MinIO needs the client certificate's CN to carry the policy name, and the original mkcert does not support this, so download the updated mkcert from https://github.com/kanagarajkm/mkcert/releases/download/v1.4.3-1/mkcert
- Generate certificate files
mkcert localhost
- Copy the generated localhost-key.pem and localhost.pem to the certs directory of the minio server.
cp -avi localhost-key.pem ~/.minio/certs/private.key
cp -avi localhost.pem ~/.minio/certs/public.crt
- Restart or start the minio server with the environment variable MINIO_IDENTITY_TLS_ENABLE=on.
- Generate the client certificate. Here client1 is the CN.
mkcert -client client1
- Rename generated certificate files.
mv -vi client1-key.pem client1.key
mv -vi client1.pem client1.crt
- Copy the certificate files to the certs/CAs directory of the minio server.
cp -avi client1.key ~/.minio/certs/CAs/client1.key
cp -avi client1.crt ~/.minio/certs/CAs/client1.crt
- Restart the minio server with the environment variable MINIO_IDENTITY_TLS_ENABLE=on.
- Create a new policy JSON file named client1-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Sid": ""
    }
  ]
}
- Add the policy under the name client1, so that it matches the CN of the client certificate
mc admin policy add myminio client1 client1-policy.json --insecure
- Request temporary credentials with the client certificate through AssumeRoleWithCertificate
curl -X POST --key client1.key --cert client1.crt "https://minio:9000?Action=AssumeRoleWithCertificate&Version=2011-06-15&DurationSeconds=3600" -k
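
The curl call above returns an XML document. The following is an added example, not part of the original instructions, that extracts the temporary credentials from that reply and rejects error or expired replies. The AWS STS-style reply layout, the sample values and the names `parse_sts_reply`, `SAMPLE_OK` and `SAMPLE_ERR` are assumptions.

```python
"""Added example: parse an AssumeRoleWithCertificate reply (layout assumed)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample reply; every value is a placeholder, not real output.
SAMPLE_OK = """<?xml version="1.0" encoding="UTF-8"?>
<AssumeRoleWithCertificateResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithCertificateResult>
    <Credentials>
      <AccessKeyId>EXAMPLEACCESSKEY</AccessKeyId>
      <SecretAccessKey>example-secret-key</SecretAccessKey>
      <Expiration>2030-01-01T01:00:00Z</Expiration>
      <SessionToken>example.session.token</SessionToken>
    </Credentials>
  </AssumeRoleWithCertificateResult>
</AssumeRoleWithCertificateResponse>"""

# Constructed error reply in the AWS-style ErrorResponse shape (assumed).
SAMPLE_ERR = """<ErrorResponse><Error><Code>AccessDenied</Code>
<Message>constructed example message</Message></Error></ErrorResponse>"""

FIELDS = ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")


def _local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def parse_sts_reply(xml_text, now=None):
    """Return the temporary credentials as a dict, or raise ValueError."""
    root = ET.fromstring(xml_text)
    found = {_local(el.tag): (el.text or "").strip() for el in root.iter()}
    if _local(root.tag) == "ErrorResponse" or "Code" in found:
        raise ValueError(f"STS error {found.get('Code')}: {found.get('Message')}")
    missing = [f for f in FIELDS if not found.get(f)]
    if missing:
        raise ValueError(f"reply lacks {missing}")
    expires = datetime.strptime(found["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    expires = expires.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    if expires <= now:
        raise ValueError("credentials already expired")
    creds = {f: found[f] for f in FIELDS[:3]}  # key, secret, session token
    creds["ttl_seconds"] = int((expires - now).total_seconds())
    return creds
```

The returned dict holds the access key, secret key and session token plus the remaining lifetime in seconds, so a caller can refresh before the `DurationSeconds` window closes.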