TLS/SSL certificate requirements and recommendations

If you use your own enterprise-generated certificates, you would need to manually configure TLS.

Before you manually configure TLS, ensure that the certificate that you use meets the following requirements.

Certificate Requirements

Verify the following minimum requirements:
  • The KeyStore must contain only one PrivateKeyEntry. Using multiple private keys in one KeyStore is not supported.
  • The KeyStore password and key/certificate password must be the same or no password should be set on the certificate.
  • The unique KeyStores used on each NiFi cluster node must use the same KeyStore password and key/certificate password. Ambari and Cloudera Manager do not support defining unique passwords per NiFi host.
  • The X509v3 ExtendedKeyUsages section of the certificate must have the following attributes:
    • clientAuth - This attribute is for TLS web client authentication.
    • serverAuth - This attribute is for TLS web server authentication.
  • The signature algorithm used for the certificate must be sha256WithRSAEncryption (SHA-256).
  • The certificates must not use wildcards. Each cluster node must have its own certificate. If NiFi or NiFi Registry is behind Knox, do not use wildcard certificates for Knox.
  • Subject Alternate Names (SANs) are mandatory and should at least include the FQDN of the host.
  • Additional names for the certificate/host can be added to the certificate as SANs.
    • Add the FQDN used for the CN as a DNS SAN entry.
    • If you are planning to use a load balancer for the NiFi service, include the FQDN for the load balancer as a DNS SAN entry.
  • The X509v3 KeyUsage section of the certificate must include the following attributes:
    • DigitalSignature
    • Key_Encipherment

Cloudera Recommendations

Cloudera recommends the following security protocols:
  • Use certificates that are signed by a CA. Do not issue self-signed certificates.
  • Generate a unique certificate per host.