storj.io/minio@v0.0.0-20230509071714-0cbc90f649b1/docs/tls/README.md

# How to secure access to MinIO server with TLS [![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)

This guide explains how to configure MinIO Server with TLS certificates on Linux and Windows platforms.

1. [Install MinIO Server](#install-minio-server)
2. [Use an Existing Key and Certificate with MinIO](#use-an-existing-key-and-certificate-with-minio)
3. [Generate and use Self-signed Keys and Certificates with MinIO](#generate-use-self-signed-keys-certificates)
4. [Install Certificates from Third-party CAs](#install-certificates-from-third-party-cas)

## <a name="install-minio-server"></a>1. Install MinIO Server

Install MinIO Server using the instructions in the [MinIO Quickstart Guide](http://docs.min.io/docs/minio-quickstart-guide).

## <a name="use-an-existing-key-and-certificate-with-minio"></a>2. Use an Existing Key and Certificate with MinIO

This section describes how to use a private key and public certificate that have been obtained from a certificate authority (CA). If these files have not been obtained, skip to [3. Generate Self-signed Certificates](#generate-use-self-signed-keys-certificates) or generate them with [Let's Encrypt](https://letsencrypt.org) using these instructions: [Generate Let's Encrypt certificate using Certbot for MinIO](https://docs.min.io/docs/generate-let-s-encypt-certificate-using-concert-for-minio.html).

Copy the existing private key and public certificate to the `certs` directory. The default certs directory is:
* **Linux:** `${HOME}/.minio/certs`
* **Windows:** `%USERPROFILE%\.minio\certs`

**Note:**
* A custom certs directory can be specified with the `--certs-dir` command line option.
* Inside the `certs` directory, the private key must be named `private.key` and the public certificate must be named `public.crt`.
* A certificate signed by a CA contains information about the issued identity (e.g. name, expiry, public key) and any intermediate certificates. The root CA is not included.

## <a name="generate-use-self-signed-keys-certificates"></a>3. Generate and use Self-signed Keys and Certificates with MinIO

This section describes how to generate a self-signed certificate using various tools:

* 3.1 [Use generate_cert.go to Generate a Certificate](#using-go)
* 3.2 [Use OpenSSL to Generate a Certificate](#using-open-ssl)
* 3.3 [Use GnuTLS (for Windows) to Generate a Certificate](#using-gnu-tls)

**Note:**
* MinIO only supports keys and certificates in PEM format on Linux and Windows.
* MinIO doesn't currently support PFX certificates.

### <a name="using-go"></a>3.1 Use generate_cert.go to Generate a Certificate

Download [`generate_cert.go`](https://golang.org/src/crypto/tls/generate_cert.go?m=text).

`generate_cert.go` is a simple *Go* tool to generate self-signed certificates, and provides SAN certificates with DNS and IP entries:

```sh
go run generate_cert.go -ca --host "10.10.0.3"
```

A response similar to this one should be displayed:

```
2018/11/21 10:16:18 wrote cert.pem
2018/11/21 10:16:18 wrote key.pem
```

Rename `cert.pem` to `public.crt` and `key.pem` to `private.key`.
    58  
    59  ### <a name="using-open-ssl"></a>3.2 Use OpenSSL to Generate a Certificate
    60  
    61  Use one of the following methods to generate a certificate using `openssl`:
    62  
    63  * 3.2.1 [Generate a private key with ECDSA](#generate-private-key-with-ecdsa) 
    64  * 3.2.2 [Generate a private key with RSA](#generate-private-key-with-rsa)
    65  * 3.2.3 [Generate a self-signed certificate](#generate-a-self-signed-certificate)
    66  
    67  #### 3.2.1 <a name="generate-private-key-with-ecdsa"></a>Generate a private key with ECDSA.
    68  
    69  Use the following command to generate a private key with ECDSA:
    70  
    71  ```sh
    72  openssl ecparam -genkey -name prime256v1 | openssl ec -out private.key
    73  ```
    74  
    75  A response similar to this one should be displayed:
    76  
    77  ```
    78  read EC key
    79  writing EC key
    80  ```
    81  
    82  Alternatively, use the following command to generate a private ECDSA key protected by a password:
    83  
    84  ```sh
    85  openssl ecparam -genkey -name prime256v1 | openssl ec -aes256 -out private.key -passout pass:PASSWORD
    86  ```
    87  
    88  **Note:** NIST curves P-384 and P-521 are not currently supported.
    89  
    90  #### 3.2.2 <a name="generate-private-key-with-rsa"></a>Generate a private key with RSA.
    91  
    92  Use the following command to generate a private key with RSA:
    93  
    94  ```sh
    95  openssl genrsa -out private.key 2048
    96  ```
    97  A response similar to this one should be displayed:
    98  
    99  ```
   100  Generating RSA private key, 2048 bit long modulus
   101  ............................................+++
   102  ...........+++
   103  e is 65537 (0x10001)
   104  ```
   105  
   106  Alternatively, use the following command to generate a private RSA key protected by a password:
   107  
   108  ```sh
   109  openssl genrsa -aes256 -passout pass:PASSWORD -out private.key 2048
   110  ```
   111  
   112  **Note:** When using a password-protected private key, the password must be provided through the environment variable `MINIO_CERT_PASSWD` using the following command:
   113  
   114  ```sh
   115  export MINIO_CERT_PASSWD=<PASSWORD>
   116  ```
   117  
   118  The default OpenSSL format for private encrypted keys is PKCS-8, but MinIO only supports PKCS-1. An RSA key that has been formatted with PKCS-8 can be converted to PKCS-1 using the following command:
   119  
   120  ```sh
   121  openssl rsa -in private-pkcs8-key.key -aes256 -passout pass:PASSWORD -out private.key
   122  ```

#### <a name="generate-a-self-signed-certificate"></a>3.2.3 Generate a self-signed certificate

Create a file named `openssl.conf` with the content below. Set `IP.1` and/or `DNS.1` to the IP address and/or DNS name that clients will use to reach the server:

```ini
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = VA
L = Somewhere
O = MyOrg
OU = MyOU
CN = MyServerName

[v3_req]
subjectAltName = @alt_names

[alt_names]
IP.1 = 127.0.0.1
DNS.1 = localhost
```

Run `openssl` with the configuration file and enter the key's passphrase if prompted:

```sh
openssl req -new -x509 -nodes -days 730 -key private.key -out public.crt -config openssl.conf
```

### <a name="using-gnu-tls"></a>3.3 Use GnuTLS (for Windows) to Generate a Certificate

This section describes how to use GnuTLS on Windows to generate a certificate.

#### 3.3.1 Install and configure GnuTLS.

Download and decompress the Windows version of GnuTLS from [here](http://www.gnutls.org/download.html).

Use PowerShell to add the path of the extracted GnuTLS binary to the system path:

```powershell
# $env:Path is the PowerShell spelling; %path% is cmd.exe syntax and would not be expanded here
setx path "$env:Path;C:\Users\MyUser\Downloads\gnutls-3.4.9-w64\bin"
```

**Note:** PowerShell may need to be restarted for this change to take effect, and `setx` truncates values longer than 1024 characters.

#### 3.3.2 Generate a private key:

Run the following command to generate a private `.key` file:

```
certtool.exe --generate-privkey --outfile private.key
```

A response similar to this one should be displayed:

```
Generating a 3072 bit RSA private key...
```

#### 3.3.3 Generate a public certificate:

Create a file called `cert.cnf` with the content below. This file contains all of the information necessary to generate a certificate using `certtool.exe`:

```
# X.509 Certificate options
#
# DN options

# The organization of the subject.
organization = "Example Inc."

# The organizational unit of the subject.
#unit = "sleeping dept."

# The state of the certificate owner.
state = "Example"

# The country of the subject. Two letter code.
country = "EX"

# The common name of the certificate owner.
cn = "Sally Certowner"

# In how many days, counting from today, this certificate will expire.
expiration_days = 365

# X.509 v3 extensions

# DNS name(s) of the server
dns_name = "localhost"

# (Optional) Server IP address
ip_address = "127.0.0.1"

# Whether this certificate will be used for a TLS server
tls_www_server
```

Run `certtool.exe` and specify the configuration file to generate a certificate:

```
certtool.exe --generate-self-signed --load-privkey private.key --template cert.cnf --outfile public.crt
```

## <a name="install-certificates-from-third-party-cas"></a>4. Install Certificates from Third-party CAs

MinIO can connect to other servers, including other MinIO nodes or services such as NATS and Redis. If these servers use certificates that were not issued by a known CA, add trust for these certificates to MinIO Server by placing them under one of the following MinIO configuration paths:
* **Linux:** `~/.minio/certs/CAs/`
* **Windows:** `C:\Users\<Username>\.minio\certs\CAs`

# Explore Further
* [TLS Configuration for MinIO server on Kubernetes](https://github.com/minio/minio/tree/master/docs/tls/kubernetes)
* [MinIO Client Complete Guide](https://docs.min.io/docs/minio-client-complete-guide)
* [Generate Let's Encrypt Certificate](https://docs.min.io/docs/generate-let-s-encypt-certificate-using-concert-for-minio)
* [Setup nginx Proxy with MinIO Server](https://docs.min.io/docs/setup-nginx-proxy-with-minio)