OpenSSL – s3 – a specific use case


Last updated: 5/28/2024

This document covers one specific use case: creating a certificate for use with Minio.

This post is dedicated to creating a certificate for use with Minio S3.
This page does not discuss how to install Minio.
This page does not discuss how to install OpenSSL.
This page does not discuss how to install Easy-RSA.
This page assumes you already have perused and used their resources.

Having made that assumption let’s proceed from there.

Overview:

We are going to do the following.

* Create a request template.
* Create a request.
* Fulfil the request with Easy-RSA.
* Use the cert with Minio.

Assumptions:

Let’s assume we have a server named s3.sparelab.net with IP 192.168.160.59.

PRO TIP: before doing any of this, make sure that the time is correct in your environment. There is nothing worse than installing a certificate that was generated 6 hours in the future.

We will use openssl to create a certificate that will keep even Chrome happy.

Step 1: create a request template

Create a file named request.cnf

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no
[ req_distinguished_name ]
countryName                = US               # C -Country Name (2 letter code)
stateOrProvinceName        = Somestate        # ST - State or Province Name (full name)
localityName               = Boomtown         # L - Locality Name (eg, city)
organizationName           = Widgets Inc.     # O - Organization Name (eg, company)
commonName                 = s3.sparelab.net  # CN - Common Name (eg, FQDN or YOUR name)
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = s3.sparelab.net
IP.1    = 192.168.160.59

Step 2: create the request

openssl req -out request.csr -newkey rsa:2048 -nodes -keyout private.key -config request.cnf
Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

Now that request.csr has been created, we can import it into Easy-RSA. If you did not create the CSR on the Easy-RSA server, copy the file over to a convenient directory of your choice. In this case we chose to place the file in /tmp

./easyrsa import-req /tmp/request.csr s3-server
The request has been successfully imported with a short name of: s3-server
You may now use this name to perform signing operations on this request.

Step 3: Now we are ready to fulfill the request and sign it with Easy-RSA

./easyrsa sign-req server s3-server

It will tell you where the generated cert is stored. Take note of this.

Step 4: Install the certs

Copy the s3-server.crt file into its storage location on the S3 server (/root/.minio/certs, as in the listing below). In the listing it is saved as public.crt.

Copy the private.key into the same certs directory (/root/.minio/certs)

root@s3:~/.minio/certs# ls -al
total 24
drwx------ 3 root root 4096 May 28 18:10 .
drwx------ 3 root root 4096 May 28 18:10 ..
drwx------ 2 root root 4096 May 15 15:59 CAs
-rw------- 1 root root 1704 May 28 18:09 private.key
-rw-r--r-- 1 root root 4836 May 28 18:08 public.crt
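
Before restarting Minio it is worth confirming that the signed certificate still carries the SAN entries from request.cnf (a CA only copies them from the CSR if it is set up to do so), that it pairs with private.key, and that its validity window has already started. The script below is an added example, not part of the original post; the function names and the CA certificate path are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. File and host names are the
# page's; the function names and the CA path in the usage line are assumed.

# Print the certificate's SAN entries one per line,
# e.g. "DNS:s3.sparelab.net" or "IP Address:192.168.160.59".
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
    sed '1d' | tr ',' '\n' | sed 's/^ *//; s/ *$//'
}

# Exact match on one SAN entry. Browsers ignore commonName, so a name that
# appears only in the subject does not count.
cert_has_san() { cert_sans "$1" | grep -qxF -- "$2"; }

# The certificate must contain the public half of the private key.
key_matches_cert() {
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Signature chain and validity window. This fails while notBefore is still
# in the future, which is the clock problem the PRO TIP warns about.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Run every check, print one line per failure, return 0 only if all pass.
# usage: check_minio_cert CA_CERT CERT KEY DNS_NAME IP
check_minio_cert() {
  local rc=0
  chain_ok "$1" "$2" || { echo "FAIL: chain or validity dates"; rc=1; }
  key_matches_cert "$2" "$3" || { echo "FAIL: cert/key mismatch"; rc=1; }
  cert_has_san "$2" "DNS:$4" || { echo "FAIL: no SAN DNS:$4"; rc=1; }
  cert_has_san "$2" "IP Address:$5" || { echo "FAIL: no SAN IP:$5"; rc=1; }
  return "$rc"
}

# e.g. ./check.sh /path/to/ca.crt public.crt private.key \
#        s3.sparelab.net 192.168.160.59
if [ "$#" -eq 5 ]; then check_minio_cert "$@"; fi
```

The SAN check compares whole entries, so a certificate issued for a longer or shorter host name does not pass as s3.sparelab.net.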