rollover_*.pem are certificates and a CA used to test rolling over X509 cluster authentication

# Generate the root CA certificate:
openssl genrsa -out rollover_ca.key 4096
openssl req -key rollover_ca.key -new -x509 -days 3650 -out rollover_ca.pem \
    -subj '/CN=Kernel Rollover Test CA/OU=Kernel/O=MongoDB\, Inc./L=New York/ST=New York/C=US' \
    -addext "keyUsage = critical, digitalSignature, cRLSign, keyCertSign"

# Bundle the new CA with the existing test CA so certificates issued by either validate during the rollover
cat rollover_ca.pem ca.pem > rollover_ca_merged.pem
# Keep the CA key together with its certificate (rollover_ca.pem is passed as -CA below)
cat rollover_ca.key >> rollover_ca.pem
rm rollover_ca.key

# Generate the server key and cert:
openssl genrsa -out rollover_server.key 2048
openssl req -new -key rollover_server.key -days 3650 -out rollover_server.csr \
    -subj '/CN=server/OU=Kernel (Rollover)/O=MongoDB\, Inc. (Rollover)/L=New York/ST=New York/C=US/'

# Sign the new server cert and clean up
openssl x509 -req -days 3650 -in rollover_server.csr -CA rollover_ca.pem -CAcreateserial \
    -out rollover_server.pem -sha256 -extfile <(printf "subjectAltName=DNS:localhost,DNS:127.0.0.1")
cat rollover_server.key >> rollover_server.pem
rm rollover_server.key
rm rollover_server.csr
rm rollover_ca.srl
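The cat/rm steps above leave each rollover file as a sequence of PEM blocks (certificate followed by its key, or several certificates). The following is an added example, not code from the MongoDB README or repository: a stdlib-only inspector that splits a PEM file into its blocks, checks the layout of rollover_server.pem and rollover_ca.pem against what the steps produce, and flags any private key block in a bundle. The sample files it runs on are constructed with dummy DER payloads, so it runs offline without openssl.

```python
"""Inspect PEM bundles of the kind the rollover steps produce.

Added example, not part of the MongoDB README.  Only the PEM envelope is
parsed (stdlib only); the sample bundles below are constructed with dummy
DER payloads.
"""
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)

# Layouts that follow directly from the cat steps in the README:
#   rollover_server.pem = server certificate followed by its private key
#   rollover_ca.pem     = CA certificate followed by the CA private key
EXPECTED_LAYOUTS = {
    "rollover_server.pem": ["CERTIFICATE", "PRIVATE KEY"],
    "rollover_ca.pem": ["CERTIFICATE", "PRIVATE KEY"],
}

def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block in `text`.

    Raises ValueError if a block's base64 body does not decode or its DER
    does not start with a SEQUENCE tag (0x30), as certificates, PKCS#8
    keys and traditional RSA/EC keys all do.
    """
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:
            raise ValueError(f"{label}: body is not DER")
        blocks.append((label, der))
    return blocks

def layout(text):
    """Block labels in file order; every *PRIVATE KEY label is normalised
    to PRIVATE KEY because the label depends on the key type."""
    return ["PRIVATE KEY" if label.endswith("PRIVATE KEY") else label
            for label, _ in pem_blocks(text)]

def check_layout(filename, text):
    """Return (ok, found_labels) for one of the files in EXPECTED_LAYOUTS."""
    found = layout(text)
    return found == EXPECTED_LAYOUTS[filename], found

def has_private_key(text):
    """True if any private key block is present.  Worth running on a CA
    bundle before it is copied to hosts that only need to verify certs."""
    return any(label == "PRIVATE KEY" for label in layout(text))

def _fake_block(label, payload):
    # Constructed PEM block: a minimal DER SEQUENCE wrapping `payload`
    der = bytes([0x30, len(payload)]) + payload
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed sample files standing in for the real artifacts
CERT_NEW = _fake_block("CERTIFICATE", b"new-ca")
CERT_OLD = _fake_block("CERTIFICATE", b"old-ca")
KEY = _fake_block("RSA PRIVATE KEY", b"secret")
SAMPLE_SERVER = _fake_block("CERTIFICATE", b"server") + KEY
SAMPLE_BUNDLE = CERT_NEW + CERT_OLD
SAMPLE_BAD_BUNDLE = CERT_NEW + KEY + CERT_OLD   # a key slipped into a trust bundle

if __name__ == "__main__":
    print("rollover_server.pem", check_layout("rollover_server.pem", SAMPLE_SERVER))
    for name, text in [("bundle", SAMPLE_BUNDLE), ("bad bundle", SAMPLE_BAD_BUNDLE)]:
        print(name, layout(text), "contains a private key!" if has_private_key(text) else "")
```

`pem_blocks` deliberately stops at the envelope: the DER inside is not parsed, so the check is cheap enough to run in a pre-commit hook over every .pem in jstests/libs.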

---------------------------

client-self-signed.pem represents the same RDN as client.pem, but using itself as a CA:

openssl req -nodes -new -subj '/CN=client/OU=KernelUser/O=MongoDB/L=New York City/ST=New York/C=US' -out css.csr -keyout css.rsa
openssl rsa -in css.rsa -out css.key
# self-signed: the CSR is signed with its own key (css.key) instead of ca.pem
openssl x509 -in css.csr -out jstests/libs/client-self-signed.pem -req -signkey css.key -days 3650
cat css.key >> jstests/libs/client-self-signed.pem
rm css.{csr,rsa,key}

---------------------------

client-multivalue-rdn.pem represents the same RDN as client.pem, but grouping some elements together:

openssl req -new -nodes -subj '/CN=client+OU=KernelUser+O=MongoDB/L=New York City+ST=New York+C=US' -multivalue-rdn \
    -keyout client-multivalue-rdn.key -out client-multivalue-rdn.csr
openssl rsa -in client-multivalue-rdn.key -out client-multivalue-rdn.rsa
openssl x509 -in client-multivalue-rdn.csr -out client-multivalue-rdn.pem -req -CA ca.pem -days 3650 -CAcreateserial
cat client-multivalue-rdn.rsa >> client-multivalue-rdn.pem
rm ca.srl client-multivalue-rdn.key client-multivalue-rdn.rsa client-multivalue-rdn.csr
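What -multivalue-rdn changes is the grouping, not the attribute values: the multi-valued subject above carries exactly the attributes of client.pem, but packed into two RDNs instead of six. The following added example (not code from the MongoDB README or repository) parses both -subj strings from this README and compares them RDN by RDN, the way an X.509 name comparison does, and flat, attribute by attribute. The parser's rules are an assumption about OpenSSL's -subj syntax: '/' separates RDNs, '+' separates the attributes of one RDN, and a backslash escapes the next character (as in "MongoDB\, Inc." above).

```python
"""Parse OpenSSL -subj strings and compare single- and multi-valued RDN subjects.

Added example, not from the MongoDB README.  The two subjects are the ones
used for client.pem and client-multivalue-rdn.pem in this README; the
parser's treatment of '/', '+' and backslash escapes is an assumption.
"""

SINGLE_VALUE_SUBJ = "/CN=client/OU=KernelUser/O=MongoDB/L=New York City/ST=New York/C=US"
MULTI_VALUE_SUBJ = "/CN=client+OU=KernelUser+O=MongoDB/L=New York City+ST=New York+C=US"

def parse_subj(subj):
    """Return the subject as a list of RDNs, each a list of (type, value).

    A leading '/' is required, as for openssl req -subj.  A trailing '/'
    (the rollover server subject above has one) adds no empty RDN.
    """
    if not subj.startswith("/"):
        raise ValueError("subject must start with '/'")
    rdns, attrs, cur = [], [], []

    def flush_attr():
        text = "".join(cur)
        if text:
            typ, eq, value = text.partition("=")
            if not typ or not eq:
                raise ValueError(f"malformed attribute: {text!r}")
            attrs.append((typ, value))
        cur.clear()

    def flush_rdn():
        flush_attr()
        if attrs:
            rdns.append(list(attrs))
        attrs.clear()

    i = 1
    while i < len(subj):
        ch = subj[i]
        if ch == "\\" and i + 1 < len(subj):   # escaped character, e.g. "\,"
            cur.append(subj[i + 1])
            i += 2
            continue
        if ch == "/":
            flush_rdn()
        elif ch == "+":
            flush_attr()
        else:
            cur.append(ch)
        i += 1
    flush_rdn()
    return rdns

def flat_attributes(rdns):
    """All (type, value) pairs in order, ignoring how they are grouped into RDNs."""
    return [attr for rdn in rdns for attr in rdn]

def same_subject(a, b, structural=True):
    """Compare two parsed subjects.

    structural=True follows X.509 name matching: same number of RDNs, and
    each RDN is an unordered set of attributes that must match its peer.
    structural=False compares only the flattened attribute list.
    """
    if structural:
        return len(a) == len(b) and all(set(x) == set(y) for x, y in zip(a, b))
    return flat_attributes(a) == flat_attributes(b)

if __name__ == "__main__":
    single, multi = parse_subj(SINGLE_VALUE_SUBJ), parse_subj(MULTI_VALUE_SUBJ)
    print("RDN counts:", len(single), len(multi))
    print("same attributes:", same_subject(single, multi, structural=False))
    print("same structure: ", same_subject(single, multi))
```

The two results differ, which is exactly what client-multivalue-rdn.pem exists to exercise: any code that compares subjects as a flat attribute list will consider it the same identity as client.pem, while an RDN-structured comparison will not.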

---------------------------

ecdsa-*.pem are ECDSA signed certificates:

generate an ec-key (from a well known curve)
openssl ecparam -name prime256v1 -genkey -out mykey.key

create certificate request
openssl req -new -key mykey.key -out mycsr.csr

sign key and generate certificate
openssl x509 -req -days 3650 -in mycsr.csr -CA ecdsa-ca.pem -CAcreateserial -out mycrt.crt -sha256

to include SANs in the certificate, instead run
openssl x509 -req -days 3650 -in mycsr.csr -CA ecdsa-ca.pem -CAcreateserial -out mycrt.crt -sha256 -extfile <(printf "subjectAltName=DNS:localhost,DNS:127.0.0.1")

combine key and certificate
cat mycrt.crt mykey.key > mycrt.pem

---------------------------

How to generate a certificate with a custom extension:

1. Generate a normal certificate signing request without an extension
2. Make a copy of the system openssl.cnf and append the text below to the file
   (on Red Hat/Fedora, openssl.cnf is in /etc/pki/tls)

   See jstests\libs\mongodbauthorizationgrant.cnf for how to generate the text with the
   'openssl asn1parse' command.

   [MongoDBAuthorizationGrant]
   1.3.6.1.4.1.34601.2.1.1 = DER:312B300F0C066261636B75700C0561646D696E30180C0F72656164416E7944617461626173650C0561646D696E

3. Sign the certificate and add the custom extension
4. Make a new pem with the certificate and key

Example Commands
----------------
openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout roles.key -out roles.csr

Example with subject name:
openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout roles.key -out roles.csr -subj "/C=US/ST=New York/L=New York City/O=MongoDB/OU=KernelUser/CN=client/emailAddress=example@mongodb.com"

openssl x509 -req -sha256 -in roles.csr -days 3650 -out roles.pem -extfile openssl.cnf -extensions MongoDBAuthorizationGrant -CA jstests/libs/ca.pem -CAcreateserial

openssl rsa -in roles.key -out roles2.key

cat roles.pem roles2.key > roles_final.pem
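The DER value in the [MongoDBAuthorizationGrant] section is where the certificate's authorization actually lives, so it is worth being able to read it without trusting a cnf file's comments. Decoded as 'openssl asn1parse' would show it, the value is a SET of SEQUENCEs, each holding two UTF8Strings: a role name and the database that role is defined on. The following added example (not code from the MongoDB README or repository) is a minimal stdlib-only DER codec that decodes the README's value back into role/database pairs and encodes a role list into the DER: line for the config section; the structure is read off the bytes on this page.

```python
"""Encode and decode the MongoDBAuthorizationGrant extension value.

Added example, not from the MongoDB README.  Structure (SET OF SEQUENCE
{ role UTF8String, db UTF8String }) is taken from the DER text in the
README's [MongoDBAuthorizationGrant] section.
"""

SET, SEQUENCE, UTF8STRING = 0x31, 0x30, 0x0C

# The value from the README's [MongoDBAuthorizationGrant] section
GRANT_FROM_README = "DER:312B300F0C066261636B75700C0561646D696E30180C0F72656164416E7944617461626173650C0561646D696E"

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at `pos`; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of value")
    return tag, buf[pos:pos + length], pos + length

def _children(buf):
    """Yield the (tag, value) elements of a constructed DER value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value

def decode_grant(der_text):
    """Return [(role, db), ...] from a 'DER:<hex>' (or bare hex) value."""
    hex_text = der_text[4:] if der_text.upper().startswith("DER:") else der_text
    raw = bytes.fromhex(hex_text)
    tag, body, end = _read_tlv(raw, 0)
    if tag != SET or end != len(raw):
        raise ValueError("grant must be a single SET")
    grants = []
    for tag, seq in _children(body):
        if tag != SEQUENCE:
            raise ValueError("each grant must be a SEQUENCE")
        fields = list(_children(seq))
        if len(fields) != 2 or any(t != UTF8STRING for t, _ in fields):
            raise ValueError("each grant must hold exactly two UTF8Strings")
        grants.append((fields[0][1].decode("utf-8"), fields[1][1].decode("utf-8")))
    return grants

def _tlv(tag, value):
    """DER-encode tag + length (short or long form) + value."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + value

def encode_grant(grants):
    """Produce the 'DER:<hex>' text for an openssl.cnf line from [(role, db)]."""
    elements = [
        _tlv(SEQUENCE, _tlv(UTF8STRING, role.encode("utf-8")) + _tlv(UTF8STRING, db.encode("utf-8")))
        for role, db in grants
    ]
    # DER requires the members of a SET OF to be sorted by their encoding
    return "DER:" + _tlv(SET, b"".join(sorted(elements))).hex().upper()

if __name__ == "__main__":
    for role, db in decode_grant(GRANT_FROM_README):
        print(f"role {role!r} on database {db!r}")
    print(encode_grant([("readAnyDatabase", "admin"), ("backup", "admin")]))
```

Decoding the README's value yields the backup and readAnyDatabase roles on the admin database, which is what a certificate signed with this section grants; reviewing that list is the check to make before adding such a certificate to a trust store.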

Example Commands for UTF-8
--------------------------
openssl req -new -utf8 -nameopt multiline,utf8 -config .\jstests\libs\client_utf8.cnf -newkey rsa:2048 -nodes -keyout roles.key -out roles.csr

Generating other certificates
-----------------------------

The openssl_configs directory contains the openssl config files to create/sign certificates from the
test CA. There is one config file per certificate. As an example, to generate server.pem:

Reset the CA state with fresh directories and a new serial
$ mkdir ca_state
$ echo '01' > ca_state/serial
$ touch ca_state/index.txt

Create the CSR for the server certificate from its config (this will also generate server.key)
$ openssl req -new -config openssl_config/server.cnf -out server.csr

Sign the certificate with the CA (this will update ca_state and output the certificate as server.pem)
$ openssl ca -config openssl_config/ca.cnf -out server.pem -in server.csr

Concatenate the server key into the certificate you just generated
$ cat server.key >> server.pem

Clean up - we don't keep the ca_state around
$ rm -rf ca_state server.key server.csr

Generating CRLs
---------------

Issue your certificate using the ca config above and then revoke it/create a CRL file:

Reset the CA state with fresh directories and a new serial
$ mkdir ca_state
$ echo '01' > ca_state/serial
$ touch ca_state/index.txt

Create the CSR for the client certificate to be revoked from its config (this will also generate client_revoked.key)
$ openssl req -new -config openssl_config/client_revoked.cnf -out client_revoked.csr

Sign the certificate
$ openssl ca -config openssl_config/ca.cnf -out client_revoked.pem -in client_revoked.csr

Revoke the certificate
$ openssl ca -config openssl_config/ca.cnf -revoke client_revoked.pem

Generate the CRL
$ openssl ca -config openssl_config/ca.cnf -gencrl -out crl_client_revoked.pem

Concatenate the key into the revoked certificate
$ cat client_revoked.key >> client_revoked.pem

Clean up
$ rm -rf ca_state client_revoked.key client_revoked.csr
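The ca_state directory the two procedures above create and throw away is the CA's database: 'openssl ca' appends one tab-separated line to ca_state/index.txt for every certificate it issues, '-revoke' changes that line's status from V to R and fills in the revocation date, and '-gencrl' lists every R entry. The following added example (not code from the MongoDB README or repository) parses that file and reports which serials the CRL will carry. The sample index is constructed to resemble the state after the client_revoked steps; its serials, dates and subjects are made up, and the field layout (status, expiry, revocation date with optional ,reason, serial, filename, subject) is assumed from the openssl ca documentation.

```python
"""Read the ca_state/index.txt database maintained by the openssl ca steps.

Added example, not from the MongoDB README.  SAMPLE_INDEX is constructed;
the tab-separated field layout is assumed from the openssl ca(1) docs.
"""
from datetime import datetime, timezone

# Constructed sample: a valid server cert, the revoked client cert, an expired cert
SAMPLE_INDEX = (
    "V\t340101000000Z\t\t01\tunknown\t/CN=server/OU=Kernel/O=MongoDB/L=New York City/ST=New York/C=US\n"
    "R\t340101000000Z\t240601120000Z,keyCompromise\t02\tunknown\t/CN=client_revoked/OU=KernelUser/O=MongoDB/L=New York City/ST=New York/C=US\n"
    "E\t200101000000Z\t\t03\tunknown\t/CN=old/OU=Kernel/O=MongoDB/L=New York City/ST=New York/C=US\n"
)

def _parse_time(text):
    """Parse the YYMMDDHHMMSSZ timestamps openssl ca writes (UTC)."""
    return datetime.strptime(text, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_index(text):
    """Return one dict per index.txt line; blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"expected 6 tab-separated fields: {line!r}")
        status, expiry, revocation, serial, filename, subject = fields
        if status not in ("V", "R", "E"):       # valid, revoked, expired
            raise ValueError(f"unknown status {status!r}")
        rev_date, _, reason = revocation.partition(",")
        entries.append({
            "status": status,
            "expires": _parse_time(expiry),
            "revoked_at": _parse_time(rev_date) if rev_date else None,
            "reason": reason or None,
            "serial": serial.upper(),
            "filename": filename,
            "subject": subject,
        })
    return entries

def revoked_serials(text):
    """Serials that -gencrl places on the CRL: every entry with status R."""
    return sorted(e["serial"] for e in parse_index(text) if e["status"] == "R")

def is_revoked(text, serial):
    """True if `serial` (hex, any case) is revoked in this index."""
    return serial.upper() in revoked_serials(text)

if __name__ == "__main__":
    for e in parse_index(SAMPLE_INDEX):
        print(e["status"], e["serial"], e["subject"], e["reason"] or "")
    print("on CRL:", revoked_serials(SAMPLE_INDEX))
```

Because the procedures delete ca_state afterwards, the CRL file is the only lasting record of the revocation; if a revoked certificate ever needs to be re-examined, this index is what to keep alongside crl_client_revoked.pem.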