Client/Server
Client/Server mode relies on a long-running Certificate Authority (CA) to issue certificates. The CA can be stopped when you're not bringing nodes online.
Server
CA server mode is invoked by running ./bin/tls-toolkit.sh server
or
bin\tls-toolkit.sh server
.
Usage
To show help:
./bin/tls-toolkit.sh server -h
The following are available options:
-
-a
,--keyAlgorithm <arg>
Algorithm to use for generated keys (default:RSA
) -
--configJsonIn <arg>
The place to read configuration info from (defaults to the value of configJson), implies useConfigJson if set (default:configJson
value) -
-d
,--days <arg>
Number of days issued certificate should be valid for (default:825
) -
-D
,--dn <arg>
The dn to use for the CA certificate (default:CN=YOUR_CA_HOSTNAME,OU=NIFI
) -
-f
,--configJson <arg>
The place to write configuration info (default:config.json
) -
-F
,--useConfigJson
Flag specifying that all configuration is read fromconfigJson
to facilitate automated use (otherwiseconfigJson
will only be written to) -
-g
,--differentKeyAndKeystorePasswords
Use different generated password for the key and the keystore -
-h
,--help
Print help and exit -
-k
,--keySize <arg>
Number of bits for generated keys (default:2048
) -
-p
,--PORT <arg>
The port for the Certificate Authority to listen on (default:9443
) -
-s
,--signingAlgorithm <arg>
Algorithm to use for signing certificates (default:SHA256WITHRSA
) -
-T
,--keyStoreType <arg>
The type of keystores to generate (default:jks
) -
-t
,--token <arg>
The token to use to prevent MITM (required and must be same as one used by clients)
Client
The client can be used to request new Certificates from the CA. The client utility
generates a keypair and Certificate Signing Request (CSR) and sends the CSR to the
Certificate Authority. CA client mode is invoked by running ./bin/tls-toolkit.sh
client
or bin\tls-toolkit.sh client
.
Usage
To show help:
./bin/tls-toolkit.sh client -h
The following are available options:
-
-a
,--keyAlgorithm <arg>
Algorithm to use for generated keys (default:RSA
) -
-c
,--certificateAuthorityHostname <arg>
Hostname of NiFi Certificate Authority (default:localhost
) -
-C
,--certificateDirectory <arg>
The directory to write the CA certificate (default:.
) -
--configJsonIn <arg>
The place to read configuration info from, impliesuseConfigJson
if set (default:configJson
value) -
-D
,--dn <arg>
The DN to use for the client certificate (default:CN=<localhost name>,OU=NIFI
) (this is auto-populated by the tool) -
-f
,--configJson <arg>
The place to write configuration info (default:config.json
) -
-F
,--useConfigJson
Flag specifying that all configuration is read fromconfigJson
to facilitate automated use (otherwiseconfigJson
will only be written to) -
-g
,--differentKeyAndKeystorePasswords
Use different generated password for the key and the keystore -
-h
,--help
Print help and exit -
-k
,--keySize <arg>
Number of bits for generated keys (default:2048
) -
-p
,--PORT <arg>
The port to use to communicate with the Certificate Authority (default:9443
) -
--subjectAlternativeNames <arg>
Comma-separated list of domains to use as Subject Alternative Names in the certificate -
-T
,--keyStoreType <arg>
The type of keystores to generate (default:jks
) -
-t
,--token <arg>
The token to use to prevent MITM (required and must be same as one used by CA)
After running the client you will have the CA's certificate, a keystore, a truststore,
and a config.json
with information about them as well as their
passwords.
For a client certificate that can be easily imported into the browser, specify:
-T PKCS12
.