path: root/jstests/libs/README.ssl
blob: 532e70dc2fecb6667481e170ca2d60d69643299d
rollover_*.pem are certificates and a CA used to test rolling over X509 cluster authentication

# Generate the root CA certificate:
openssl genrsa -out rollover_ca.key 4096
openssl req -key rollover_ca.key -new -x509 -days 3650 -out rollover_ca.pem \
    -subj '/CN=Kernel Rollover Test CA/OU=Kernel/O=MongoDB\, Inc./L=New York/ST=New York/C=US' \
    -addext "keyUsage = critical, digitalSignature, cRLSign, keyCertSign"

cat rollover_ca.pem ca.pem > rollover_ca_merged.pem
cat rollover_ca.key >> rollover_ca.pem
rm rollover_ca.key

# Generate the server key and cert:
openssl genrsa -out rollover_server.key 2048
openssl req -new -key rollover_server.key -days 3650 -out rollover_server.csr \
    -subj '/CN=server/OU=Kernel (Rollover)/O=MongoDB\, Inc. (Rollover)/L=New York/ST=New York/C=US/'

# Sign the new server cert and clean up
openssl x509 -req -days 3650 -in rollover_server.csr -CA rollover_ca.pem -CAcreateserial \
    -out rollover_server.pem -sha256 -extfile <(printf "subjectAltName=DNS:localhost,DNS:127.0.0.1")
cat rollover_server.key >> rollover_server.pem
rm rollover_server.key
rm rollover_server.csr
rm rollover_ca.srl

---------------------------

client-self-signed.pem represents the same RDN as client.pem, but using itself as a CA:

openssl req -nodes -new -subj '/CN=client/OU=KernelUser/O=MongoDB/L=New York City/ST=New York/C=US' -out css.csr -keyout css.rsa
openssl rsa -in css.rsa -out css.key
openssl x509 -in css.csr -out jstests/libs/client-self-signed.pem -req -signkey css.key -days 3650
cat css.key >> jstests/libs/client-self-signed.pem
rm css.{csr,rsa,key}

---------------------------
client-multivalue-rdn.pem represents the same RDN as client.pem, but grouping some elements together:

openssl req -new -nodes -subj '/CN=client+OU=KernelUser+O=MongoDB/L=New York City+ST=New York+C=US' -multivalue-rdn \
            -keyout client-multivalue-rdn.key -out client-multivalue-rdn.csr
openssl rsa -in client-multivalue-rdn.key -out client-multivalue-rdn.rsa
openssl x509 -in client-multivalue-rdn.csr -out client-multivalue-rdn.pem -req -CA ca.pem -days 3650 -CAcreateserial
cat client-multivalue-rdn.rsa >> client-multivalue-rdn.pem
rm ca.srl client-multivalue-rdn.key client-multivalue-rdn.rsa client-multivalue-rdn.csr
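The two client subjects above carry the same six attributes, but `-multivalue-rdn` groups them into two RDNs (CN+OU+O and L+ST+C), which is a different X.509 name from the six single-valued RDNs of client.pem. The following parser for the `openssl req -subj` syntax is an added example, not code from the MongoDB test suite; it handles the `+` grouping and the `\,` escape used in the rollover subjects, and the subject strings embedded in it are copied from the recipes above.

```python
"""Parse the one-line subject syntax of `openssl req -subj`.

Added example, not part of the MongoDB test suite. It shows that client.pem
and client-multivalue-rdn.pem contain the same attributes while being
different names: the multi-valued form groups the AVAs into two RDNs.
"""

from typing import List, Tuple

AVA = Tuple[str, str]   # one attribute/value pair, e.g. ("CN", "client")
RDN = List[AVA]         # one RDN: a single AVA, or several joined with '+'

# Subjects copied from the recipes in this README (not constructed).
CLIENT_SUBJ = "/CN=client/OU=KernelUser/O=MongoDB/L=New York City/ST=New York/C=US"
MULTIVALUE_SUBJ = "/CN=client+OU=KernelUser+O=MongoDB/L=New York City+ST=New York+C=US"
ROLLOVER_CA_SUBJ = r"/CN=Kernel Rollover Test CA/OU=Kernel/O=MongoDB\, Inc./L=New York/ST=New York/C=US"


def _split_ava(token: str) -> AVA:
    """'type=value' -> (type, value); the value may itself contain '='."""
    typ, sep, value = token.partition("=")
    if not sep or not typ:
        raise ValueError(f"component {token!r} is not of the form type=value")
    return typ, value


def parse_subj(subj: str) -> List[RDN]:
    """Split an OpenSSL subject string into RDNs.

    Rules, as documented for `openssl req -subj`:
      * the string starts with '/', and '/' separates RDNs;
      * '+' separates the AVAs of a multi-valued RDN (what -multivalue-rdn
        enabled on older OpenSSL; current releases always treat '+' so);
      * a backslash makes the next character literal, so `MongoDB\\, Inc.`
        keeps its comma and `a\\/b` keeps its slash;
      * a trailing '/' is allowed and adds nothing.
    """
    if not subj.startswith("/"):
        raise ValueError("subject must start with '/'")
    rdns: List[RDN] = []
    cur_rdn: RDN = []
    token = ""            # characters of the current AVA, escapes resolved
    i = 1
    while i <= len(subj):
        c = subj[i] if i < len(subj) else "/"   # virtual terminator
        if c == "\\" and i + 1 < len(subj):
            i += 1
            token += subj[i]                     # escaped char is literal
        elif c == "/" or c == "+":
            if token:
                cur_rdn.append(_split_ava(token))
                token = ""
            elif c == "+":
                raise ValueError("empty component before '+'")
            if c == "/" and cur_rdn:
                rdns.append(cur_rdn)
                cur_rdn = []
        else:
            token += c
        i += 1
    return rdns


def attributes(rdns: List[RDN]) -> List[AVA]:
    """Flatten to the plain attribute list, ignoring how RDNs are grouped."""
    return [ava for rdn in rdns for ava in rdn]


if __name__ == "__main__":
    for s in (CLIENT_SUBJ, MULTIVALUE_SUBJ, ROLLOVER_CA_SUBJ):
        print(parse_subj(s))
```

`attributes()` is equal for the two client subjects while `parse_subj()` is not, which is exactly the property the multi-value test certificate exercises: any consumer that keys users on the full subject (rather than on a bag of attributes) must treat the two certificates as different identities.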

---------------------------
ecdsa-*.pem are ECDSA signed certificates:

Generate an EC key (on a well-known named curve):
openssl ecparam -name prime256v1 -genkey -out mykey.key

Create the certificate request:
openssl req -new -key mykey.key -out mycsr.csr

Sign the request with the ECDSA test CA and generate the certificate:
openssl x509 -req -days 3650 -in mycsr.csr -CA ecdsa-ca.pem -CAcreateserial -out mycrt.crt -sha256

To include SANs in the certificate, run this instead:
openssl x509 -req -days 3650 -in mycsr.csr -CA ecdsa-ca.pem -CAcreateserial -out mycrt.crt -sha256 -extfile <(printf "subjectAltName=DNS:localhost,DNS:127.0.0.1")

Combine the certificate and key into one PEM file:
cat mycrt.crt mykey.key > mycrt.pem

---------------------------
How to generate a certificate with a custom extension:

1. Generate a normal certificate signing request without an extension
2. Make a copy of the system openssl.cnf and append this text to the file
    On Redhat/Fedora, openssl.cnf is in /etc/pki/tls

See jstests/libs/mongodbauthorizationgrant.cnf for how to generate the text with the
'openssl asn1parse' command.

[MongoDBAuthorizationGrant]
1.3.6.1.4.1.34601.2.1.1 = DER:312B300F0C066261636B75700C0561646D696E30180C0F72656164416E7944617461626173650C0561646D696E

3. Sign the certificate and add the custom extension
4. Make a new pem with the certificate and key

Example Commands
----------------
openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout roles.key -out roles.csr

Example with subject name:
openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout roles.key -out roles.csr -subj "/C=US/ST=New York/L=New York City/O=MongoDB/OU=KernelUser/CN=client/emailAddress=example@mongodb.com"

openssl x509 -req -sha256 -in roles.csr -days 3650 -out roles.pem -extfile openssl.cnf -extensions MongoDBAuthorizationGrant -CA jstests/libs/ca.pem -CAcreateserial

openssl rsa -in roles.key -out roles2.key

cat roles.pem roles2.key > roles_final.pem
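The DER value in the [MongoDBAuthorizationGrant] section above decodes to a SET OF SEQUENCE { UTF8String role, UTF8String db } holding backup@admin and readAnyDatabase@admin. The encoder/decoder below is an added example, not code from the MongoDB test suite; it regenerates that exact hex without 'openssl asn1parse', so a grant can be reviewed or rebuilt from a role list. The structure is read off the page's DER and the OID is the one the README uses; nothing else is assumed.

```python
"""Encode and decode the MongoDBAuthorizationGrant extension value.

Added example, not part of the MongoDB test suite. The extension body is
SET OF SEQUENCE { UTF8String role, UTF8String db } (structure read from the
DER in this README); the OID 1.3.6.1.4.1.34601.2.1.1 is the README's.
"""

from typing import List, Tuple

TAG_UTF8STRING, TAG_SEQUENCE, TAG_SET = 0x0C, 0x30, 0x31

# The README's own hex value (not constructed here).
README_HEX = ("312B300F0C066261636B75700C0561646D696E30180C0F7265616441"
              "6E7944617461626173650C0561646D696E")


def _len(n: int) -> bytes:
    """DER length: short form below 128, else 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _len(len(body)) + body


def encode_grant(roles: List[Tuple[str, str]]) -> bytes:
    """[(role, db)] -> DER extension value.

    DER orders SET OF members by their encodings, so input order does not
    matter: the canonical encoding is always produced.
    """
    members = [
        _tlv(TAG_SEQUENCE,
             _tlv(TAG_UTF8STRING, role.encode("utf-8"))
             + _tlv(TAG_UTF8STRING, db.encode("utf-8")))
        for role, db in roles
    ]
    return _tlv(TAG_SET, b"".join(sorted(members)))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, body, position after the element) for the TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        count = length & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of data")
    return tag, buf[pos:end], end


def decode_grant(der: bytes) -> List[Tuple[str, str]]:
    """Inverse of encode_grant, checking every tag and length."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SET or end != len(der):
        raise ValueError("expected a single SET")
    roles = []
    pos = 0
    while pos < len(body):
        tag, seq, pos = _read_tlv(body, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("expected SEQUENCE inside SET")
        t1, role, p = _read_tlv(seq, 0)
        t2, db, p = _read_tlv(seq, p)
        if t1 != TAG_UTF8STRING or t2 != TAG_UTF8STRING or p != len(seq):
            raise ValueError("expected exactly two UTF8Strings per grant")
        roles.append((role.decode("utf-8"), db.decode("utf-8")))
    return roles


def openssl_cnf_line(roles: List[Tuple[str, str]]) -> str:
    """The `oid = DER:hex` line for the [MongoDBAuthorizationGrant] section."""
    return "1.3.6.1.4.1.34601.2.1.1 = DER:" + encode_grant(roles).hex().upper()


if __name__ == "__main__":
    print(decode_grant(bytes.fromhex(README_HEX)))
    print(openssl_cnf_line([("readAnyDatabase", "admin"), ("backup", "admin")]))
```

Decoding a certificate's grant before trusting it is the check worth keeping: the strict tag and length validation rejects anything that is not a well-formed list of (role, db) pairs instead of silently reading garbage.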


Example Commands for UTF-8
--------------------------
openssl req -new -utf8 -nameopt multiline,utf8 -config jstests/libs/client_utf8.cnf -newkey rsa:2048 -nodes -keyout roles.key -out roles.csr

Generating other certificates
-----------------------------

The openssl_configs directory contains the openssl config files to create/sign certificates from the
test CA. There is one config file per certificate. As an example, to generate server.pem:

Reset the CA state with fresh directories and a new serial
$ mkdir ca_state
$ echo '01' > ca_state/serial
$ touch ca_state/index.txt

Create the CSR for the server certificate from its config (this will also generate server.key)
$ openssl req -new -config openssl_config/server.cnf -out server.csr

Sign the certificate with the CA (this will update ca_state and output the certificate as server.pem)
$ openssl ca -config openssl_config/ca.cnf -out server.pem -in server.csr

Concatenate the server key into the certificate you just generated
$ cat server.key >> server.pem

Clean up - we don't keep the ca_state around
$ rm -rf ca_state server.key server.csr

Generating CRLs
---------------

Issue a certificate using the CA config above, then revoke it and create a CRL file:

Reset the CA state with fresh directories and a new serial
$ mkdir ca_state
$ echo '01' > ca_state/serial
$ touch ca_state/index.txt

Create the CSR for the client certificate from its config (this will also generate client_revoked.key)
$ openssl req -new -config openssl_config/client_revoked.cnf -out client_revoked.csr

Sign the certificate
$ openssl ca -config openssl_config/ca.cnf -out client_revoked.pem -in client_revoked.csr

Revoke the certificate
$ openssl ca -config openssl_config/ca.cnf -revoke client_revoked.pem

Generate the CRL
$ openssl ca -config openssl_config/ca.cnf -gencrl -out crl_client_revoked.pem

Concatenate the key into the revoked certificate
$ cat client_revoked.key >> client_revoked.pem

Clean up
$ rm -rf ca_state client_revoked.key client_revoked.csr
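Every recipe in this README ends by concatenating PEM blocks: a key appended to its certificate (rollover_server.pem, client-self-signed.pem, mycrt.pem, roles_final.pem, client_revoked.pem), two CA certificates merged for the rollover test (rollover_ca_merged.pem), or a CRL written on its own. The inspector below is an added example, not code from the MongoDB test suite; it splits such a bundle into PEM blocks, verifies each body is base64 wrapping a DER SEQUENCE, and reports what the file holds, so a key deleted before it was appended or a CRL dropped into a key file is caught before the file is handed to the server. The sample PEM blocks in it are constructed stand-ins (a bare DER SEQUENCE), not real certificates or keys.

```python
"""Inspect the concatenated PEM bundles produced by the recipes in this README.

Added example, not part of the MongoDB test suite. Sample inputs are
constructed: each block wraps the DER SEQUENCE { INTEGER 1 }, not a real
certificate, key or CRL.
"""

import base64
import re
from typing import Dict, List, Tuple

_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Labels OpenSSL uses for the key formats these recipes emit: PKCS#8
# ("PRIVATE KEY"), PKCS#1 after `openssl rsa` ("RSA PRIVATE KEY"), SEC1
# from `openssl ecparam -genkey` ("EC PRIVATE KEY"), and encrypted PKCS#8.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}


def pem_blocks(text: str) -> List[Tuple[str, bytes]]:
    """Return [(label, DER bytes)] for every PEM block, in file order."""
    blocks = []
    for label, body in _BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        # Every object written here (cert, CRL, RSA/EC/PKCS#8 key) is an
        # ASN.1 SEQUENCE, so a valid body starts with tag 0x30.
        if not der or der[0] != 0x30:
            raise ValueError(f"{label}: body is not a DER SEQUENCE")
        blocks.append((label, der))
    return blocks


def summarise(text: str) -> Dict[str, object]:
    """Counts of certificates, CRLs and keys in the bundle."""
    labels = [label for label, _ in pem_blocks(text)]
    return {
        "certificates": labels.count("CERTIFICATE"),
        "crls": labels.count("X509 CRL"),
        "keys": [l for l in labels if l in KEY_LABELS],
        "encrypted_key": "ENCRYPTED PRIVATE KEY" in labels,
    }


def check_pemkeyfile(text: str) -> List[str]:
    """Problems with a bundle meant to serve as certificate-plus-key file."""
    s = summarise(text)
    problems = []
    if s["certificates"] == 0:
        problems.append("no CERTIFICATE block")
    if len(s["keys"]) != 1:
        problems.append(f"expected exactly one private key, found {len(s['keys'])}")
    if s["crls"]:
        problems.append("CRL block present in a key file")
    if s["encrypted_key"]:
        problems.append("private key is encrypted; a passphrase is needed to load it")
    return problems


def _pem(label: str, der: bytes) -> str:
    """Wrap DER as a PEM block with 64-column base64 (used for the samples)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed samples mirroring the bundles the recipes produce.
_TINY = bytes.fromhex("3003020101")          # SEQUENCE { INTEGER 1 }
SAMPLE_SERVER_PEM = _pem("CERTIFICATE", _TINY) + _pem("RSA PRIVATE KEY", _TINY)
SAMPLE_EC_PEM = _pem("CERTIFICATE", _TINY) + _pem("EC PRIVATE KEY", _TINY)
SAMPLE_MERGED_CA = _pem("CERTIFICATE", _TINY) + _pem("CERTIFICATE", _TINY)
SAMPLE_CRL = _pem("X509 CRL", _TINY)

if __name__ == "__main__":
    for name, pem in (("server", SAMPLE_SERVER_PEM), ("merged CA", SAMPLE_MERGED_CA),
                      ("crl", SAMPLE_CRL)):
        print(name, summarise(pem), check_pemkeyfile(pem))
```

The merged rollover CA bundle is expected to fail `check_pemkeyfile` (two certificates, no key): it is a trust store, not a key file, and the check makes that distinction explicit rather than leaving it to the file name.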