Enable TLS with External Certificates

You can use an external CA or external self-signed certificates by updating some of the configuration values in Cloudera Manager.

Review the TLS certificate requirements and recommendations to ensure that your certificates meet CFM's certificate requirements.

  1. In the NiFi Toolkit CA Service field, deselect the Toolkit CA Service by setting the radio button to None.
  2. In the Enable TLS/SSL field, enable TLS by clicking the NiFi Node Default Group box.
  3. Update the keystore and truststore information for the provided certificates.
  4. Review the Auto-generate Node Identities settings to ensure that the prefix and suffix match those in the certificates.

    For auto-generate to work successfully, externally created certificates should identify, within the common name, the fully qualified hostname of each agent running a NiFi node, for example CN=hostname.local, OU=NIFI.
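
A pre-check for step 4, as an added example that is not part of the Cloudera documentation: it builds the identity that auto-generation would produce (prefix + FQDN + suffix) and compares it with the Owner lines of keytool -list -v output for each node keystore. The prefix CN= and suffix ", OU=NIFI" are assumed from the example DN above, the hostnames and keytool excerpts are constructed, and treating the comparison as an exact string match is an assumption.

```python
import re

# Assumed values, taken from the example DN "CN=hostname.local, OU=NIFI".
PREFIX = "CN="
SUFFIX = ", OU=NIFI"

# Constructed sample: excerpts of `keytool -list -v` output per node keystore.
SAMPLE = {
    "node1.example.local": "Alias name: nifi-key\n"
                           "Owner: CN=node1.example.local, OU=NIFI\n"
                           "Issuer: CN=Example Root CA\n",
    "node2.example.local": "Alias name: nifi-key\n"
                           "Owner: CN=node2, OU=NIFI\n"
                           "Issuer: CN=Example Root CA\n",
    "node3.example.local": "Alias name: nifi-key\n"
                           "Owner: CN=node3.example.local,OU=NIFI\n"
                           "Issuer: CN=Example Root CA\n",
}


def owner_dns(keytool_text):
    """Return the subject DN from every 'Owner:' line (one per certificate)."""
    return [dn.strip() for dn in re.findall(r"^Owner:\s*(.+)$", keytool_text, re.M)]


def loose(dn):
    """Rough form for near-miss detection: ignore case and spaces around , and =."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn).lower()


def check_node(fqdn, keytool_text, prefix=PREFIX, suffix=SUFFIX):
    """Compare the identity built from prefix + FQDN + suffix with the cert DNs."""
    expected = prefix + fqdn + suffix
    owners = owner_dns(keytool_text)
    if expected in owners:
        return "ok"
    if any(loose(dn) == loose(expected) for dn in owners):
        return "format-differs"   # same DN, different spacing or case
    return "mismatch"             # e.g. short hostname instead of the FQDN


def check_cluster(keytool_by_host):
    """Map each node FQDN to its check result."""
    return {host: check_node(host, text) for host, text in keytool_by_host.items()}


if __name__ == "__main__":
    for host, status in check_cluster(SAMPLE).items():
        print(f"{host}: {status}")
```

A "format-differs" or "mismatch" result means the certificate subject or the prefix and suffix settings need to be corrected before relying on auto-generated node identities.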