[ https://issues.apache.org/jira/browse/NIFI-7053?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17021478#comment-17021478 ]
Andrew M. Lim edited comment on NIFI-7053 at 1/22/20 8:29 PM:
--------------------------------------------------------------

Plan to add the following note:

Please note that there are new requirements for trusted certificates in macOS 10.15. Details can be found [here|https://support.apple.com/en-us/HT210176], but of particular importance is that all TLS server certificates issued after July 1, 2019 must have a validity period of 825 days or less. Because the TLS Toolkit defaults this value to 1,095 days, the validity period should be explicitly set to meet this requirement (using the {{--days}} option) when generating certificates for macOS 10.15.

> Update Toolkit Guide with macOS 10.15 trusted certificate requirements (2048 bit key and max of 825 days of validity)
> ----------------------------------------------------------------------------------------------------------------------
>
> Key: NIFI-7053
> URL: https://issues.apache.org/jira/browse/NIFI-7053
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Documentation & Website, Security
> Reporter: Andrew M. Lim
> Assignee: Andrew M. Lim
> Priority: Major
>
> I was testing secured NiFi and NiFi Registry on macOS 10.15.2 using certs
> generated by the TLS Toolkit. I was able to access the UIs of both apps
> using Safari but not able to with Chrome due to a NET::ERR_CERT_REVOKED error
> which I had never seen before.
> Turns out this is a known issue on Catalina
> ([https://support.apple.com/en-us/HT210176]). macOS 10.15 requires certs to
> be:
> * valid for 825 days or less
> * a minimum 2048 bit key
> By default, the TLS Toolkit sets the number of days the cert should be valid
> for to 1095 days and the number of bits for generated keys to 2048.
> Generating new certs with the required 825-day validity solved the issue.
> We should document this in the Toolkit Guide for the Mac users in the NiFi
> community.

--
This message was sent by Atlassian Jira (v8.3.4#803005)
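
A check for the two requirements stated in the message above, run over the text that `openssl x509 -noout -text` prints for a certificate. This is an added example, not part of the Jira message or of NiFi; the function names, the constructed sample dates and the reading of the July 1, 2019 cutoff are assumptions.

```python
import re
import ssl
from datetime import datetime, timedelta, timezone

MAX_VALIDITY_DAYS = 825   # limit quoted in the note above
MIN_KEY_BITS = 2048       # minimum key size quoted in the issue
# Assumption: "issued after July 1, 2019" is read as a Not Before time later
# than 2019-07-01 00:00 UTC.
CUTOFF = datetime(2019, 7, 1, tzinfo=timezone.utc)


def _parse_time(value):
    # openssl prints times such as "Jan 22 20:29:00 2020 GMT"
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def check_cert_text(text):
    """Return the list of problems found in `openssl x509 -noout -text` output."""
    start = re.search(r"Not Before\s*:\s*(.+)", text)
    end = re.search(r"Not After\s*:\s*(.+)", text)
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    if not (start and end and bits):
        raise ValueError("validity or public key fields not found")
    not_before = _parse_time(start.group(1).strip())
    validity = _parse_time(end.group(1).strip()) - not_before
    problems = []
    # The validity limit applies only to certificates issued after the cutoff.
    if not_before > CUTOFF and validity > timedelta(days=MAX_VALIDITY_DAYS):
        problems.append(f"validity is {validity.days} days, limit is {MAX_VALIDITY_DAYS}")
    if int(bits.group(1)) < MIN_KEY_BITS:
        problems.append(f"key is {bits.group(1)} bits, minimum is {MIN_KEY_BITS}")
    return problems


def sample(not_before, not_after, bits):
    # Constructed excerpt in the layout of `openssl x509 -noout -text`.
    return (f"        Validity\n"
            f"            Not Before: {not_before}\n"
            f"            Not After : {not_after}\n"
            f"                Public-Key: ({bits} bit)\n")


if __name__ == "__main__":
    # Constructed dates: the toolkit default of 1,095 days, then 825 days.
    default = sample("Jan 22 20:29:00 2020 GMT", "Jan 21 20:29:00 2023 GMT", 2048)
    fixed = sample("Jan 22 20:29:00 2020 GMT", "Apr 26 20:29:00 2022 GMT", 2048)
    print(check_cert_text(default))
    print(check_cert_text(fixed))
```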