Security: updated cert gen for NiFi and root certs to allow subject a…

…lt names.
CogStack · Nov 26, 2024 · 6543ea9 · 6543ea9
1 parent 12d9261
commit 6543ea9
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 3 deletions.
diff --git a/security/certificates_general.env b/security/certificates_general.env
@@ -3,6 +3,7 @@
 ROOT_CERTIFICATE_NAME=root-ca
 ROOT_CERTIFICATE_KEY_PASSWORD=cogstackNifi
 ROOT_CERTIFICATE_SUBJ_LINE="/C=UK/ST=UK/L=UK/O=cogstack/OU=cogstack/CN=cogstack"
+ROOT_CERTIFICATE_SUBJ_ALT_NAMES="subjectAltName=DNS:cogstack-net.test"
 ROOT_CERTIFICATE_ALIAS_NAME=root-ca
 ROOT_CERTIFICATE_TIME_VAILIDITY_IN_DAYS=730
 ROOT_CERTIFICATE_KEY_SIZE=4096
diff --git a/security/certificates_nifi.env b/security/certificates_nifi.env
@@ -2,4 +2,5 @@
 NIFI_TOOLKIT_VERSION="1.24.0"
 NIFI_CERTIFICATE_TIME_VAILIDITY_IN_DAYS=730
 NIFI_SUBJ_LINE_CERTIFICATE_CN="CN=cogstack,OU=NIFI,C=UK,ST=UK,L=UK,O=cogstack"
-NIFI_KEY_PASSWORD=cogstackNifi
+NIFI_KEY_PASSWORD=cogstackNifi
+NIFI_SUBJ_ALT_NAMES="test[1-6].cogstack.net"
diff --git a/security/create_root_ca_cert.sh b/security/create_root_ca_cert.sh
@@ -28,6 +28,13 @@ else
     ROOT_CERTIFICATE_SUBJ_LINE=${ROOT_CERTIFICATE_SUBJ_LINE}
 fi
 
+if [[ -z "${ROOT_CERTIFICATE_SUBJ_ALT_NAMES}" ]]; then
+    ROOT_CERTIFICATE_SUBJ_ALT_NAMES="subjectAltName=DNS:cogstack-net.test"
+    echo "ROOT_CERTIFICATE_SUBJ_ALT_NAMES not set, defaulting to ROOT_CERTIFICATE_SUBJ_ALT_NAMES=subjectAltName=DNS:cogstack-net.test"
+else
+    ROOT_CERTIFICATE_SUBJ_ALT_NAMES=${ROOT_CERTIFICATE_SUBJ_ALT_NAMES}
+fi
+
 if [[ -z "${ROOT_CERTIFICATE_ALIAS_NAME}" ]]; then
     ROOT_CERTIFICATE_ALIAS_NAME=$ROOT_CERTIFICATE_NAME
     echo "ROOT_CERTIFICATE_ALIAS_NAME not set, defaulting to ROOT_CERTIFICATE_ALIAS_NAME=$ROOT_CERTIFICATE_NAME"
@@ -56,7 +63,7 @@ echo "Generating root CA key"
 openssl genrsa -out $CA_ROOT_KEY $ROOT_CERTIFICATE_KEY_SIZE
 
 echo "Generating root CA cert"
-openssl req -x509 -new -key $CA_ROOT_KEY -sha256 -out $CA_ROOT_CERT -days $ROOT_CERTIFICATE_TIME_VAILIDITY_IN_DAYS -subj $ROOT_CERTIFICATE_SUBJ_LINE
+openssl req -x509 -new -key $CA_ROOT_KEY -sha256 -out $CA_ROOT_CERT -days $ROOT_CERTIFICATE_TIME_VAILIDITY_IN_DAYS -subj $ROOT_CERTIFICATE_SUBJ_LINE -addext $ROOT_CERTIFICATE_SUBJ_ALT_NAMES 
 
 # create p12 version manually
 echo "Generation pkcs12 keystore"

diff --git a/security/nifi_toolkit_security.sh b/security/nifi_toolkit_security.sh
@@ -52,6 +52,16 @@ else
 fi
 
 
+if [[ -z "${NIFI_SUBJ_ALT_NAMES}" ]]; then
+    NIFI_SUBJ_ALT_NAMES="test[1-6].cogstack.net"
+    echo "NIFI_SUBJ_ALT_NAMES not set, defaulting to NIFI_SUBJ_ALT_NAMES=test[1-6].cogstack.net"
+else
+    NIFI_SUBJ_ALT_NAMES=${NIFI_SUBJ_ALT_NAMES}
+fi
+
+
+
+
 # IMPRTANT: this is used in StandardSSLContextService controllers on the NiFi side, trusted keystore password field.
 if [[ -z "${NIFI_KEY_PASSWORD}" ]]; then
     NIFI_KEY_PASSWORD="cogstackNifi"
@@ -72,7 +82,7 @@ export JAVA_OPTS="-Xmx2048m -Xms2048m"
 
 for win_os in ${windows_unames[@]}; do
     if [[ $win_os == *"$os_name"* ]]; then
-        ./nifi_toolkit/bin/tls-toolkit.bat standalone -k $KEY_SIZE -n $HOSTNAMES -o $OUTPUT_DIRECTORY -O -f $PATH_TO_NIFI_PROPERTIES_FILE -d $NIFI_CERTIFICATE_TIME_VAILIDITY_IN_DAYS -C $NIFI_SUBJ_LINE_CERTIFICATE_CN -K $NIFI_KEY_PASSWORD
+        ./nifi_toolkit/bin/tls-toolkit.bat standalone -k $KEY_SIZE -n $HOSTNAMES -o $OUTPUT_DIRECTORY -O -f $PATH_TO_NIFI_PROPERTIES_FILE -d $NIFI_CERTIFICATE_TIME_VAILIDITY_IN_DAYS -C $NIFI_SUBJ_LINE_CERTIFICATE_CN -K $NIFI_KEY_PASSWORD --subjectAlternativeNames $NIFI_SUBJ_ALT_NAMES
         is_os_windows=1
     fi
 done