Encrypting Data in TransitPDF version

TLS/SSL certificate requirements and recommendations

If you use your own enterprise-generated certificates, you would need to manually configure TLS.

Before you manually configure TLS, ensure that the certificate that you use meets the following requirements.

Verify the following minimum requirements:
  • The KeyStore must contain only one PrivateKeyEntry. Using multiple private keys in one KeyStore is not supported.
  • The KeyStore password and key/certificate password must be the same or no password should be set on the certificate.
  • The unique KeyStores used on each NiFi cluster node must use the same KeyStore password and key/certificate password. Ambari and Cloudera Manager do not support defining unique passwords per NiFi host.
  • The X509v3 ExtendedKeyUsages section of the certificate must have the following attributes:
    • clientAuth - This attribute is for TLS web client authentication.
    • serverAuth - This attribute is for TLS web server authentication.
  • The signature algorithm used for the certificate must be sha256WithRSAEncryption (SHA-256).
  • The certificates must not use wildcards. Each cluster node must have its own certificate. If NiFi or NiFi Registry is behind Knox, do not use wildcard certificates for Knox.
  • Subject Alternate Names (SANs) are mandatory and should at least include the FQDN of the host.
  • Additional names for the certificate/host can be added to the certificate as SANs.
    • Add the FQDN used for the CN as a DNS SAN entry.
    • If you are planning to use a load balancer for the NiFi service, include the FQDN for the load balancer as a DNS SAN entry.
  • The X509v3 KeyUsage section of the certificate must include the following attributes:
    • DigitalSignature
    • Key_Encipherment
Cloudera recommends the following security protocols:
  • Use certificates that are signed by a CA. Do not issue self-signed certificates.
  • Generate a unique certificate per host.