Potential issues with wildcard certificates

  • In many places throughout the codebase, cluster communications use certificate identities many times to identify a node, and if the certificate simply presents a wildcard DN, that doesn't resolve to a specific node

  • Admins may need to provide a custom node identity in authorizers.xml for *.nifi.apache.org because all proxy actions only resolve to the cert DN (see the User Authentication section in the System Administrator's Guide for more information).

  • Admins have no traceability into which node performed an action because they all resolve to the same DN

  • Admins running multiple instances on the same machine using different ports to identify them can accidentally put node1 hostname with node2 port, and the address will resolve fine because it's using the same certificate, but the host header handler will block it because the node1 hostname is (correctly) not listed as an acceptable host for node2 instance

  • If the wildcard certificate is compromised, all nodes are compromised