S3 Compatible Storage

How to automatically deploy SSL certificates to any S3-compatible object storage bucket.

Overview

AutoSSL can automatically upload SSL certificate files to any S3-compatible object storage bucket. You provide a custom HTTPS endpoint and bucket name, making this provider suitable for MinIO, Wasabi, Ceph, and other S3-compatible services not covered by a dedicated provider.

Each certificate is archived under a versioned archive path and also updated under a latest/ path for easy discovery by downstream consumers (e.g., Nginx, Caddy, or custom scripts that pull certificates from object storage).

For instructions on how to manage and run this deployment, please refer to the Deployment Management section.

Configuration Parameters

When you add or edit this deployment target in the AutoSSL console, you will need to configure the following parameters:

| Parameter | Description | Example |
| --- | --- | --- |
| Endpoint | The HTTPS URL of the S3-compatible API. HTTP endpoints are not supported. | https://minio.example.com |
| Region | (Optional) Region used for request signing. Defaults to us-east-1. Use the value required by your provider. | us-east-1 |
| Bucket Name | The name of the bucket to upload certificate files to. | my-ssl-certs |
| Object Key Prefix | (Optional) A prefix for organizing certificate files in the bucket. If set, files will be uploaded under this prefix. Trailing slash is optional. | certs/example.com/ |
| Force Path Style | (Optional) Enable path-style URLs (https://endpoint/bucket/key). Enable this for MinIO and some self-hosted S3-compatible services. | true (for MinIO) |

The endpoint must use HTTPS. AutoSSL will reject HTTP endpoints for security reasons.

How it Works

When AutoSSL deploys a certificate to an S3-compatible bucket (e.g., my-ssl-certs with prefix certs/example.com/), it performs the following steps:

  1. Certificate Preparation:

    • Splits the full certificate chain into individual PEM files: cert.pem (leaf certificate), privkey.pem (private key, PKCS#8 encoded), chain.pem (intermediate chain), and fullchain.pem (full chain).
    • Generates a README.md file with certificate metadata and a link to https://autossl.dev for traceability.
    • Parses the certificate notBefore date and SHA1 fingerprint to generate an archive directory name (format: YYYY-MM-DD_<first 8 chars of SHA1>).
  2. File Upload:

    • Uploads certificate files (four PEM files and README.md) to two paths in the bucket:
      • Archive path: certs/example.com/2026-05-30_e5f6a7b8/cert.pem (and privkey.pem, chain.pem, fullchain.pem, README.md). This path is unique per certificate issuance and is never overwritten.
      • Latest path: certs/example.com/latest/cert.pem (and privkey.pem, chain.pem, fullchain.pem, README.md). This path always reflects the most recently uploaded certificate.

The latest/ path allows downstream services to always fetch the current certificate from a fixed object key. Historical certificates remain accessible under their versioned archive directories.

Example Bucket Structure

After multiple certificate renewals, your bucket structure will look like this:

certs/example.com/
├── 2026-03-01_a1b2c3d4/
│   ├── cert.pem
│   ├── privkey.pem
│   ├── chain.pem
│   ├── fullchain.pem
│   └── README.md
├── 2026-05-30_e5f6a7b8/
│   ├── cert.pem
│   ├── privkey.pem
│   ├── chain.pem
│   ├── fullchain.pem
│   └── README.md
└── latest/
    ├── cert.pem
    ├── privkey.pem
    ├── chain.pem
    ├── fullchain.pem
    └── README.md
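
A consumer-side check for files pulled from latest/, as an added example (not AutoSSL code): S3 has no atomic multi-object write, so a poller can in principle read files from two different issuances. It assumes the fingerprint in the archive name is the lowercase hex SHA-1 of the leaf's DER encoding; check_latest, pem_certs, fp8, pem and the sample bytes are hypothetical names and constructed data.

```python
import base64
import hashlib
import re

CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def pem(der, label="CERTIFICATE"):
    """Wrap raw bytes in a PEM block (used to build the constructed sample)."""
    body = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def pem_certs(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM string."""
    return [base64.b64decode("".join(b.split())) for b in CERT_RE.findall(text)]

def fp8(der):
    """First 8 hex chars of the SHA-1 fingerprint (assumed: lowercase, over DER)."""
    return hashlib.sha1(der).hexdigest()[:8]

def check_latest(files, archive_dirs):
    """Validate files pulled from latest/ and return the matching archive dir.

    files maps object name -> PEM text; archive_dirs are the directory names
    listed under the prefix. Raises ValueError on an inconsistent set.
    """
    leaf = pem_certs(files["cert.pem"])
    chain = pem_certs(files["chain.pem"])
    full = pem_certs(files["fullchain.pem"])
    if len(leaf) != 1:
        raise ValueError("cert.pem must hold exactly one certificate")
    if full != leaf + chain:
        raise ValueError("fullchain.pem is not cert.pem + chain.pem")
    if "-----BEGIN PRIVATE KEY-----" not in files["privkey.pem"]:
        raise ValueError("privkey.pem is not a PKCS#8 PEM key")
    hits = [d for d in archive_dirs if d.endswith("_" + fp8(leaf[0]))]
    if len(hits) != 1:
        raise ValueError("leaf has no unique archive directory")
    return hits[0]

# Constructed sample: opaque bytes stand in for DER certificates and the key.
OLD, NEW, CA = b"leaf-march", b"leaf-may", b"intermediate"
DIRS = ["2026-03-01_" + fp8(OLD), "2026-05-30_" + fp8(NEW)]
GOOD = {"cert.pem": pem(NEW), "chain.pem": pem(CA),
        "fullchain.pem": pem(NEW) + pem(CA),
        "privkey.pem": pem(b"key", "PRIVATE KEY")}

if __name__ == "__main__":
    print(check_latest(GOOD, DIRS))
```

This check does not prove that privkey.pem belongs to the leaf certificate; compare the public keys with your TLS tooling before reloading a server.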

Private Key Format

privkey.pem is encoded in PKCS#8 format (-----BEGIN PRIVATE KEY-----). This format is widely supported by modern web servers and tools (Nginx, Caddy, Traefik, OpenSSL 1.1+, etc.).

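If your environment requires PKCS#1 format (e.g., -----BEGIN RSA PRIVATE KEY----- for RSA keys), convert it locally before use. On OpenSSL 3.x, openssl rsa writes PKCS#8 by default, so add -traditional there:

openssl rsa -in privkey.pem -out privkey-pkcs1.pem
openssl rsa -in privkey.pem -traditional -out privkey-pkcs1.pem   # OpenSSL 3.x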

Access Key Requirement

This provider requires S3 Compatible Storage credentials.

Required Permissions

The access key must have permission to upload objects to the target bucket. At minimum, the following S3 action is required:

  • s3:PutObject on the target bucket (or bucket prefix)

For MinIO, grant the user a policy that allows s3:PutObject on the target bucket.

Troubleshooting

| Symptom | Possible Fix |
| --- | --- |
| Connection refused or DNS error | Verify the endpoint URL is correct and reachable from AutoSSL. |
| Access denied | Check that the access key has PutObject permission on the bucket. |
| Signature mismatch | Try a different Region value as required by your provider. |
| Bucket not found with custom endpoint | Enable Force Path Style (common for MinIO). |