Details
- Type: Improvement
- Status: Resolved
- Priority: Major
- Resolution: Fixed
Description
I was testing secured NiFi and NiFi Registry on macOS 10.15.2 using certs generated by the TLS Toolkit. I was able to access the UIs of both apps using Safari but not able to with Chrome due to a NET::ERR_CERT_REVOKED error which I had never seen before. Turns out this is a known issue on Catalina (https://support.apple.com/en-us/HT210176). macOS 10.15 requires certs to be:
- valid for 825 days or less
- a minimum 2048 bit key
By default, the TLS Toolkit sets the number of days the cert should be valid for to 1095 days and the number of bits for generated keys to 2048. Generating new certs with the required 825-day validity solved the issue.
We should document this in the Toolkit Guide for the Mac users in the NiFi community.
Issue Links
- is related to
  - NIFI-7082 In tls-toolkit, change default validity of to 825 days or less (Resolved)
Plan to add the following note:
Please note that there are new requirements for trusted certificates in macOS 10.15. Details can be found here, but of particular importance is that all TLS server certificates issued after July 1, 2019 must have a validity period of 825 days or less. Because the TLS Toolkit defaults this value to 1,095 days, the validity period should be explicitly set to meet this requirement (using the --days option) when generating certificates for macOS 10.15.
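
A way to check an existing certificate against the two requirements listed in the description, as an added example that is not part of this issue or of the NiFi code base. It assumes the `openssl` CLI, a PEM-encoded certificate with an RSA key, and hypothetical function and file names; it does not look at the July 1, 2019 issuance cutoff.

```sh
#!/bin/sh
# Added example: check a PEM certificate against the two macOS 10.15 rules
# quoted in this issue. Function names and file paths are hypothetical.
MAX_DAYS=825    # maximum validity period, in days
MIN_BITS=2048   # minimum key size (assumes an RSA key)

# Convert an openssl date ("Jan  1 00:00:00 2024 GMT") to epoch seconds.
# Tries GNU date first, then the BSD date shipped with macOS.
to_epoch() {
    date -u -d "$1" +%s 2>/dev/null || date -j -u -f '%b %d %T %Y %Z' "$1" +%s
}

# Print the certificate's validity period (notAfter - notBefore) in days.
cert_validity_days() {
    nb=$(openssl x509 -in "$1" -noout -startdate) || return 2
    na=$(openssl x509 -in "$1" -noout -enddate) || return 2
    echo $(( ($(to_epoch "${na#notAfter=}") - $(to_epoch "${nb#notBefore=}")) / 86400 ))
}

# Print the public key size in bits, as reported by openssl.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 if the certificate meets both rules, 1 if not, 2 on read errors.
check_macos_cert() {
    days=$(cert_validity_days "$1") || return 2
    bits=$(cert_key_bits "$1")
    [ -n "$bits" ] || return 2
    rc=0
    if [ "$days" -gt "$MAX_DAYS" ]; then
        echo "FAIL: $1 is valid for $days days (limit $MAX_DAYS)"; rc=1
    fi
    if [ "$bits" -lt "$MIN_BITS" ]; then
        echo "FAIL: $1 has a $bits-bit key (minimum $MIN_BITS)"; rc=1
    fi
    [ "$rc" -ne 0 ] || echo "OK: $1 ($days days, $bits-bit key)"
    return "$rc"
}

# Usage: sh check_cert.sh path/to/cert.pem
if [ "$#" -gt 0 ]; then check_macos_cert "$1"; fi
```

A certificate generated with the Toolkit's default of 1095 days fails the first check; one regenerated with `--days 825` passes.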