From d80875e6bad48ff004495aa03a496453252803f0 Mon Sep 17 00:00:00 2001 From: Andrew Lim Date: Fri, 31 Jan 2020 13:18:05 -0500 Subject: [PATCH] =?UTF-8?q?NIFI-7053=20Update=20Toolkit=20Guide=20with=20m?= =?UTF-8?q?acOS=2010.15=20requirements=20for=20trus=E2=80=A6=20(#4018)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * NIFI-7053 Update Toolkit Guide with macOS 10.15 requirements for trusted certificates * Simplified note about trusted certs in macOS 10.15 Signed-off-by: Andy LoPresto --- nifi-docs/src/main/asciidoc/toolkit-guide.adoc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nifi-docs/src/main/asciidoc/toolkit-guide.adoc b/nifi-docs/src/main/asciidoc/toolkit-guide.adoc index 44e67e231c..baaf55565f 100644 --- a/nifi-docs/src/main/asciidoc/toolkit-guide.adoc +++ b/nifi-docs/src/main/asciidoc/toolkit-guide.adoc 
@@ -721,6 +721,8 @@ Example usage to send a FlowFile with the contents of "hey nifi" to a local unse == TLS Toolkit In order to facilitate the secure setup of NiFi, you can use the `tls-toolkit` command line utility to automatically generate the required keystores, truststore, and relevant configuration files. This is especially useful for securing multiple NiFi nodes, which can be a tedious and error-prone process. +NOTE: Please note that there are new requirements for trusted certificates in macOS 10.15. Details can be found link:https://support.apple.com/en-us/HT210176[here^], but of particular importance is that all TLS server certificates issued after July 1, 2019 must have a validity period of 825 days or less. + [[wildcard_certificates]] === Wildcard Certificates Wildcard certificates (i.e. two nodes `node1.nifi.apache.org` and `node2.nifi.apache.org` being assigned the same certificate with a CN or SAN entry of `+*.nifi.apache.org+`) are *not officially supported* and *not recommended*. There are numerous disadvantages to using wildcard certificates, and a cluster working with wildcard certificates has occurred in previous versions out of lucky accidents, not intentional support. Wildcard SAN entries are acceptable *if* each cert maintains an additional unique SAN entry and CN entry.
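Review bot: The added NOTE line in the TLS Toolkit intro states the macOS 10.15 limit (a validity period of 825 days or less for TLS server certificates issued after July 1, 2019) but does not tell the reader what to do about it when running `tls-toolkit`. Suggest adding a sentence that says how to set the validity period of the certificates the toolkit generates, and whether the toolkit's default falls within 825 days, so the reader does not have to find out from a rejected certificate. Two style points on the same line: "Please note that" is redundant directly after the `NOTE:` admonition, and the link text "here" would read better as descriptive text, such as the title of the Apple support article.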