party CA: ``` kubectl -n minio create secret generic minio-trusted-certs --from-file=keycloak.crt ``` The name of the generated secret can then be passed to Helm using a values file or the `--set` parameter: ``` trustedCertsSecret: "minio-trusted-certs" or --set trustedCertsSecret=minio-trusted-certs ``` ### Create buckets after install Install the chart, specifying the buckets you want to create after install: ```bash helm install --set buckets[0].name=bucket1,buckets[0].policy=none,buckets[0].purge=false...

party CA: ``` kubectl -n minio create secret generic minio-trusted-certs --from-file=keycloak.crt ``` The name of the generated secret can then be passed to Helm using a values file or the `--set` parameter: ``` trustedCertsSecret: "minio-trusted-certs" or --set trustedCertsSecret=minio-trusted-certs ``` ### Create buckets after install Install the chart, specifying the buckets you want to create after install: ```bash helm install --set buckets[0].name=bucket1,buckets[0].policy=none,buckets[0].purge=false...

  certSecret: ""
  publicCrt: public.crt
  privateKey: private.key

## Trusted Certificates Settings for MinIO. Ref: https://min.io/docs/minio/linux/operations/network-encryption.html#third-party-certificate-authorities
## Bundle multiple trusted certificates into one secret and pass that here. Ref: https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret

          // Consuming ServerHello handshake message
          // Consuming server Certificate handshake message
          // Consuming server CertificateStatus handshake message
          // Found trusted certificate
          // Consuming ECDH ServerKeyExchange handshake message
          // Consuming ServerHelloDone handshake message
          // Produced ECDHE ClientKeyExchange handshake message

party CA: ``` kubectl -n minio create secret generic minio-trusted-certs --from-file=keycloak.crt ``` The name of the generated secret can then be passed to Helm using a values file or the `--set` parameter: ``` trustedCertsSecret: "minio-trusted-certs" or --set trustedCertsSecret=minio-trusted-certs ``` ### Create buckets after install Install the chart, specifying the buckets you want to create after install: ```bash helm install --set buckets[0].name=bucket1,buckets[0].policy=none,buckets[0].purge=false...

   */
  fun noClientAuth() {
    this.clientAuth = CLIENT_AUTH_NONE
  }

  /**
   * Configure the server to [want client auth][SSLSocket.setWantClientAuth]. If the
   * client presents a certificate that is [trusted][TrustManager] the handshake will
   * proceed normally. The connection will also proceed normally if the client presents no
   * certificate at all! But if the client presents an untrusted certificate the handshake

          listOf(
            "Inaccessible trust store",
            "trustStore is",
            "Reload the trust store",
            "Reload trust certs",
            "Reloaded",
            "adding as trusted certificates",
            "Ignore disabled cipher suite",
            "Ignore unsupported cipher suite",
          ).joinToString(separator = "|"),
        )
        append(").*")
      },
    )

	if err != nil || numEntries < 0 || int(2*numEntries) < int(numEntries) {
		return nil, ErrHeader
	}

	// Parse for all member entries.
	// numEntries is trusted after this since a potential attacker must have
	// committed resources proportional to what this library used.
	if err := feedTokens(2 * numEntries); err != nil {
		return nil, err
	}

* Traefik (that can also handle certificate renewals)
* Caddy (that can also handle certificate renewals)
* Nginx
* HAProxy

## Let's Encrypt

Before Let's Encrypt, these **HTTPS certificates** were sold by trusted third parties.

The process to acquire one of these certificates used to be cumbersome, require quite some paperwork and the certificates were quite expensive.

| `Forwarded`   | For outgoing requests, the original source IP. Note that since we spoof IPs in most cases, this usually is the same as the actual IP seen. For incoming requests, this is used only for traffic from waypoints (which are trusted and cannot spoof IPs) |