TLS certificate requirements and recommendations
If you use your own enterprise-generated certificates, you would need to manually configure TLS.
Before you manually configure TLS, ensure that the certificate that you use meets the following requirements.
Verify the following minimum requirements:
- The KeyStore must contain only one PrivateKeyEntry. Using multiple private keys in one KeyStore is not supported.
- The KeyStore password and key/certificate password must be the same or no password should be set on the certificate.
- The unique KeyStores used on each NiFi cluster node must use the same KeyStore password and key/certificate password. Ambari and Cloudera Manager do not support defining unique passwords per NiFi host.
- The X509v3 ExtendedKeyUsages section of the certificate must have
the following attributes:
- clientAuth - This attribute is for TLS web client authentication.
- serverAuth - This attribute is for TLS web server authentication.
- The signature algorithm used for the certificate must be
- The certificates must not use wildcards. Each cluster node must have its own certificate. If NiFi or NiFi Registry is behind Knox, do not use wildcard certificates for Knox.
- Subject Alternate Names (SANs) are mandatory and should at least include the FQDN of the host.
- Additional names for the certificate/host can be added to the certificate as SANs.
- Add the FQDN used for the CN as a DNS SAN entry.
- If you are planning to use a load balancer for the NiFi service, include the FQDN for the load balancer as a DNS SAN entry.
- The X509v3 KeyUsage section of the certificate must include the
Cloudera recommends the following security protocols:
- Use certificates that are signed by a CA. Do not issue self-signed certificates.
- Generate a unique certificate per host.