Hi Anushree,

Trying to answer the first part of the question:

*Server Name Indication (SNI)* is an extension to the Transport Layer Security (TLS) networking protocol for a client to indicate to the server which site it wishes to talk to. To put it simply, SNI is used at the start of the secure connection handshake between client and server. The client sends a Host header in the request to *indicate* what site it is requesting and the server goes looking for its certificate for that *server name*.

While a server certificate is sent back as a security layer, a client can validate the certificate sent and decide whether the hostname in the certificate matches the exact CN; alternatively, you can specify the SAN that works.

The *SAN (Subject Alternative Name)* is an extension of the X.509 specification that allows multiple domain names to be protected under a single SSL certificate. When requesting an SSL certificate from a Certificate Authority (CA), ensure that you select a *Multi-domain (SAN) SSL Certificate* option. This type of certificate allows you to secure multiple domains or subdomains using a single SSL certificate -- this can help with your infrastructure ask.

About how to generate the certificates: *NiFi Toolkit (2.2.0) no longer includes tls-toolkit.sh*, which was previously used for certificate generation. You can always use free tools like *KeyStore Explorer (with a UI), or use the openssl tools with keytool that is packaged in the JDK itself.*

Regards,
Utkarsh Srivastava

On Thu, Jan 30, 2025 at 5:51 AM Anushree Shah <anushreems...@gmail.com> wrote:

> *Dear Apache NiFi Support Team,*
>
> I am trying to set up Apache NiFi on a *Linux server using Docker*, but I
> am encountering an *"Invalid SNI" error* when attempting to access it.
>
> From my research, I understand that the issue is likely due to the *hostname
> used in the TLS certificates*, and the resolution would involve generating
> certificates with the *server’s hostname*. However, I am facing
> difficulties because the latest version of the *NiFi Toolkit (2.2.0) no
> longer includes tls-toolkit.sh*, which was previously used for certificate
> generation. The new CLI structure does not seem to provide a
> straightforward way to generate the necessary certificates for my setup.
>
> *I would appreciate your guidance on the following:*
>
> 1. *Certificate Generation:* What is the recommended approach for
>    generating TLS certificates for a *Docker-based NiFi setup* on a Linux
>    server, given that tls-toolkit.sh is no longer available?
> 2. *NiFi Setup Across the Organization:* I aim to have *NiFi running
>    across the organization* for *validating data pipelines*. Could you
>    provide best practices or recommended steps for setting up NiFi in
>    an *enterprise environment* to ensure scalability, security, and ease
>    of integration?
>
> Any documentation, examples, or guidance would be highly appreciated.
>
> Thank you for your time and support.
>
> *Best regards,*
> Anushree Shah
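
An added example, not part of the original thread: one way to follow the openssl-plus-keytool suggestion in the reply above and produce a certificate whose SAN covers the name clients use to reach NiFi. The hostname, IP address, file names, aliases and password are placeholders, and the certificate is self-signed (for a CA-issued one, submit a CSR carrying the same SAN entries instead).

```shell
#!/usr/bin/env bash
# Added example: self-signed server certificate with SAN entries for NiFi.
# Host, IP, output file names, aliases and password are placeholders (assumptions).
# Requires OpenSSL 1.1.1+ for -addext; keytool ships with the JDK.

# make_nifi_cert HOST IP OUTDIR PASSWORD
make_nifi_cert() {
  host="$1"; ip="$2"; out="$3"; pass="$4"
  mkdir -p "$out" || return 1

  # Key + self-signed cert; the SAN lists every name clients will connect with.
  openssl req -x509 -newkey rsa:3072 -nodes -sha256 -days 365 \
    -subj "/CN=${host}" \
    -addext "subjectAltName=DNS:${host},IP:${ip}" \
    -keyout "$out/nifi-key.pem" -out "$out/nifi-cert.pem" 2>/dev/null || return 1
  chmod 600 "$out/nifi-key.pem"

  # PKCS12 keystore holding the private key and its certificate.
  openssl pkcs12 -export -name nifi-key \
    -inkey "$out/nifi-key.pem" -in "$out/nifi-cert.pem" \
    -out "$out/keystore.p12" -passout "pass:${pass}" || return 1

  # PKCS12 truststore with the certificate as a trusted entry (skipped without a JDK).
  if command -v keytool >/dev/null 2>&1; then
    keytool -importcert -noprompt -alias nifi-cert \
      -file "$out/nifi-cert.pem" -keystore "$out/truststore.p12" \
      -storetype PKCS12 -storepass "$pass" >/dev/null 2>&1 || return 1
  fi
}

# cert_matches_host CERT NAME: exit status 0 only if the certificate covers NAME.
# Run this against the exact hostname used in the browser URL before deploying.
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 | grep -q "does match"
}

# Usage (placeholder values):
#   make_nifi_cert nifi.example.internal 192.0.2.10 ./certs 'changeit-example'
#   cert_matches_host ./certs/nifi-cert.pem nifi.example.internal && echo "SAN ok"
```

Point `nifi.security.keystore` and `nifi.security.truststore` in `nifi.properties` at the two `.p12` files, with the store type set to PKCS12.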