### TLS (FTP)

Unlike SFTP server, FTP server is insecure by default. To operate under TLS mode, you need to provide certificates via

```
--ftp="tls-private-key=path/to/private.key" --ftp="tls-public-cert=path/to/public.crt"
```

> NOTE: if MinIO distributed setup is already configured to run under TLS, FTP will automatically use the relevant

If your lambda target expects mTLS client you can enable it per function target as follows
```
MINIO_LAMBDA_WEBHOOK_ENABLE_function=on MINIO_LAMBDA_WEBHOOK_ENDPOINT_function=http://localhost:5000 MINIO_LAMBDA_WEBHOOK_CLIENT_CERT=client.crt MINIO_LAMBDA_WEBHOOK_CLIENT_KEY=client.key minio server /data &
```

## Create a bucket and upload some data

Create a bucket named `functionbucket`
```

    //
    // openssl req \
    //   -x509 \
    //   -md5 \
    //   -nodes \
    //   -days 1 \
    //   -newkey rsa:512 \
    //   -keyout privateKey.key \
    //   -out certificate.crt
    val certificatePem =
      """
      |-----BEGIN CERTIFICATE-----
      |MIIBFzCBwgIJAIVAqagcVN7/MA0GCSqGSIb3DQEBBAUAMBMxETAPBgNVBAMMCGNh
      |c2guYXBwMB4XDTE5MDkwNzAyMjg0NFoXDTE5MDkwODAyMjg0NFowEzERMA8GA1UE

        assertEquals(getViaFactory.threshold(), getViaConstructor.threshold());
    }

    /*
    @Test
    public void test_Get_ssl() throws Exception {
        final String filename = "config/certs/http_ca.crt";
        try (InputStream in = new FileInputStream(filename)) {
            Certificate certificate = CertificateFactory.getInstance("X.509").generateCertificate(in);

		privateKey, err := createTempFile(t, "private.key", testCase.privateKey)
		if err != nil {
			t.Fatalf("Test %d: failed to create tmp private key file: %v", i, err)
		}
		certificate, err := createTempFile(t, "public.crt", testCase.certificate)
		if err != nil {
			os.Remove(privateKey)
			t.Fatalf("Test %d: failed to create tmp certificate file: %v", i, err)
		}

		if testCase.password != "" {

Following is a sample directory structure for MinIO server with TLS certificates.

```sh
$ mc tree --files ~/.minio
/home/user1/.minio
└─ certs
   ├─ CAs
   ├─ private.key
   └─ public.crt
```

You can provide a custom certs directory using `--certs-dir` command line option.

#### Credentials

!= nil { return errors.New("crypto/rsa: invalid prime") } dP, err := bigmod.NewNat().SetBytes(priv.dP, pMinus1) if err != nil { return errors.New("crypto/rsa: invalid CRT exponent") } de := bigmod.NewNat() de.SetUint(uint(priv.pub.E)).ExpandFor(pMinus1) de.Mul(dP, pMinus1) if de.IsOne() != 1 { return errors.New("crypto/rsa: invalid CRT exponent") } qMinus1, err := bigmod.NewModulus(q.Nat().SubOne(q).Bytes(q)) if err != nil { return errors.New("crypto/rsa: invalid prime") } dQ, err := bigmod.NewNat...

!= nil { return errors.New("crypto/rsa: invalid prime") } dP, err := bigmod.NewNat().SetBytes(priv.dP, pMinus1) if err != nil { return errors.New("crypto/rsa: invalid CRT exponent") } de := bigmod.NewNat() de.SetUint(uint(priv.pub.E)).ExpandFor(pMinus1) de.Mul(dP, pMinus1) if de.IsOne() != 1 { return errors.New("crypto/rsa: invalid CRT exponent") } qMinus1, err := bigmod.NewModulus(q.Nat().SubOne(q).Bytes(q)) if err != nil { return errors.New("crypto/rsa: invalid prime") } dQ, err := bigmod.NewNat...

- Kubeadm: during the validation of existing kubeconfig files on disk, handle cases where the "ca.crt" is a bundle and has intermediate certificates. Find a common trust anchor between the "ca.crt" bundle and the CA in the existing kubeconfig on disk instead of treating "ca.crt" as a file containing a single CA. ([#123102](https://github.com/kubernetes/kubernetes/pull/123102), [@astundzia](https://github.com/astundzia))

- Kubeadm: removed the restriction that the `ca.crt` can only contain one certificate. If there is more than one certificate in the `ca.crt` file, kubeadm will pick the first one by default. ([#107327](https://github.com/kubernetes/kubernetes/pull/107327), [@SataQiu](https://github.com/SataQiu))