  1. Apache NiFi
  2. NIFI-7053

Update Toolkit Guide with macOS 10.15 trusted certificate requirements (2048 bit key and max of 825 days of validity)

Details

    Description

      I was testing secured NiFi and NiFi Registry on macOS 10.15.2 using certs generated by the TLS Toolkit. I was able to access the UIs of both apps using Safari but not able to with Chrome due to a NET::ERR_CERT_REVOKED error which I had never seen before. Turns out this is a known issue on Catalina (https://support.apple.com/en-us/HT210176). macOS 10.15 requires certs to be:

      • valid for 825 days or less
      • a minimum 2048 bit key

      By default, the TLS Toolkit sets the number of days the cert should be valid for to 1095 days and the number of bits for generated keys to 2048. Generating new certs with the required 825-day validity solved the issue.

      We should document this in the Toolkit Guide for the Mac users in the NiFi community.
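
A check for the two requirements described above, as an added example that is not part of the original issue or NiFi's code: it audits the text printed by `openssl x509 -noout -dates -text` for a validity period above 825 days (on certificates issued after July 1, 2019) and a key below 2048 bits. The function names and the sample output are constructed for illustration, and an RSA key is assumed.

```python
import re
import subprocess
from datetime import datetime

MAX_VALIDITY_DAYS = 825            # macOS 10.15 limit quoted in the issue
MIN_KEY_BITS = 2048                # macOS 10.15 minimum quoted in the issue (assumes an RSA key)
RULE_START = datetime(2019, 7, 1)  # limit applies to certificates issued after this date

def _parse_date(text, field):
    # openssl prints lines such as "notBefore=Jan 15 00:00:00 2020 GMT"
    m = re.search(rf"^{field}=(.+?) GMT\s*$", text, re.MULTILINE)
    if not m:
        raise ValueError(f"{field} not found in openssl output")
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")

def audit_openssl_text(text):
    """Return a list of macOS 10.15 violations found in `openssl x509` output."""
    not_before = _parse_date(text, "notBefore")
    not_after = _parse_date(text, "notAfter")
    problems = []
    days = (not_after - not_before).days
    if not_before > RULE_START and days > MAX_VALIDITY_DAYS:
        problems.append(f"validity {days} days > {MAX_VALIDITY_DAYS}")
    m = re.search(r"Public-Key: \((\d+) bit\)", text)
    if not m:
        raise ValueError("key size not found in openssl output")
    if int(m.group(1)) < MIN_KEY_BITS:
        problems.append(f"key {m.group(1)} bits < {MIN_KEY_BITS}")
    return problems

def audit_pem(path):
    """Run the openssl CLI on a PEM certificate file and audit its output."""
    out = subprocess.run(
        ["openssl", "x509", "-in", path, "-noout", "-dates", "-text"],
        check=True, capture_output=True, text=True).stdout
    return audit_openssl_text(out)

# Constructed sample output (not from a real certificate): 1095-day validity.
SAMPLE_DEFAULT = """notBefore=Jan 15 00:00:00 2020 GMT
notAfter=Jan 14 00:00:00 2023 GMT
        Public-Key: (2048 bit)
"""
# Constructed sample: same start date, reissued with an 825-day validity.
SAMPLE_FIXED = SAMPLE_DEFAULT.replace("Jan 14 00:00:00 2023", "Apr 19 00:00:00 2022")

if __name__ == "__main__":
    print(audit_openssl_text(SAMPLE_DEFAULT))
    print(audit_openssl_text(SAMPLE_FIXED))
```

Running `audit_pem` against each certificate in a keystore export before distributing it catches the Chrome failure described above without needing a macOS client.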

       


          Activity

            andrewmlim Andrew M. Lim added a comment - - edited

            Plan to add the following note:

            Please note that there are new requirements for trusted certificates in macOS 10.15. Details can be found here, but of particular importance is that all TLS server certificates issued after July 1, 2019 must have a validity period of 825 days or less. Because the TLS Toolkit defaults this value to 1,095 days, the validity period should be explicitly set to meet this requirement (using the --days option) when generating certificates for macOS 10.15.

            Absolutesantaja Shawn Weeks added a comment -

            Is there any harm in just changing the default so that you don't have to include the option. I already submitted a bug about this to easy-rsa and they updated it.

            alopresto Andy LoPresto added a comment -

            I don't think there is any issue with changing the defaults to be compatible with these new requirements.

            andrewmlim Andrew M. Lim added a comment -

            Absolutesantaja, sounds good. I will remove the last sentence of my note so it will read:

            Please note that there are new requirements for trusted certificates in macOS 10.15. Details can be found here, but of particular importance is that all TLS server certificates issued after July 1, 2019 must have a validity period of 825 days or less.

             


            jira-bot ASF subversion and git services added a comment -

            Commit d80875e6bad48ff004495aa03a496453252803f0 in nifi's branch refs/heads/master from Andrew Lim
            [ https://gitbox.apache.org/repos/asf?p=nifi.git;h=d80875e ]

            NIFI-7053 Update Toolkit Guide with macOS 10.15 requirements for trus… (#4018)

            • NIFI-7053 Update Toolkit Guide with macOS 10.15 requirements for trusted certificates
            • Simplified note about trusted certs in macOS 10.15

            Signed-off-by: Andy LoPresto <alopresto@apache.org>

            alopresto Andy LoPresto added a comment -

            While this was not included in the 1.11.1 release, we can manually update the docs on the public site to inform users of this issue.


            jira-bot ASF subversion and git services added a comment -

            Commit 85cc5689e636bd3e727872e8feb2834cd7ffeb7a in nifi's branch refs/heads/support/nifi-1.11.x from Andrew Lim
            [ https://gitbox.apache.org/repos/asf?p=nifi.git;h=85cc568 ]

            NIFI-7053 Update Toolkit Guide with macOS 10.15 requirements for trus… (#4018)

            • NIFI-7053 Update Toolkit Guide with macOS 10.15 requirements for trusted certificates
            • Simplified note about trusted certs in macOS 10.15

            Signed-off-by: Andy LoPresto <alopresto@apache.org>

            People

              andrewmlim Andrew M. Lim