Client certificates

Configure MinIO Sidekick to authenticate to backend servers using client certificates and to verify backend server certificates.

Client certificate authentication

Provide client certificate and key files to authenticate load balancer connections to backends:

sidekick --client-cert /path/to/public.crt --client-key /path/to/private.key \
  --health-path=/ready \
  https://backend1:8000 https://backend2:8000

Sidekick presents the client certificate when establishing connections to backend servers. Backends configured for mutual TLS verify the client certificate before accepting connections.

Server certificate verification

By default, Sidekick verifies backend server certificates against the system certificate authority bundle. Provide a custom CA certificate using --cacert:

sidekick --cacert /path/to/ca.pem \
  --health-path=/ready \
  https://backend1:8000 https://backend2:8000

Sidekick trusts certificates signed by the specified CA when connecting to backends. This allows verification of certificates signed by internal or private certificate authorities.

Disable verification

Disable certificate verification for development or testing using --insecure:

sidekick --insecure \
  --health-path=/ready \
  https://backend1:8000 https://backend2:8000

Do not disable verification in production environments.

This option configures Sidekick to accept any server certificate without verification. It should not be used in production environments as it eliminates protection against man-in-the-middle attacks.

Combined configuration

Use both server-side TLS termination and client authentication simultaneously:

sidekick --cert /path/to/server-public.crt --key /path/to/server-private.key \
  --client-cert /path/to/client-public.crt --client-key /path/to/client-private.key \
  --cacert /path/to/ca.pem \
  --health-path=/ready \
  https://backend1:8000 https://backend2:8000

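This configuration enables TLS on both client-facing and backend-facing connections: Sidekick terminates TLS for clients with the server certificate, authenticates to backends with the client certificate, and verifies backend certificates against the CA given in --cacert.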
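
The following pre-flight script is an added example, not part of the Sidekick documentation or code. It checks the files passed to --client-cert, --client-key and --cacert before Sidekick is started. The function names and the file names in the usage comment are hypothetical, and the script assumes the openssl CLI (1.1.0 or later) and a local copy of one backend's certificate.

```shell
#!/bin/sh
# Added example: offline pre-flight checks for the files given to Sidekick's
# --client-cert, --client-key and --cacert flags. Function names are
# hypothetical; the only dependency is the openssl CLI.

# cert_matches_key CERT KEY: succeed only if KEY is the private key for CERT.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_chains_to_ca CA CERT: succeed only if CERT verifies against CA.
# -no-CApath keeps the default system CA directory out of the decision.
cert_chains_to_ca() {
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_valid_for SECONDS CERT: succeed only if CERT is still valid
# SECONDS from now.
cert_valid_for() {
  openssl x509 -in "$2" -noout -checkend "$1" >/dev/null 2>&1
}

# preflight CLIENT_CERT CLIENT_KEY CA BACKEND_CERT: run every check and
# report each failure; returns non-zero if any check failed.
preflight() {
  rc=0
  cert_matches_key "$1" "$2" || { echo "FAIL: $2 is not the key for $1" >&2; rc=1; }
  cert_valid_for 604800 "$1" || { echo "FAIL: $1 expires within 7 days" >&2; rc=1; }
  cert_chains_to_ca "$3" "$4" || { echo "FAIL: $4 does not verify against $3" >&2; rc=1; }
  cert_valid_for 604800 "$4" || { echo "FAIL: $4 expires within 7 days" >&2; rc=1; }
  return "$rc"
}

# Run only when called with the four file arguments, for example:
#   sh preflight.sh client.crt client.key ca.pem backend1.crt
if [ "$#" -eq 4 ]; then
  preflight "$@"
fi
```

A failed check here points to a handshake failure that the backend or Sidekick would otherwise report only at connection time.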