Rene Groeschke <******@****.***> 1622539170 +0200

Rene Groeschke <******@****.***> 1622539170 +0200

            .register("copyTestCertificates", ExportElasticsearchBuildResourcesTask.class, (t) -> {
                t.copy("test/ssl/test-client.crt");
                t.copy("test/ssl/test-client.key");
                t.copy("test/ssl/test-client.jks");
                t.copy("test/ssl/test-node.crt");
                t.copy("test/ssl/test-node.key");
                t.copy("test/ssl/test-node.jks");
                t.setOutputDir(keyStoreDir);

        // exclude known binary extensions
        .exclude("**/*.gz")
        .exclude("**/*.ico")
        .exclude("**/*.jar")
        .exclude("**/*.zip")
        .exclude("**/*.jks")
        .exclude("**/*.crt")
        .exclude("**/*.keystore")
        .exclude("**/*.png")
        // vim swap file - included here to stop the build falling over if you happen to have a file open :-|
        .exclude("**/.*.swp");

    /*

        // Create a temporary invalid certificate file
        File invalidCertFile = null;
        try {
            invalidCertFile = File.createTempFile("invalid_cert", ".crt");
            try (FileWriter writer = new FileWriter(invalidCertFile)) {
                writer.write("INVALID CERTIFICATE CONTENT");
            }

Go 1.24 also removed X25519Kyber768Draft00 and the Go 1.23 `tlskyber` setting.

Go 1.24 made [`ParsePKCS1PrivateKey`](/pkg/crypto/x509/#ParsePKCS1PrivateKey)
use and validate the CRT parameters in the encoded private key. This behavior
can be controlled with the `x509rsacrt` setting. Using `x509rsacrt=0` restores
the Go 1.23 behavior.

### Go 1.23

```yaml
    volumes:
      - name: secret-volume
        secret:
          secretName: tls-ssl-minio
          items:
          - key: public.crt
            path: public.crt
          - key: private.key
            path: private.key
          - key: public.crt
            path: CAs/public.crt
```

Note that the `secretName` should be same as the secret name created in previous step. Then add the below section under

4. Import the node certificate in the client's keystore:
   `keytool -import -alias test-node -keystore test-client.jks -storepass keypass -file test-node.crt -noprompt`
5. Export the client's certificate:
   `keytool -export -alias test-client -keystore test-client.jks -storepass keypass -file test-client.crt`
6. Import the client certificate in the node's keystore:

For instance, given that TLS is enabled and you need to add trust for MinIO's own CA and for the CA of a Keycloak server, a Kubernetes secret can be created from the certificate files using `kubectl`:

```
kubectl -n minio create secret generic minio-trusted-certs --from-file=public.crt --from-file=keycloak.crt
```

**Note:**

* Location of custom certs directory can be specified using `--certs-dir` command line option.
* Inside the `certs` directory, the private key must by named `private.key` and the public key must be named `public.crt`.
* A certificate signed by a CA contains information about the issued identity (e.g. name, expiry, public key) and any intermediate certificates. The root CA is not included.