update
parent 5fd26378ef
commit 734c1b3938
49 README.md
@ -1,3 +1,50 @@
# gencert

generates self-signed x509 with CA and IPs in SAN
## Purpose
- This script will always produce a self-signed x509 certificate in the
current path with the IP addresses embedded to x509's SAN.
It will also produce a CA certificate and can be used by other services
which may need to authenticate against this self-signed certificate.
The authentication works in a way that a public CA certificate will be
used by the client in order to validate the server's certificate.

## Application
Backend requiring x509 running behind reverse proxy
- This script has been created in order to ease the Minio's SSE-C
(Server Side Encryption - Customer provided keys) enablement when
Minio server is running as a backend behind a reverse proxy like Traefik.
Minio server enables SSE-C only when it detects the x509 certificates.
Traefik running with docker service provider talks to the backend using
the IP. The IP usually is not static, hence this script comes handy.

## Example usage
### Minio server with Traefik example

1. Replace "minio server" command with the following one:
- "cd /root/.minio/certs && ./gencert.sh --cn minio.example.com && minio server"
2. Copy the CA certificate "ca.crt" file to "/usr/local/share/ca-certificates/" and
run "update-ca-certificates" command which will update
"/etc/ssl/certs/ca-certificates.crt" file.
3. Restart Traefik.

> NOTE: Steps 2. and 3. will need to be repeated each time you get a new CA
> certificate. Then they can be automated this way:
> - Start Traefik with this command:
> sh -c "update-ca-certificates && traefik"
> while "/usr/local/share/ca-certificates" path is a host mounted
> path with the CA certificate produced by this script.
> NOTE: I am using Alpine Traefik image, the correct ca certificates path is
> "/usr/local/share/ca-certificates/", otherwise one of these
> https://golang.org/src/crypto/x509/root_linux.go

## Script logic
- generate CA cert if does not find any.
- always generate server cert on startup to ensure all IP addresses are in
x509 SAN.
- warn if the CA cert about to expire (<30 days till expiration).
- regenerate the CA cert if it finds it has expired.

## Notes
- The CA cert will be valid for 3650 days (10 years).
- The server cert will be valid for 365 days (1 year).
- The x509 certs are ECDSA with prime256v1 curve and SHA256 signatures.

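Review bot: the Example usage section (step 2 and the NOTE about the host-mounted "/usr/local/share/ca-certificates" path) documents copying "ca.crt" into the Traefik trust store but never names the file the CA private key is written to or states that only the certificate, never the key, belongs in that mounted path; since step 1 runs the script from /root/.minio/certs, a reader could mount that whole directory, so add a sentence naming the key file and saying it stays on the Minio side with restrictive permissions. Related: the Script logic bullet "regenerate the CA cert if it finds it has expired" combined with the NOTE that steps 2 and 3 repeat "each time you get a new CA certificate" means a silently regenerated CA breaks Traefik's validation of the backend until update-ca-certificates runs again, which is worth stating explicitly in the Notes; the missing "it" in "generate CA cert if does not find any" can be fixed in the same pass.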
51 gencert.sh
@ -1,57 +1,10 @@
#!/bin/sh
# Filename: gencert.sh
# Description: generates self-signed x509 with CA and IPs in SAN
# Description: This script generates x509 server certificate (with all IPs in
# SAN) signed by a self-signed CA.
# Version: 0.1 - 30 June 2018
# Author: Andrey Arapov <andrey.arapov@nixaid.com>
# License: GPLv3
#
# Purpose
# - This script will always produce a self-signed x509 certificate in the
# current path with the IP addresses embedded to x509's SAN.
# It will also produce a CA certificate and can be used by other services
# which may need to authenticate against this self-signed certificate.
# The authentication works in a way that a public CA certificate will be
# used by the client in order to validate the server's certificate.
#
# Application
# Backend requiring x509 running behind reverse proxy
# - This script has been created in order to ease the Minio's SSE-C
# (Server Side Encryption - Customer provided keys) enablement when
# Minio server is running as a backend behind a reverse proxy like Traefik.
# Minio server enables SSE-C only when it detects the x509 certificates.
# Traefik running with docker service provider talks to the backend using
# the IP. The IP usually is not static, hence this script comes handy.
#
# Example usage
# Minio server with Traefik example
# 1. Replace "minio server" command with the following one:
# - "cd /root/.minio/certs && ./gencert.sh --cn minio.example.com && minio server"
# 2. Copy the CA certificate "ca.crt" file to "/usr/local/share/ca-certificates/" and
# run "update-ca-certificates" command which will update
# "/etc/ssl/certs/ca-certificates.crt" file.
# 3. Restart Traefik.
#
# NOTE: Steps 2. and 3. will need to be repeated each time you get a new CA
# certificate. Then they can be automated this way:
# - Start Traefik with this command:
# sh -c "update-ca-certificates && traefik"
# while "/usr/local/share/ca-certificates" path is a host mounted
# path with the CA certificate produced by this script.
# NOTE: I am using Alpine Traefik image, the correct ca certificates path is
# "/usr/local/share/ca-certificates/", otherwise one of these
# https://golang.org/src/crypto/x509/root_linux.go
#
# Script logic
# - generate CA cert if does not find any.
# - always generate server cert on startup to ensure all IP addresses are in
# x509 SAN.
# - warn if the CA cert about to expire (<30 days till expiration).
# - regenerate the CA cert if it finds it has expired.
#
# Notes
# - The CA cert will be valid for 3650 days (10 years).
# - The server cert will be valid for 365 days (1 year).
# - The x509 certs are ECDSA with prime256v1 curve and SHA256 signatures.

ME=$(printf '%s\n' "${0##*/}")

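Review bot: the header still carries "Version: 0.1 - 30 June 2018" while two "Description:" lines appear in this hunk, so the surviving header should end up with a single Description line and, if the version string is meant to track changes, a bumped version and date for this edit; a one-line pointer to README.md for the Purpose, Application, Script logic and Notes text that leaves the header would keep the script self-describing when it is copied into /root/.minio/certs on its own, including the 3650-day CA and 365-day server validity that an operator reading only the script would otherwise not see. Minor style point on ME=$(printf '%s\n' "${0##*/}"): command substitution strips the trailing newline, so ME=${0##*/} gives the same value without the subshell.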