
client-self-signed.pem represents the same RDN as client.pem, but using itself as a CA:

openssl req -nodes -new -subj '/CN=client/OU=KernelUser/O=MongoDB/L=New York City/ST=New York/C=US' -out css.csr -keyout css.rsa
openssl rsa -in css.rsa -out css.key
openssl x509 -in css.csr -out jstests/libs/client-self-signed.pem -req -signkey client-self-signed.key -days 3650
cat css.key >> jstests/libs/client-self-signed.pem
rm css.{csr,rsa,key}

---------------------------
client-multivalue-rdn.pem represents the same RDN as client.pem, but with some of the RDN components grouped into multi-valued RDNs:

openssl req -new -nodes -subj '/CN=client+OU=KernelUser+O=MongoDB/L=New York City+ST=New York+C=US' -multivalue-rdn \
            -keyout client-multivalue-rdn.key -out client-multivalue-rdn.csr
openssl rsa -in client-multivalue-rdn.key -out client-multivalue-rdn.rsa
openssl x509 -in client-multivalue-rdn.csr -out client-multivalue-rdn.pem -req -CA ca.pem -days 3650 -CAcreateserial
cat client-multivalue-rdn.rsa >> client-multivalue-rdn.pem
rm ca.srl client-multivalue-rdn.key client-multivalue-rdn.rsa client-multivalue-rdn.csr

---------------------------
ecdsa-*.pem are ECDSA signed certificates:

Generate an EC private key on a well-known named curve (prime256v1):
openssl ecparam -name prime256v1 -genkey -out mykey.key

Create a certificate signing request from that key:
openssl req -new -key mykey.key -out mycsr.csr

Sign the request with the ECDSA CA and generate the certificate:
openssl x509 -req -days 3650 -in mycsr.csr -CA ecdsa-ca.pem -CAcreateserial -out mycrt.crt -sha256

To include SANs in the certificate, run this instead:
openssl x509 -req -days 3650 -in mycsr.csr -CA ecdsa-ca.pem -CAcreateserial -out mycrt.crt -sha256 -extfile <(printf "subjectAltName=DNS:localhost,DNS:127.0.0.1")

Combine the certificate and the private key into a single PEM file:
cat mycrt.crt mykey.key > mycrt.pem

---------------------------
The other certificates in this directory come from x509gen.
How to generate a certificate with a custom extension:

1. Generate a normal certificate signing request without an extension
2. Make a copy of the system openssl.cnf and append the text below to the copy.
    On Redhat/Fedora, openssl.cnf is in /etc/pki/tls.

See jstests\libs\mongodbauthorizationgrant.cnf for how to generate the text with the
'openssl asn1parse' command.

[MongoDBAuthorizationGrant]
1.3.6.1.4.1.34601.2.1.1 = DER:312B300F0C066261636B75700C0561646D696E30180C0F72656164416E7944617461626173650C0561646D696E

3. Sign the certificate and add the custom extension
4. Make a new pem with the certificate and key

Example Commands
----------------
openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout roles.key -out roles.csr

Example with subject name:
openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout roles.key -out roles.csr -subj "/C=US/ST=New York/L=New York City/O=MongoDB/OU=KernelUser/CN=client/emailAddress=example@mongodb.com"

openssl x509 -req -sha256 -in roles.csr -days 3650 -out roles.pem -extfile openssl.cnf -extensions MongoDBAuthorizationGrant -CA jstests/libs/ca.pem -CAcreateserial

openssl rsa -in roles.key -out roles2.key

cat roles.pem roles2.key > roles_final.pem


Example Commands for UTF-8
--------------------------
openssl req -new -utf8 -nameopt multiline,utf8  -config .\jstests\libs\client_utf8.cnf -newkey rsa:2048 -nodes -keyout roles.key -out roles.csr