How to secure access to Minio server with TLS
This document explains how to configure Minio server with TLS certificates on Linux and Windows platforms.
Download Minio server from here
2. Existing certificates
If you have already acquired private keys and public certificates, copy them into the certs directory inside your Minio config directory. By default the config directory is ~/.minio/ on Linux or %USERPROFILE%\.minio\ on Windows. Note that the files must be named private.key and public.crt for the key and certificate respectively.
If the certificate is signed by a certificate authority (CA), public.crt should be the concatenation of the server's certificate, any intermediates, and the CA's root certificate, in that order.
If you're looking to obtain a CA-issued certificate for Minio using Let's Encrypt, follow the docs here.
3. Generate self-signed certificates
Before generating your self-signed certificate, note that
- Minio supports only key/certificate in PEM format on Linux.
- Minio supports only key/certificate in PEM format on Windows. We don't support PFX certificates currently.
Download generate_cert.go. This is a simple Go tool to generate self-signed certificates.
generate_cert.go already produces SAN certificates with DNS and IP entries, for example:
go run generate_cert.go -ca --host "10.10.0.3"
Generate the private key:
openssl genrsa -out private.key 2048
Generate the self-signed certificate:
openssl req -new -x509 -days 3650 -key private.key -out public.crt -subj "/C=US/ST=state/L=location/O=organization/CN=domain"
Using OpenSSL (with IP address)
Create a file called openssl.conf and add the text below to it. Note that you'll need to change the IP.1 field to point to the correct IP address.
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = VA
L = Somewhere
O = MyOrg
OU = MyOU
CN = MyServerName
[v3_req]
subjectAltName = @alt_names
[alt_names]
IP.1 = 127.0.0.1
openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout private.key -out public.crt -config openssl.conf
Using GnuTLS (for Windows)
Download and decompress the Windows version of GnuTLS from here
Make sure to add extracted GnuTLS binary path to your system path.
setx path "%path%;C:\Users\MyUser\Downloads\gnutls-3.4.9-w64\bin"
You may need to restart your PowerShell console for this to take effect.
- Run the following command to create the private key:
certtool.exe --generate-privkey --outfile private.key
- Create a file cert.cnf with all the necessary information to generate a certificate:
# X.509 Certificate options
#
# DN options
# The organization of the subject.
organization = "Example Inc."
# The organizational unit of the subject.
#unit = "sleeping dept."
# The state of the certificate owner.
state = "Example"
# The country of the subject. Two letter code.
country = "EX"
# The common name of the certificate owner.
cn = "Sally Certowner"
# In how many days, counting from today, this certificate will expire.
expiration_days = 365
# X.509 v3 extensions
# DNS name(s) of the server
dns_name = "localhost"
# (Optional) Server IP address
ip_address = "127.0.0.1"
# Whether this certificate will be used for a TLS server
tls_www_server
# Whether this certificate will be used to encrypt data (needed
# in TLS RSA ciphersuites). Note that it is preferred to use different
# keys for encryption and signing.
encryption_key
- Generate the public certificate:
certtool.exe --generate-self-signed --load-privkey private.key --template cert.cnf --outfile public.crt
4. Install third-party CAs
Minio can be configured to connect to other servers, whether Minio nodes or services such as NATS or Redis. If these servers use certificates that are not issued by one of the well-known certificate authorities, you can make the Minio server trust those CAs by dropping their certificates under the Minio config path: ~/.minio/certs/CAs/ on Linux or C:\Users\<Username>\.minio\certs\CAs on Windows.