arno/gencert
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

updates

Browse Source
This commit is contained in:
Andy 2018-06-30 21:40:36 +02:00
parent d526928348
commit 0eb56966a0
Signed by: arno
GPG Key ID: 9076D5E6B31AE99C
1 changed files with 38 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
README.md
View File

@ -4,23 +4,33 @@ This script generates x509 server certificate (with all IPs in SAN) signed by a
self-signed CA. self-signed CA.
## Purpose ## Purpose
- This script will always produce a self-signed x509 certificate in the
current path with the IP addresses embedded to x509's SAN. This script will always produce a self-signed x509 certificate with the IP
addresses embedded to x509's SAN.
It will also produce a CA certificate and can be used by other services It will also produce a CA certificate and can be used by other services
which may need to authenticate against this self-signed certificate. which may need to authenticate against this self-signed certificate.
The authentication works in a way that a public CA certificate will be The authentication works in a way that a public CA certificate will be
used by the client in order to validate the server's certificate. used by the client in order to validate the server's certificate.
## Application ## Application
### Backend requiring x509 running behind reverse proxy ### Backend requiring x509 running behind reverse proxy
- This script has been created in order to ease the Minio's SSE-C
This script has been created in order to ease the Minio's SSE-C
(Server Side Encryption - Customer provided keys) enablement when (Server Side Encryption - Customer provided keys) enablement when
Minio server is running as a backend behind a reverse proxy like Traefik. Minio server is running as a backend behind a reverse proxy like Traefik.
Minio server enables SSE-C only when it detects the x509 certificates. Minio server enables SSE-C only when it detects the x509 certificates.
Traefik running with docker service provider talks to the backend using Traefik running with docker service provider talks to the backend using
the IP. The IP usually is not static, hence this script comes handy. the IP.
Usually, the IP address is not static, hence this script comes handy.
## Example usage ## Example usage
### Minio server with Traefik example ### Minio server with Traefik example
1. Replace ``minio server`` command with the following one: 1. Replace ``minio server`` command with the following one:
@ -46,6 +56,7 @@ self-signed CA.
> https://golang.org/src/crypto/x509/root_linux.go > https://golang.org/src/crypto/x509/root_linux.go
## Script logic ## Script logic
- generate CA certificate if does not find any - generate CA certificate if does not find any
- always generate server certificate on startup to ensure all IP addresses - always generate server certificate on startup to ensure all IP addresses
are in x509 SAN are in x509 SAN
@ -53,6 +64,7 @@ self-signed CA.
- regenerate the CA certificate if it finds it has expired - regenerate the CA certificate if it finds it has expired
## Notes ## Notes
- The CA certificate will be valid for 3650 days (10 years) - The CA certificate will be valid for 3650 days (10 years)
- The server certifcate will be valid for 365 days (1 year) - The server certifcate will be valid for 365 days (1 year)
- The x509 certs are ECDSA with prime256v1 curve and SHA256 signatures - The x509 certs are ECDSA with prime256v1 curve and SHA256 signatures