Administration
Also available as:
PDF
loading table of contents...
Client

The client can be used to request new Certificates from the CA. The client utility generates a keypair and Certificate Signing Request (CSR) and sends the CSR to the Certificate Authority. The client is invoked by running ./bin/tls-toolkit.sh client -h which prints the usage information along with descriptions of options that can be specified.

You can use the following command line options with the tls-toolkit in client mode:

  • -a,--keyAlgorithm <arg> Algorithm to use for generated keys (default: RSA)

  • -c,--certificateAuthorityHostname <arg> Hostname of NiFi Certificate Authority (default: localhost)

  • -C,--certificateDirectory <arg> The directory to write the CA certificate (default: .)

  • --configJsonIn <arg> The place to read configuration info from, implies useConfigJson if set (default: configJson value)

  • -D,--dn <arg> The DN to use for the client certificate (default: CN=<localhost name>,OU=NIFI) (this is auto-populated by the tool)

  • -f,--configJson <arg> The place to write configuration info (default: config.json)

  • -F,--useConfigJson Flag specifying that all configuration is read from configJson to facilitate automated use (otherwise configJson will only be written to)

  • -g,--differentKeyAndKeystorePasswords Use different generated password for the key and the keystore

  • -h,--help Print help and exit

  • -k,--keySize <arg> Number of bits for generated keys (default: 2048)

  • -p,--PORT <arg> The port to use to communicate with the Certificate Authority (default: 8443)

  • --subjectAlternativeNames <arg> Comma-separated list of domains to use as Subject Alternative Names in the certificate

  • -T,--keyStoreType <arg> The type of keystores to generate (default: jks)

  • -t,--token <arg> The token to use to prevent MITM (required and must be same as one used by CA)

After running the client you will have the CA's certificate, a keystore, a truststore, and a config.json with information about them as well as their passwords.

For a client certificate that can be easily imported into the browser, specify: -T PKCS12