Get Client Certificates for Authentication
After you install NiFi CA, you can use the NiFi Toolkit to generate a client certificate for users you wish to authenticate. You can do this with NiFi Toolkit binaries running locally or located on agent machines where CFM is installed.
Example of creating a client certificate using the NiFi Toolkit in the CFM parcel:
    # Ensure JAVA_HOME is set before execution
    <parcel_home_dir>/CFM/TOOLKIT/bin/tls-toolkit.sh client -c <nifi-ca-host-fqdn> -t <nifi-ca-token> -p <nifi-ca-port> -D <user-dn> -T PKCS12
After the pkcs12 keystore is created, use the password information from config.json to import the keystore.pkcs12 file into
When you log in to a secured NiFi or NiFi Registry instance, the service first looks for a client certificate imported in the browser and uses it for authentication. If a client certificate exists and its DN/Identity represents a user that is authorized to access the UI or Flow (as an initial admin or a manually configured user in NiFi/NiFi Registry), the user is logged in. Otherwise, if a login-identity provider is configured for Kerberos/LDAP, a login screen displays.
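A check to run on the toolkit output before importing the keystore, as an added example that is not part of the original page or of the NiFi Toolkit: it flags a config.json or keystore readable by other accounts and a DN that does not match the identity you plan to authorize. The config.json field names (`keyStore`, `keyStorePassword`, `dn`), the function names, and exact string comparison of identities are assumptions.

```python
import json
import os
import stat
import sys


def split_dn(dn):
    """Lower-case and trim each 'attr=value' part for a loose comparison.

    Simplification: does not handle escaped commas inside DN values.
    """
    return ["=".join(s.strip() for s in rdn.split("=", 1)).lower()
            for rdn in dn.split(",")]


def check_client_material(config_path, expected_dn):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    with open(config_path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    # Assumed field: 'keyStore' names the keystore file next to config.json.
    keystore = os.path.join(os.path.dirname(config_path),
                            cfg.get("keyStore", "keystore.pkcs12"))
    # config.json carries the keystore password in clear text and the keystore
    # carries the user's private key, so neither should be group/other accessible.
    for path in (config_path, keystore):
        if not os.path.exists(path):
            findings.append(f"missing: {os.path.basename(path)}")
        elif stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append(f"group/other access: {os.path.basename(path)}")
    if not cfg.get("keyStorePassword"):
        findings.append("no keyStorePassword in config.json")
    # Assumption: the authorized identity must equal the certificate DN exactly,
    # so a DN that matches only after normalization is reported separately.
    dn = cfg.get("dn", "")
    if dn != expected_dn:
        loose = split_dn(dn) == split_dn(expected_dn)
        findings.append("dn differs only in case/spacing" if loose else "dn mismatch")
    return findings


if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: script.py <path-to-config.json> "<expected-user-dn>"
    problems = check_client_material(sys.argv[1], sys.argv[2])
    print("\n".join(problems) if problems else "no findings")
    sys.exit(1 if problems else 0)
```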