updates

README.md

@@ -4,31 +4,41 @@ This script generates x509 server certificate (with all IPs in SAN) signed by a
 self-signed CA.
 
 ## Purpose
-  - This script will always produce a self-signed x509 certificate in the
+
-    current path with the IP addresses embedded to x509's SAN.
+This script will always produce a self-signed x509 certificate with the IP
-    It will also produce a CA certificate and can be used by other services
+addresses embedded to x509's SAN.
-    which may need to authenticate against this self-signed certificate.
+
-    The authentication works in a way that a public CA certificate will be
+It will also produce a CA certificate and can be used by other services
-    used by the client in order to validate the server's certificate.
+which may need to authenticate against this self-signed certificate.
+
+The authentication works in a way that a public CA certificate will be
+used by the client in order to validate the server's certificate.
 
 ## Application
+
 ### Backend requiring x509 running behind reverse proxy
-  - This script has been created in order to ease the Minio's SSE-C
+
-    (Server Side Encryption - Customer provided keys) enablement when
+This script has been created in order to ease the Minio's SSE-C
-    Minio server is running as a backend behind a reverse proxy like Traefik.
+(Server Side Encryption - Customer provided keys) enablement when
-    Minio server enables SSE-C only when it detects the x509 certificates.
+Minio server is running as a backend behind a reverse proxy like Traefik.
-    Traefik running with docker service provider talks to the backend using
+
-    the IP. The IP usually is not static, hence this script comes handy.
+Minio server enables SSE-C only when it detects the x509 certificates.
+
+Traefik running with docker service provider talks to the backend using
+the IP.
+
+Usually, the IP address is not static, hence this script comes handy.
 
 ## Example usage
+
 ### Minio server with Traefik example
 
-  1. Replace ``minio server`` command with the following one:  
+1. Replace ``minio server`` command with the following one:  
-     ``cd /root/.minio/certs && ./gencert.sh --cn minio.example.com && minio server /data``
+   ``cd /root/.minio/certs && ./gencert.sh --cn minio.example.com && minio server /data``
-  2. Copy the CA certificate ``ca.crt`` file to ``/usr/local/share/ca-certificates/`` and
+2. Copy the CA certificate ``ca.crt`` file to ``/usr/local/share/ca-certificates/`` and
-     run ``update-ca-certificates`` command which will update
+   run ``update-ca-certificates`` command which will update
-     ``/etc/ssl/certs/ca-certificates.crt`` file;
+   ``/etc/ssl/certs/ca-certificates.crt`` file;
-  3. Restart Traefik.
+3. Restart Traefik.
 
 > With the Step 1. Minio server will get the certificate it needs, hence SSE-C
 > will be enabled.
@@ -46,16 +56,18 @@ self-signed CA.
 > https://golang.org/src/crypto/x509/root_linux.go
 
 ## Script logic
-  - generate CA certificate if does not find any
+
-  - always generate server certificate on startup to ensure all IP addresses
+- generate CA certificate if does not find any
-    are in x509 SAN
+- always generate server certificate on startup to ensure all IP addresses
-  - warn if the CA certificate is about to expire (<30 days till expiration)
+  are in x509 SAN
-  - regenerate the CA certificate if it finds it has expired
+- warn if the CA certificate is about to expire (<30 days till expiration)
+- regenerate the CA certificate if it finds it has expired
 
 ## Notes
-  - The CA certificate will be valid for 3650 days (10 years)
+
-  - The server certifcate will be valid for 365 days (1 year)
+- The CA certificate will be valid for 3650 days (10 years)
-  - The x509 certs are ECDSA with prime256v1 curve and SHA256 signatures
+- The server certifcate will be valid for 365 days (1 year)
+- The x509 certs are ECDSA with prime256v1 curve and SHA256 signatures
 
 ## Testing