updates
This commit is contained in:
parent
d526928348
commit
0eb56966a0
20
README.md
@ -4,23 +4,33 @@ This script generates x509 server certificate (with all IPs in SAN) signed by a

| Old | New |
|---|---|
| self-signed CA. | self-signed CA. |
| | |
| ## Purpose | ## Purpose |
| - This script will always produce a self-signed x509 certificate in the | |
| current path with the IP addresses embedded to x509's SAN. | This script will always produce a self-signed x509 certificate with the IP |
| | addresses embedded to x509's SAN. |
| | |
| It will also produce a CA certificate and can be used by other services | It will also produce a CA certificate and can be used by other services |
| which may need to authenticate against this self-signed certificate. | which may need to authenticate against this self-signed certificate. |
| | |
| The authentication works in a way that a public CA certificate will be | The authentication works in a way that a public CA certificate will be |
| used by the client in order to validate the server's certificate. | used by the client in order to validate the server's certificate. |
| | |
| ## Application | ## Application |
| | |
| ### Backend requiring x509 running behind reverse proxy | ### Backend requiring x509 running behind reverse proxy |
| - This script has been created in order to ease the Minio's SSE-C | |
| | This script has been created in order to ease the Minio's SSE-C |
| (Server Side Encryption - Customer provided keys) enablement when | (Server Side Encryption - Customer provided keys) enablement when |
| Minio server is running as a backend behind a reverse proxy like Traefik. | Minio server is running as a backend behind a reverse proxy like Traefik. |
| | |
| Minio server enables SSE-C only when it detects the x509 certificates. | Minio server enables SSE-C only when it detects the x509 certificates. |
| | |
| Traefik running with docker service provider talks to the backend using | Traefik running with docker service provider talks to the backend using |
| the IP. The IP usually is not static, hence this script comes handy. | the IP. |
| | |
| | Usually, the IP address is not static, hence this script comes handy. |
| | |
| ## Example usage | ## Example usage |
| | |
| ### Minio server with Traefik example | ### Minio server with Traefik example |
| | |
| 1. Replace ``minio server`` command with the following one: | 1. Replace ``minio server`` command with the following one: |
@ -46,6 +56,7 @@ self-signed CA.

| Old | New |
|---|---|
| > https://golang.org/src/crypto/x509/root_linux.go | > https://golang.org/src/crypto/x509/root_linux.go |
| | |
| ## Script logic | ## Script logic |
| | |
| - generate CA certificate if does not find any | - generate CA certificate if does not find any |
| - always generate server certificate on startup to ensure all IP addresses | - always generate server certificate on startup to ensure all IP addresses |
| are in x509 SAN | are in x509 SAN |
@ -53,6 +64,7 @@ self-signed CA.

| Old | New |
|---|---|
| - regenerate the CA certificate if it finds it has expired | - regenerate the CA certificate if it finds it has expired |
| | |
| ## Notes | ## Notes |
| | |
| - The CA certificate will be valid for 3650 days (10 years) | - The CA certificate will be valid for 3650 days (10 years) |
| - The server certifcate will be valid for 365 days (1 year) | - The server certifcate will be valid for 365 days (1 year) |
| - The x509 certs are ECDSA with prime256v1 curve and SHA256 signatures | - The x509 certs are ECDSA with prime256v1 curve and SHA256 signatures |
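Review bot: typo in "The server certifcate" (should be "certificate"). The Notes list the validity periods, but combined with the preceding bullet ("regenerate the CA certificate if it finds it has expired") the consequence for clients is left unstated: when the CA certificate is regenerated, every client that trusts the old CA certificate must receive the new one or validation of the new server certificate fails. One sentence saying so belongs in this section. Consistent spelling of "x509" across the bullets and headings would also help.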