storj.io/minio@v0.0.0-20230509071714-0cbc90f649b1/docs/tls/README.md

# How to secure access to MinIO server with TLS

This guide explains how to configure MinIO Server with TLS certificates on Linux and Windows platforms.

1. [Install MinIO Server](#install-minio-server)
2. [Use an Existing Key and Certificate with MinIO](#use-an-existing-key-and-certificate-with-minio)
3. [Generate and use Self-signed Keys and Certificates with MinIO](#generate-use-self-signed-keys-certificates)
4. [Install Certificates from Third-party CAs](#install-certificates-from-third-party-cas)

## <a name="install-minio-server"></a>1. Install MinIO Server

Install MinIO Server using the instructions in the [MinIO Quickstart Guide](http://docs.min.io/docs/minio-quickstart-guide).

## <a name="use-an-existing-key-and-certificate-with-minio"></a>2. Use an Existing Key and Certificate with MinIO

This section describes how to use a private key and public certificate that have been obtained from a certificate authority (CA). If these files have not been obtained, skip to [3. Generate Self-signed Certificates](#generate-use-self-signed-keys-certificates) or generate them with [Let's Encrypt](https://letsencrypt.org) using these instructions: [Generate Let's Encrypt certificate using Certbot for MinIO](https://docs.min.io/docs/generate-let-s-encypt-certificate-using-concert-for-minio.html).

Copy the existing private key and public certificate to the `certs` directory. The default `certs` directory is:

* **Linux:** `${HOME}/.minio/certs`
* **Windows:** `%USERPROFILE%\.minio\certs`

**Note:**

* The location of a custom `certs` directory can be specified with the `--certs-dir` command line option.
* Inside the `certs` directory, the private key must be named `private.key` and the public certificate must be named `public.crt`.
* For a CA-signed certificate, `public.crt` holds the server certificate (the issued identity: name, expiry, public key) followed by any intermediate CA certificates. The root CA certificate is not included.

## <a name="generate-use-self-signed-keys-certificates"></a>3. Generate and use Self-signed Keys and Certificates with MinIO

This section describes how to generate a self-signed certificate using various tools:

* 3.1 [Use generate_cert.go to Generate a Certificate](#using-go)
* 3.2 [Use OpenSSL to Generate a Certificate](#using-open-ssl) (including certificates with an IP address in the SAN list)
* 3.3 [Use GnuTLS (for Windows) to Generate a Certificate](#using-gnu-tls)

**Note:**

* MinIO only supports keys and certificates in PEM format on Linux and Windows.
* MinIO doesn't currently support PFX certificates.

### <a name="using-go"></a>3.1 Use generate_cert.go to Generate a Certificate

Download [`generate_cert.go`](https://golang.org/src/crypto/tls/generate_cert.go?m=text).

`generate_cert.go` is a simple *Go* tool to generate self-signed certificates, and provides SAN certificates with DNS and IP entries:

```sh
go run generate_cert.go -ca --host "10.10.0.3"
```

A response similar to this one should be displayed:

```
2018/11/21 10:16:18 wrote cert.pem
2018/11/21 10:16:18 wrote key.pem
```

Rename `cert.pem` to `public.crt` and `key.pem` to `private.key`.

### <a name="using-open-ssl"></a>3.2 Use OpenSSL to Generate a Certificate

Use one of the following methods to generate a certificate using `openssl`:

* 3.2.1 [Generate a private key with ECDSA](#generate-private-key-with-ecdsa)
* 3.2.2 [Generate a private key with RSA](#generate-private-key-with-rsa)
* 3.2.3 [Generate a self-signed certificate](#generate-a-self-signed-certificate)

#### <a name="generate-private-key-with-ecdsa"></a>3.2.1 Generate a private key with ECDSA

Use the following command to generate a private key with ECDSA:

```sh
openssl ecparam -genkey -name prime256v1 | openssl ec -out private.key
```

A response similar to this one should be displayed:

```
read EC key
writing EC key
```

Alternatively, use the following command to generate a private ECDSA key protected by a password:

```sh
openssl ecparam -genkey -name prime256v1 | openssl ec -aes256 -out private.key -passout pass:PASSWORD
```

**Note:** NIST curves P-384 and P-521 are not currently supported.

#### <a name="generate-private-key-with-rsa"></a>3.2.2 Generate a private key with RSA

Use the following command to generate a private key with RSA:

```sh
openssl genrsa -out private.key 2048
```

A response similar to this one should be displayed:

```
Generating RSA private key, 2048 bit long modulus
............................................+++
...........+++
e is 65537 (0x10001)
```

Alternatively, use the following command to generate a private RSA key protected by a password:

```sh
openssl genrsa -aes256 -passout pass:PASSWORD -out private.key 2048
```

**Note:** When using a password-protected private key, the password must be provided through the environment variable `MINIO_CERT_PASSWD` using the following command:

```sh
export MINIO_CERT_PASSWD=<PASSWORD>
```

The default OpenSSL format for encrypted private keys is PKCS-8, but MinIO only supports PKCS-1. An RSA key that has been written in PKCS-8 form can be converted to PKCS-1 using the following command:

```sh
openssl rsa -in private-pkcs8-key.key -aes256 -passout pass:PASSWORD -out private.key
```

#### <a name="generate-a-self-signed-certificate"></a>3.2.3 Generate a self-signed certificate

Create a file named `openssl.conf` with the content below. Set `IP.1` and/or `DNS.1` to the IP address and/or DNS name clients will use to reach the server:

```
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = VA
L = Somewhere
O = MyOrg
OU = MyOU
CN = MyServerName

[v3_req]
subjectAltName = @alt_names

[alt_names]
IP.1 = 127.0.0.1
DNS.1 = localhost
```

Run `openssl` with the configuration file, and enter the key's passphrase if prompted:

```sh
openssl req -new -x509 -nodes -days 730 -key private.key -out public.crt -config openssl.conf
```

### <a name="using-gnu-tls"></a>3.3 Use GnuTLS (for Windows) to Generate a Certificate

This section describes how to use GnuTLS on Windows to generate a certificate.

#### 3.3.1 Install and configure GnuTLS

Download and decompress the Windows version of GnuTLS from [here](http://www.gnutls.org/download.html).

Add the path of the extracted GnuTLS binaries to the system path:

```
setx path "%path%;C:\Users\MyUser\Downloads\gnutls-3.4.9-w64\bin"
```

**Note:** `%path%` is expanded by cmd.exe, not by PowerShell; from a PowerShell prompt use `"$env:Path;C:\...\bin"` as the value instead. The shell may need to be restarted for this change to take effect.

#### 3.3.2 Generate a private key

Run the following command to generate a private `.key` file:

```
certtool.exe --generate-privkey --outfile private.key
```

A response similar to this one should be displayed:

```
Generating a 3072 bit RSA private key...
```

#### 3.3.3 Generate a public certificate

Create a file called `cert.cnf` with the content below. This file contains all of the information necessary to generate a certificate using `certtool.exe`:

```
# X.509 Certificate options
#
# DN options

# The organization of the subject.
organization = "Example Inc."

# The organizational unit of the subject.
#unit = "sleeping dept."

# The state of the certificate owner.
state = "Example"

# The country of the subject. Two letter code.
country = "EX"

# The common name of the certificate owner.
cn = "Sally Certowner"

# In how many days, counting from today, this certificate will expire.
expiration_days = 365

# X.509 v3 extensions

# DNS name(s) of the server
dns_name = "localhost"

# (Optional) Server IP address
ip_address = "127.0.0.1"

# Whether this certificate will be used for a TLS server
tls_www_server
```

Run `certtool.exe` and specify the configuration file to generate a certificate:

```
certtool.exe --generate-self-signed --load-privkey private.key --template cert.cnf --outfile public.crt
```

## <a name="install-certificates-from-third-party-cas"></a>4. Install Certificates from Third-party CAs

MinIO can connect to other servers, including MinIO nodes or other server types such as NATS and Redis. If these servers use certificates that were not issued by a CA MinIO already trusts, add trust for these certificates to MinIO Server by placing them (or their issuing CA certificate) under one of the following MinIO configuration paths:

* **Linux:** `~/.minio/certs/CAs/`
* **Windows:** `C:\Users\<Username>\.minio\certs\CAs`

# Explore Further

* [TLS Configuration for MinIO server on Kubernetes](https://github.com/minio/minio/tree/master/docs/tls/kubernetes)
* [MinIO Client Complete Guide](https://docs.min.io/docs/minio-client-complete-guide)
* [Generate Let's Encrypt Certificate](https://docs.min.io/docs/generate-let-s-encypt-certificate-using-concert-for-minio)
* [Setup nginx Proxy with MinIO Server](https://docs.min.io/docs/setup-nginx-proxy-with-minio)
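The following Go program is an added example, not part of this README or of MinIO's code. It ties the sections above together: it generates a self-signed SAN certificate with DNS and IP entries the way `generate_cert.go -ca --host ...` does (section 3.1) and writes it straight to `certs/public.crt` and `certs/private.key` (section 2); it then checks that layout the way an operator would before starting the server (both files present, key matches certificate, key not in PKCS-8 form per the note in 3.2.2, encrypted key only with `MINIO_CERT_PASSWD` set, ECDSA curve is P-256 per the note in 3.2.1, certificate within its validity period); and finally it builds a trust pool from every `*.crt` under `certs/CAs/` and verifies a peer certificate against it for a given host name, which is the trust relationship section 4 sets up. The function names `WriteSelfSigned`, `KeyFormat`, `CheckCertsDir` and `VerifyWithCAs`, the `MyOrg`/`MyServerName` subject and the temporary directory are all this example's own assumptions; the P-256 and PKCS-1 restrictions are taken from the notes above and may not apply to newer MinIO releases.

```go
// Added example (not MinIO's code): generate, lay out, check and trust a
// MinIO TLS certificate the way docs/tls/README.md describes.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// WriteSelfSigned creates an ECDSA P-256 key and a self-signed CA certificate whose
// SAN list holds every host (DNS names and IP addresses), writing <dir>/public.crt
// and <dir>/private.key as MinIO expects. It returns the certificate PEM.
func WriteSelfSigned(dir string, hosts []string, validFor time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{Organization: []string{"MyOrg"}, CommonName: "MyServerName"}, // assumed subject
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(validFor),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // like `generate_cert.go -ca`: the same file can be dropped into certs/CAs/
	}
	for _, h := range hosts { // split hosts into IP and DNS SAN entries
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, h)
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key) // SEC1 "EC PRIVATE KEY", the form `openssl ec` writes
	if err != nil {
		return nil, err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return nil, err
	}
	if err := os.WriteFile(filepath.Join(dir, "public.crt"), certPEM, 0o644); err != nil {
		return nil, err
	}
	return certPEM, os.WriteFile(filepath.Join(dir, "private.key"), keyPEM, 0o600)
}

// KeyFormat names the private-key encoding from its PEM block type and reports
// whether the PEM is password-protected (legacy "Proc-Type: 4,ENCRYPTED" header).
func KeyFormat(keyPEM []byte) (format string, encrypted bool, err error) {
	block, _ := pem.Decode(keyPEM)
	if block == nil {
		return "", false, errors.New("private.key is not PEM")
	}
	encrypted = strings.Contains(block.Headers["Proc-Type"], "ENCRYPTED")
	switch block.Type {
	case "RSA PRIVATE KEY":
		return "PKCS-1", encrypted, nil
	case "EC PRIVATE KEY":
		return "SEC1", encrypted, nil
	case "PRIVATE KEY":
		return "PKCS-8", false, nil
	case "ENCRYPTED PRIVATE KEY":
		return "PKCS-8", true, nil
	}
	return "", false, fmt.Errorf("unexpected PEM block %q in private.key", block.Type)
}

// CheckCertsDir applies the README's rules to a certs directory before MinIO is started.
func CheckCertsDir(dir string) error {
	certPath, keyPath := filepath.Join(dir, "public.crt"), filepath.Join(dir, "private.key")
	keyPEM, err := os.ReadFile(keyPath)
	if err != nil {
		return err
	}
	format, encrypted, err := KeyFormat(keyPEM)
	if err != nil {
		return err
	}
	if format == "PKCS-8" {
		return errors.New("private.key is PKCS-8; convert it with `openssl rsa` / `openssl ec` (see 3.2.2)")
	}
	if encrypted && os.Getenv("MINIO_CERT_PASSWD") == "" {
		return errors.New("private.key is password-protected but MINIO_CERT_PASSWD is not set")
	}
	pair, err := tls.LoadX509KeyPair(certPath, keyPath) // fails if the key does not match public.crt
	if err != nil {
		return err
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0]) // first PEM block must be the server certificate
	if err != nil {
		return err
	}
	if pub, ok := leaf.PublicKey.(*ecdsa.PublicKey); ok && pub.Curve != elliptic.P256() {
		return fmt.Errorf("ECDSA curve %s is not supported per 3.2.1 (use prime256v1)", pub.Curve.Params().Name)
	}
	if now := time.Now(); now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return fmt.Errorf("public.crt is not valid now (valid %s to %s)", leaf.NotBefore, leaf.NotAfter)
	}
	return nil
}

// VerifyWithCAs trusts every *.crt under casDir (section 4) and checks that certPEM
// chains to one of them and is valid for host (a DNS name or IP address).
func VerifyWithCAs(casDir string, certPEM []byte, host string) error {
	pool := x509.NewCertPool()
	files, _ := filepath.Glob(filepath.Join(casDir, "*.crt"))
	for _, f := range files {
		if b, err := os.ReadFile(f); err == nil {
			pool.AppendCertsFromPEM(b)
		}
	}
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return errors.New("peer certificate is not PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

func main() {
	certs := filepath.Join(os.TempDir(), "minio-tls-example", "certs") // assumed scratch location
	certPEM, err := WriteSelfSigned(certs, []string{"localhost", "10.10.0.3"}, 730*24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("certs dir check:", CheckCertsDir(certs))
	os.MkdirAll(filepath.Join(certs, "CAs"), 0o700)
	os.WriteFile(filepath.Join(certs, "CAs", "node.crt"), certPEM, 0o644)
	fmt.Println("trusted for localhost:", VerifyWithCAs(filepath.Join(certs, "CAs"), certPEM, "localhost"))
	fmt.Println("trusted for example.com:", VerifyWithCAs(filepath.Join(certs, "CAs"), certPEM, "example.com"))
}
```

Running it prints `<nil>` for the layout check and for the `localhost` verification, and a hostname-mismatch error for `example.com`, which is the behaviour a MinIO node talking to a peer over TLS would see: trust comes from `certs/CAs/`, but the peer's certificate must still name the address actually dialled.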