faq007_ssl certificates
Disclaimer: Here, we show how to create self-signed SSL certificates, which have some issues (see, for a start, https://en.wikipedia.org/wiki/Self-signed_certificate). You might want to use SSL certificates that were signed by an official Certificate Authority.
The commands below are written for a bash terminal and should work on Linux servers and macOS.

First, we generate a 2048-bit private key for our own certificate authority (CA):

```bash
openssl genrsa -out CA_private.key 2048
```

You should see something like this:

```
Generating RSA private key, 2048 bit long modulus
........+++++
...........+++++
```
Next, we create a self-signed CA certificate from this key:

```bash
openssl req -x509 -new -nodes -key CA_private.key -sha256 -days 1024 -out CA_public.pem
```

The option `-days` specifies how long the certificate will be valid. We are choosing 1024 days here. When you press enter, you will be asked to answer some questions. You can answer these as you see fit.

```
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
```

The command creates a file called `CA_public.pem`, which contains the public certificate of our CA.
Again, we generate a 2048-bit private key, this time for the MongoDB server:

```bash
openssl genrsa -out mongodb_private.key 2048
```

Next, we create a so-called certificate signing request (CSR):

```bash
openssl req -new -key mongodb_private.key -out mongodb_request.csr
```

Again, when you press enter, you will be asked to answer some questions. Attention: the option `Common Name` is important this time. You need to fill this field with the exact address of your MongoDB instance. If you do not have a domain name for the server, pick an arbitrary name here and just continue to follow the steps.
You will also be asked for a challenge password. Explanation taken from this thread at StackOverflow:

> The challenge password is basically a shared-secret once between you and the SSL certificate-issuer (aka Certification Authority, or CA), embedded in the CSR, which the issuer may use to authenticate you should that ever be needed. Should you choose to enter and use a challenge password, you will need to make sure that you save that password in a secure place. If you ever need to reinstall your certificate for any reason, you will be required to enter that password.

For self-signed certificates, you can probably leave the field blank.

```
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
```
Now, we use the CA certificate and CA private key from above to sign this request. Again, we choose to make the certificate valid for an arbitrary number of 1024 days.

If you specified your domain name in the previous command under "Common Name":

```bash
openssl x509 -req -in mongodb_request.csr -CA CA_public.pem -CAkey CA_private.key -CAcreateserial -out mongodb_public.crt -days 1024 -sha256
```

The resulting file `mongodb_public.crt` is our signed public certificate.
If you want to use an IP address:

- Open the file `openssl.cnf` (probably located at `/etc/ssl/openssl.cnf` if you use a Linux server). For example, to open it as root with the editor vim: `sudo vim /etc/ssl/openssl.cnf`
- Scroll down to the section `[ v3_ca ]`
- Add the line `subjectAltName = IP:10.0.0.10`, substituting `10.0.0.10` with your actual IP address.
- Save the changes.
Now, we use the CA certificate and CA private key from above to sign this request. Again, we choose to make the certificate valid for an arbitrary number of 1024 days. The options `-extfile openssl.cnf` and `-extensions v3_ca` incorporate the IP address from the edited section into the signed certificate.

```bash
openssl x509 -req -in mongodb_request.csr -CA CA_public.pem -CAkey CA_private.key -CAcreateserial -out mongodb_public.crt -days 1024 -sha256 -extfile openssl.cnf -extensions v3_ca
```

The resulting file `mongodb_public.crt` is our signed public certificate.
We combine the private key and the public certificate in one file (this is the file that you enter in your MongoDB config, for example):

```bash
cat mongodb_private.key mongodb_public.crt > mongodb_client_keypair.pem
```

If you have trouble with permissions while writing this file, you can use the command below to run it as root via sudo.

```bash
sudo bash -c 'cat mongodb_private.key mongodb_public.crt > mongodb_client_keypair.pem'
```
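The whole procedure above as a non-interactive script, added here as an example and not part of the original page: `-subj` replaces the interactive prompts, and a small local config/extension file replaces editing `/etc/ssl/openssl.cnf`. The CA name and the IP passed in are constructed values; `check_chain` does what a client holding `CA_public.pem` does when it connects, so you can confirm the certificate really is valid for the address before pointing MongoDB at it.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): the steps above, non-interactively.
# -subj replaces the prompts; req.cnf and server_ext.cnf replace editing the system
# openssl.cnf. The CA name and the IP argument are constructed values.
set -eu

# make_chain DIR IP : CA key + self-signed CA cert, server key + CSR, signed server
# cert with IP in subjectAltName, and the combined key+cert file for the mongod config.
make_chain() (
  local dir="$1" ip="$2"
  mkdir -p "$dir" && cd "$dir"
  # Minimal req config: CA:TRUE on the CA cert so verifiers accept it as an issuer.
  printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n' > req.cnf
  printf '[v3_ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >> req.cnf
  openssl genrsa -out CA_private.key 2048 2>/dev/null
  openssl req -x509 -new -nodes -key CA_private.key -sha256 -days 1024 \
    -config req.cnf -subj "/CN=Example self-signed CA" -out CA_public.pem
  openssl genrsa -out mongodb_private.key 2048 2>/dev/null
  # CN is the address clients connect to; the SAN below is what clients actually check.
  openssl req -new -key mongodb_private.key -config req.cnf -subj "/CN=${ip}" \
    -out mongodb_request.csr
  # Same effect as adding subjectAltName to [ v3_ca ] in the system config, but local.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=IP:%s\n' "$ip" > server_ext.cnf
  openssl x509 -req -in mongodb_request.csr -CA CA_public.pem -CAkey CA_private.key \
    -CAcreateserial -days 1024 -sha256 -extfile server_ext.cnf \
    -out mongodb_public.crt 2>/dev/null
  cat mongodb_private.key mongodb_public.crt > mongodb_client_keypair.pem
)

# check_chain DIR IP : what a client holding CA_public.pem does on connect -- verify
# the chain and that the certificate is valid for IP. Prints "ok" or "fail".
check_chain() {
  local dir="$1" ip="$2"
  if openssl verify -CAfile "$dir/CA_public.pem" -verify_ip "$ip" \
       "$dir/mongodb_public.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Demo when run directly: bash this_script.sh demo
if [ "${1:-}" = "demo" ]; then
  make_chain ./tls-demo 10.0.0.10
  check_chain ./tls-demo 10.0.0.10   # ok
  check_chain ./tls-demo 10.0.0.11   # fail: this IP is not in subjectAltName
fi
```

A mismatch between the address a client dials and the certificate's subjectAltName is the most common reason a MongoDB TLS setup fails after following these steps, which is why the check is run against the wrong address as well.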
If you have trouble getting your code to work, you can contact our support via [email protected]. Please make sure to test your code diligently before asking for help.