diff --git a/README.md b/README.md index aafca84..47700bf 100644 --- a/README.md +++ b/README.md 
@@ -4,31 +4,41 @@ This script generates x509 server certificate (with all IPs in SAN) signed by a self-signed CA. ## Purpose - - This script will always produce a self-signed x509 certificate in the - current path with the IP addresses embedded to x509's SAN. - It will also produce a CA certificate and can be used by other services - which may need to authenticate against this self-signed certificate. - The authentication works in a way that a public CA certificate will be - used by the client in order to validate the server's certificate. + +This script will always produce a self-signed x509 certificate with the IP +addresses embedded to x509's SAN. + +It will also produce a CA certificate and can be used by other services +which may need to authenticate against this self-signed certificate. + +The authentication works in a way that a public CA certificate will be +used by the client in order to validate the server's certificate. ## Application + ### Backend requiring x509 running behind reverse proxy - - This script has been created in order to ease the Minio's SSE-C - (Server Side Encryption - Customer provided keys) enablement when - Minio server is running as a backend behind a reverse proxy like Traefik. - Minio server enables SSE-C only when it detects the x509 certificates. - Traefik running with docker service provider talks to the backend using - the IP. The IP usually is not static, hence this script comes handy. + +This script has been created in order to ease the Minio's SSE-C +(Server Side Encryption - Customer provided keys) enablement when +Minio server is running as a backend behind a reverse proxy like Traefik. + +Minio server enables SSE-C only when it detects the x509 certificates. + +Traefik running with docker service provider talks to the backend using +the IP. + +Usually, the IP address is not static, hence this script comes handy. ## Example usage + ### Minio server with Traefik example - 1. 
Replace ``minio server`` command with the following one: - ``cd /root/.minio/certs && ./gencert.sh --cn minio.example.com && minio server /data`` - 2. Copy the CA certificate ``ca.crt`` file to ``/usr/local/share/ca-certificates/`` and - run ``update-ca-certificates`` command which will update - ``/etc/ssl/certs/ca-certificates.crt`` file; - 3. Restart Traefik. +1. Replace ``minio server`` command with the following one: + ``cd /root/.minio/certs && ./gencert.sh --cn minio.example.com && minio server /data`` +2. Copy the CA certificate ``ca.crt`` file to ``/usr/local/share/ca-certificates/`` and + run ``update-ca-certificates`` command which will update + ``/etc/ssl/certs/ca-certificates.crt`` file; +3. Restart Traefik. > With the Step 1. Minio server will get the certificate it needs, hence SSE-C > will be enabled. @@ -46,16 +56,18 @@ self-signed CA. > https://golang.org/src/crypto/x509/root_linux.go ## Script logic - - generate CA certificate if does not find any - - always generate server certificate on startup to ensure all IP addresses - are in x509 SAN - - warn if the CA certificate is about to expire (<30 days till expiration) - - regenerate the CA certificate if it finds it has expired + +- generate CA certificate if does not find any +- always generate server certificate on startup to ensure all IP addresses + are in x509 SAN +- warn if the CA certificate is about to expire (<30 days till expiration) +- regenerate the CA certificate if it finds it has expired ## Notes - - The CA certificate will be valid for 3650 days (10 years) - - The server certifcate will be valid for 365 days (1 year) - - The x509 certs are ECDSA with prime256v1 curve and SHA256 signatures + +- The CA certificate will be valid for 3650 days (10 years) +- The server certifcate will be valid for 365 days (1 year) +- The x509 certs are ECDSA with prime256v1 curve and SHA256 signatures ## Testing
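Review bot: The rewritten Purpose paragraph in the first hunk (`@@ -4,31 +4,41 @@`) still says the script "will always produce a self-signed x509 certificate with the IP addresses embedded", which contradicts the summary line just above it ("server certificate ... signed by a self-signed CA"): only the CA is self-signed, the server certificate is CA-signed, and the distinction matters because a client that trusts `ca.crt` would reject a genuinely self-signed server certificate. Suggest `+This script will always produce a server x509 certificate, signed by the local CA, with the IP` / `+addresses embedded in the certificate's SAN.` ("embedded to x509's SAN" is also ungrammatical). In the Example usage steps, step 1 writes the files under `/root/.minio/certs/` but step 2 copies `ca.crt` into `/usr/local/share/ca-certificates/` without saying where it comes from or on which host it runs; since the text states Traefik runs with the docker provider, the steps should say explicitly which host or container each command is executed in, because updating the host trust store does not reach a containerised Traefik, and the "Restart Traefik" step only helps if the restarted process reads the updated `/etc/ssl/certs/ca-certificates.crt`.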
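Review bot: The "regenerate the CA certificate if it finds it has expired" item in the Script logic list of the second hunk (`@@ -46,16 +56,18 @@`) silently breaks the trust set up in step 2 of the example: once a new `ca.crt` is written, every client that imported the old CA fails to validate the server certificate until `update-ca-certificates` is re-run and Traefik is restarted, and the only signal is the "<30 days" warning on a startup log line that is easy to miss. Either document that CA rotation requires repeating steps 2 and 3, or make automatic regeneration opt-in. Related, under Notes: the server certificate is valid for 365 days but is only regenerated "on startup", so a Minio process that stays up for more than a year serves an expired certificate; this should be stated next to the 1-year figure. Typo in the same list: `certifcate` should be `certificate`.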