each host (auto-generate if not specified)
--subjectAlternativeNames <arg>
    Comma-separated list of domains to use as Subject Alternative Names in the certificate
-T, --keyStoreType <arg>
    The type of keystores to generate (default: jks)
"Hostname" and "Subject Alternative Name" Patterns:
- Square brackets can be used in order to easily specify a range of hostnames or subject alternative names. Example: [01-20]
- Parentheses can be used in order to specify that more than one NiFi instance will run on the given host(s). Example: (5)
Examples:
Create 4 sets of keystore, truststore, nifi.properties for localhost along with a client certificate with the given DN:
bin/tls-toolkit.sh standalone -n 'localhost(4)' -C 'CN=username,OU=NIFI'
Create keystore, truststore, nifi.properties for 10 NiFi hostnames in each of 4 subdomains:
bin/tls-toolkit.sh standalone -n 'nifi[01-10].subdomain[1-4].domain'
Create 2 sets of keystore, truststore, nifi.properties for 10 NiFi hostnames in each of 4 subdomains along with a client certificate with the given DN:
bin/tls-toolkit.sh standalone -n 'nifi[01-10].subdomain[1-4].domain(2)' -C 'CN=username,OU=NIFI'
The same command with a range of subject alternative names:
bin/tls-toolkit.sh standalone -n 'nifi[01-10].subdomain[1-4].domain(2)' -C 'CN=username,OU=NIFI' --subjectAlternativeNames 'nifi[21-30].other[2-5].example.com(2)'
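To make the bracket and parenthesis syntax from the Patterns section concrete, here is an added Python re-implementation of the expansion (not the toolkit's own Java code) that turns a -n/--hostnames argument into the list of hostnames and per-host instance counts the examples above describe; the zero-padding rule (the width of the lower bound is kept) and the rejection of malformed patterns are assumptions, and the counts it reports let you check how many keystore sets a run will write before generating them.

```python
import re
from itertools import product

# Hypothetical re-implementation of the help text's pattern syntax: [lo-hi] is an
# inclusive numeric range, a trailing (n) is the number of NiFi instances per host.
RANGE_RE = re.compile(r"\[(\d+)-(\d+)\]")
COUNT_RE = re.compile(r"\((\d+)\)$")


def expand_pattern(pattern):
    """Expand one hostname/SAN expression into (name, instance_count) pairs."""
    instances = 1
    count = COUNT_RE.search(pattern)
    if count:
        instances = int(count.group(1))
        if instances < 1:
            raise ValueError(f"instance count must be >= 1: {pattern!r}")
        pattern = pattern[: count.start()]
    # One list of alternatives per position: literal text between ranges is a
    # single choice; each [lo-hi] is zero-padded to the width of lo ([01-10] -> 01..10).
    choices, pos = [], 0
    for rng in RANGE_RE.finditer(pattern):
        lo, hi = rng.group(1), rng.group(2)
        if int(lo) > int(hi):
            raise ValueError(f"range lower bound exceeds upper bound: {rng.group(0)}")
        choices.append([pattern[pos:rng.start()]])
        choices.append([str(i).zfill(len(lo)) for i in range(int(lo), int(hi) + 1)])
        pos = rng.end()
    choices.append([pattern[pos:]])
    names = ["".join(parts) for parts in product(*choices)]
    # Leftover brackets or parentheses mean the pattern was malformed, e.g. an
    # unclosed "[01-" or a "(2)" that is not at the end of the expression.
    for name in names:
        if any(ch in name for ch in "[]()"):
            raise ValueError(f"malformed pattern: {pattern!r}")
    return [(name, instances) for name in names]


def expand_hostnames(arg):
    """Expand the comma separated -n/--hostnames argument."""
    result = []
    for pattern in arg.split(","):
        result.extend(expand_pattern(pattern.strip()))
    return result


def keystore_count(arg):
    """Number of keystore/truststore/nifi.properties sets the run will write."""
    return sum(n for _, n in expand_hostnames(arg))
```

Running keystore_count on the third example's argument, 'nifi[01-10].subdomain[1-4].domain(2)', reports 80 sets (40 hosts with 2 instances each), which is the total the "2 sets ... for 10 NiFi hostnames in each of 4 subdomains" wording describes.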