The client is used to request new certificates from the CA. It generates a keypair and a Certificate Signing Request (CSR) and sends the CSR to the Certificate Authority. Invoke it by running ./bin/ client -h, which prints the usage information along with descriptions of the options that can be specified.

The most common options to specify are:

  • -f,--configJson The JSON config file

  • -c,--certificateAuthorityHostname The hostname of the CA

  • -D,--DN The DN for the CSR (and Certificate)

  • -t,--token The token used to prevent man-in-the-middle attacks (this should be a long, random value and must be the same one used to start the CA server)

  • -T,--keyStoreType The type of keystore to create (leave the default for NiFi nodes; specify PKCS12 to create a client certificate)

After running the client, you will have the CA's certificate, a keystore, a truststore, and a config.json containing information about them, including their passwords.

For a client certificate that can be easily imported into the browser, specify: -T PKCS12
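
The two operational points above (a long, random token, and output files that hold passwords) can be handled with a few shell helpers. This is an added example, not part of the toolkit or the original page; the function names and the 32-byte token size are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not toolkit code). Function names and sizes are assumptions.

# gen_token: print 32 bytes from the kernel CSPRNG as 64 hex characters.
# Generate it once and give the same value to the CA server and to every
# client via -t/--token.
gen_token() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# exposed_files DIR: list regular files under DIR that group or others
# can read. config.json, the keystore and the truststore should not
# appear here, since config.json stores their passwords.
exposed_files() {
    find "$1" -type f \( -perm -g+r -o -perm -o+r \)
}

# lock_down DIR: restrict every regular file under DIR to its owner.
lock_down() {
    find "$1" -type f -exec chmod 600 {} +
}

# Typical use, run from a dedicated output directory:
#   umask 077                 # files created by the client start owner-only
#   TOKEN=$(gen_token)        # share with the CA server out of band
#   ...run the client with -t "$TOKEN" ...
#   exposed_files . ; lock_down .
```

Setting `umask 077` before running the client avoids the window in which the generated files are readable by other local users; `lock_down` covers directories created without it.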