Enabling HTTPS through default configuration properties requires the presence of keystore and truststore files. For default standalone installations, this requires generating a self-signed certificate and private key for storage in a keystore. The certificate should be stored in a truststore and both files should be placed in a standard location within the NiFi home directory.
The following requirements should be considered as part of the implementation:
- Keystore and Truststore format should be PKCS12
- Keystore and Truststore passwords should use secure random generation
- The self-signed certificate must contain at least one DNS Subject Alternative Name
The following implementation questions should be addressed as part of the implementation:
- Should the certificate subject always use localhost or should other host addresses be evaluated and added as subject alternative names?
- What is the default expiration for the generated certificate? Something short should be considered to encourage provisioning a certificate through other means
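
The requirements above can be sketched with the JDK `keytool` command; this is an added example, not NiFi's own implementation. Assumptions: `keytool` is on the PATH, the subject and DNS SAN are `localhost`, validity is 60 days, the key is RSA 2048, and the aliases, output directory and the `generated-tls.properties` file name are hypothetical.

```shell
#!/bin/sh
# Added example (not NiFi code): self-signed certificate, PKCS12 keystore and
# truststore, random passwords. Names and values marked "assumed" are illustrative.

# 128 bits from the kernel CSPRNG, hex-encoded (32 characters).
random_password() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# generate_stores DIR: writes keystore.p12, truststore.p12 and
# generated-tls.properties (assumed name) into DIR.
# The subshell body keeps umask and the exported passwords out of the caller.
generate_stores() (
    dir=$1
    umask 077                      # new files readable by the owner only
    mkdir -p "$dir" || exit 1
    KS_PASS=$(random_password)
    TS_PASS=$(random_password)
    export KS_PASS TS_PASS

    # Key pair and self-signed certificate with one DNS SAN.
    # -storepass:env keeps the password out of the process argument list.
    keytool -genkeypair -alias nifi-key -keyalg RSA -keysize 2048 \
        -dname "CN=localhost" -ext "SAN=dns:localhost" -validity 60 \
        -keystore "$dir/keystore.p12" -storetype PKCS12 \
        -storepass:env KS_PASS || exit 1

    # Export only the certificate, then import it as a trusted entry.
    keytool -exportcert -alias nifi-key -rfc -file "$dir/nifi-cert.pem" \
        -keystore "$dir/keystore.p12" -storetype PKCS12 \
        -storepass:env KS_PASS || exit 1
    keytool -importcert -alias nifi-cert -noprompt -file "$dir/nifi-cert.pem" \
        -keystore "$dir/truststore.p12" -storetype PKCS12 \
        -storepass:env TS_PASS || exit 1
    rm -f "$dir/nifi-cert.pem"

    # Record the generated passwords for the HTTPS configuration properties.
    {
        printf 'nifi.security.keystoreType=PKCS12\n'
        printf 'nifi.security.keystorePasswd=%s\n' "$KS_PASS"
        printf 'nifi.security.truststoreType=PKCS12\n'
        printf 'nifi.security.truststorePasswd=%s\n' "$TS_PASS"
    } > "$dir/generated-tls.properties"
)

# Stand-alone use: sh generate-stores.sh /path/to/output-dir
if [ -n "${1:-}" ]; then
    generate_stores "$1"
fi
```

The truststore holds only the certificate, so a client that imports it can verify the server without ever seeing the private key.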