@Andy LoPresto I fully understand what you wrote regarding certs in the admin guide; however, as you already mentioned, in my point of view this certificate stuff is really a pain. We have lost multiple days getting it running together with LDAP, just because of the complexity of the whole configuration. And after the upgrade to 1.7.0 we again had issues because of certs and the bug...
Let me explain why we use wildcard certs. We have to use our company CA, and we have to manually insert the CSR on a website (with some additional parameters) to get the certificate signed. If we had to do that for 20 nodes or even more, this would be a huge amount of work. Additionally, the network where the NiFi nodes are is a subnet secured by a firewall, so it's not possible to connect from outside through the cluster port. If an attacker is inside the subnet and is able to create a NiFi node that can join the cluster (with the certificate and the password for the keystore), then we would have bigger problems anyway. But yes, of course, wildcard certs are less secure.

*Two questions for you:*

1. We already used the wildcard certs in NiFi 1.5.0 in our lab; however, we would like to go live with 1.7.1 now. If we haven't seen any issues on NiFi 1.5.0 with the wildcard certs, how likely is it that we see some issues on 1.7.1?

2. Somewhere I've read that in an optimal world (e.g. with the NiFi TLS Certkit) we should have a cert with a unique DN and also use the same DN for the SAN per node. Would it be OK to have the following:

3-node cluster environment: nifi-node-1, nifi-node-2, nifi-node-3
One keystore certificate for all NiFi nodes with the following attributes:
-> DN "CN=NiFi Apache"
-> SAN = nifi-node-1, nifi-node-2, nifi-node-3

The background is the following: we are planning a load balancer in front of the NiFi Web GUI, and I don't see any solution to get the whole thing working without the procedure above. Today we use wildcard certs, and with that we are good to go. But as you already mentioned multiple times that wildcards are not supported, we are looking for some alternatives.

Thanks in advance
Josef

--
Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/
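Hostname verification for the two certificate layouts discussed in the message (one shared cert listing every node in the SAN versus a wildcard cert), as an added example that is neither NiFi's code nor anything posted in this thread; the `*.nifi.example` domain and the `nifi-lb` load-balancer name are assumptions:

```python
# Added example (not NiFi or thread code): RFC 6125 hostname matching, as a
# TLS client applies it to a server certificate. Two rules matter here:
#   * if the certificate carries any DNS SANs, the CN is ignored entirely;
#   * a wildcard is only honoured as the whole left-most label and matches
#     exactly one label. Domain and load-balancer names below are assumed.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class CertIdentity:
    cn: str
    dns_sans: List[str] = field(default_factory=list)


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (possibly a wildcard) against a hostname."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard must be the entire left-most label with at least two labels after
    # it; partial wildcards such as "nifi-*" are rejected.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_matches_host(cert: CertIdentity, hostname: str) -> bool:
    """True if a client that dialled `hostname` would accept `cert`."""
    if cert.dns_sans:  # SAN present: the CN is not consulted at all
        return any(_name_matches(san, hostname) for san in cert.dns_sans)
    return _name_matches(cert.cn, hostname)


def coverage(cert: CertIdentity, hosts: List[str]) -> Dict[str, bool]:
    return {h: cert_matches_host(cert, h) for h in hosts}


# Constructed sample: the shared SAN certificate proposed in the thread and the
# wildcard certificate it would replace (domain assumed).
SAN_CERT = CertIdentity("NiFi Apache", ["nifi-node-1", "nifi-node-2", "nifi-node-3"])
WILDCARD_CERT = CertIdentity("*.nifi.example")
HOSTS = ["nifi-node-1", "nifi-node-4", "nifi-node-1.nifi.example", "nifi-lb.nifi.example"]

if __name__ == "__main__":
    for label, cert in (("SAN cert", SAN_CERT), ("wildcard cert", WILDCARD_CERT)):
        print(label, coverage(cert, HOSTS))
```

The SAN-only certificate matches node names exactly, so a fourth node or a load-balancer name in front of the Web GUI is only accepted once that name is added to the SAN list, whereas the wildcard accepts any single-label host under its domain.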