服务端证书生成
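# CA: private key plus a self-signed root certificate valid for 365 days.
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -subj "/CN=*.*.*.*" -days 365 -out ca.crt

# Server: private key and certificate signing request.
openssl genrsa -out server.key 2048
openssl req -new -nodes -key server.key -subj "/CN=*.*.*.*" -out server.csr

# The server certificate must carry subjectAltName = IP:172.20.20.203:
# clients (Go's crypto/tls included) check the IP they dial against the
# SAN extension, not the CN, so a certificate without it is rejected.
# The echo must sit on its own line; with everything collapsed onto one
# line after the "#", the rest of the pipeline was part of the comment.
echo "subjectAltName = IP:172.20.20.203" > extfile.cnf

# Sign the CSR with the CA, attaching the SAN from extfile.cnf.
# NOTE(review): -days 3650 outlives the CA's 365 days; chain validation
# fails as soon as ca.crt expires, so align the two lifetimes.
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out server.crt -days 3650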
从key导出pem公钥和私钥:
私钥: openssl rsa -in demo.key -out private.pem
公钥: openssl rsa -in demo.key -pubout -out public.pem
客户端连接配置
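// Client connection configuration: mutual TLS against a MinIO endpoint,
// trusting only the private CA generated above.
//
// NOTE(review): endpoint, user and password are embedded as sample values;
// in a real deployment read them from the environment or a secrets store
// rather than from source.
endpoint := "192.168.77.114:9091"
user := "minioadmin"
pass := "minioadmin"

// PEM material: the CA that signed the server certificate, and the client's
// private key and certificate presented to the server (placeholders here).
ca := `-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----`
k := `-----BEGIN RSA PRIVATE KEY-----
xxx
-----END RSA PRIVATE KEY-----`
c := `-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----`

// A pool built with NewCertPool does not contain the system roots, so only
// certificates issued by this CA are accepted. AppendCertsFromPEM reports
// whether anything was parsed; ignoring that turns a bad CA block into a
// confusing handshake failure later, so fail fast here instead.
pool := x509.NewCertPool()
if !pool.AppendCertsFromPEM([]byte(ca)) {
	log.Fatalln("no CA certificate could be parsed from the ca PEM block")
}

// Load the client certificate/key pair; X509KeyPair validates that the
// key matches the certificate.
cliCrt, err := tls.X509KeyPair([]byte(c), []byte(k))
if err != nil {
	log.Fatalln(err)
}

// Secure: true selects https; the custom Transport pins the trust root and
// supplies the client certificate. The zero-value http.Transport sets no
// dial or handshake timeouts, so a hung endpoint blocks indefinitely —
// configure them when this moves beyond a sample.
minioClient, err := minio.New(endpoint, &minio.Options{
	Creds:  credentials.NewStaticV4(user, pass, ""),
	Secure: true,
	Transport: &http.Transport{
		TLSClientConfig: &tls.Config{
			RootCAs:      pool,
			Certificates: []tls.Certificate{cliCrt},
			MinVersion:   tls.VersionTLS12, // make the protocol floor explicit
		},
	},
})
if err != nil {
	log.Fatal(err)
}

// Exercise the connection: creating the bucket forces the TLS handshake and
// the credential check, so a misconfiguration surfaces here.
if err := minioClient.MakeBucket(context.Background(), "demo", minio.MakeBucketOptions{}); err != nil {
	log.Fatal(err)
}
fmt.Println(minioClient)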