-
Type: Task
-
Resolution: Fixed
-
Priority: Major - P3
-
Affects Version/s: None
-
Component/s: Server
-
Labels:None
We usually don’t provide full OpenSSL certificate creation or sign steps as this is an off topic that is usually addressed by the security administrator in each organisation. However, due the large amount of issues and support tickets in relation to this topic which can be easily resolved by following a correct procedure, I would like to see the following procedure available in the official documentation.
As everyone knows, any x.509 certificate should meet the standards and recommendations. One of the relevant things to consider is the certificate purpose (please take a look at the extended key usage section from the RFC 5280 for clarification).
Please find the following configuration and commands as an example of the correct OpenSSL steps to create a valid certificate.
OpenSSL configuration
# For the CA policy [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [ req ] default_bits = 4096 default_keyfile = server-key.pem default_md = sha1 distinguished_name = req_dn req_extensions = v3_req x509_extensions = v3_ca # The extentions to add to the self signed cert [ v3_req ] subjectKeyIdentifier = hash basicConstraints = CA:FALSE keyUsage = critical, digitalSignature, keyEncipherment nsComment = "OpenSSL Generated Certificate" extendedKeyUsage = serverAuth, clientAuth [ req_dn ] countryName = Country Name (2 letter code) countryName_default = IE countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Dublin stateOrProvinceName_max = 64 localityName = Locality Name (eg, city) localityName_default = Dublin localityName_max = 64 organizationName = Organization Name (eg, company) organizationName_default = MongoDB organizationName_max = 64 organizationalUnitName = Organizational Unit Name (eg, section) organizationalUnitName_default = Support organizationalUnitName_max = 64 commonName = Common Name (eg, YOUR name) commonName_max = 64 [ v3_ca ] # Extensions for a typical CA subjectKeyIdentifier=hash basicConstraints = critical,CA:true authorityKeyIdentifier=keyid:always,issuer:always # Key usage: this is typical for a CA certificate. However since it will # prevent it being used as an test self-signed certificate it is best # left out by default. keyUsage = critical,keyCertSign,cRLSign
Authority creation
openssl genrsa -out mongodb-ca.key 4096 openssl req -new -x509 -days 1826 -key mongodb-ca.key -out mongodb-ca.crt -config openssl.cnf
Intermediate authority creation
It is optional to have an intermediate authority for signing the server certificates. However, it is a good practice in terms of security and certificate management.
openssl genrsa -out mongodb-ia.key 4096
openssl req -new -key mongodb-ia.key -out mongodb-ia.csr -config openssl.cnf
openssl x509 -req -days 730 -in mongodb-ia.csr -CA mongodb-ca.crt -CAkey mongodb-ca.key -set_serial 01 -out mongodb-ia.crt -extfile openssl.cnf -extensions v3_ca
Final CA PEM file
cat mongodb-ca.crt > mongodb-ca.pem cat mongodb-ia.crt >> mongodb-ca.pem
Server certificate creation
After modifying or copying the OpenSSL configuration file, the following should be added to the v3_req section. Please note that this needs to be done for each of the servers.
[ v3_req ] ... subjectAltName = @alt_names [ alt_names ] DNS.1 = server1.mongodb.com DNS.2 = server1 DNS.3 = ip-192-168-44-31
The DNS names should match the server names. According to RFC 6125, hostname verification should be done against the certificate’s subjectAlternativeName’s dNSName field and not the CN (please take a look at https://tools.ietf.org/html/rfc6125#section-1.5).
openssl genrsa -out mongodb-server1.mongodb.com.key 4096
openssl req -new -key mongodb-server1.mongodb.com.key -out mongodb-server1.mongodb.com.csr -config openssl.cnf
openssl x509 -req -days 365 -in mongodb-server1.mongodb.com.csr -CA mongodb-ia.crt -CAkey mongodb-ia.key -CAcreateserial -out mongodb-server1.mongodb.com.crt -extfile openssl.cnf -extensions v3_req
Server PEM file (certificate and key) creation
cat mongodb-server1.mongodb.com.crt > mongodb-server1.mongodb.com.pem cat mongodb-server1.mongodb.com.key >> mongodb-server1.mongodb.com.pem
The same procedure can be used to create a client certificate. The following is an example of the x.509 fields from the server certificate.
Certificate: Data: Version: 3 (0x2) Serial Number: 18362953150530396348 (0xfed650996c8120bc) Signature Algorithm: sha256WithRSAEncryption Issuer: C=IE, ST=Dublin, L=Dublin, O=MongoDB, OU=Support, CN=MongoDB Support IA Validity Not Before: Dec 31 08:18:33 2015 GMT Not After : Dec 31 08:18:33 2016 GMT Subject: C=IE, ST=Dublin, L=Dublin, O=MongoDB, OU=Support, CN=mongodb-server1.mongodb.com ... X509v3 extensions: X509v3 Subject Key Identifier: E1:61:F7:BB:47:03:B3:1D:7A:CB:28:6A:01:80:4C:ED:DE:38:E8:28 X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: critical Digital Signature, Key Encipherment Netscape Comment: OpenSSL Generated Certificate X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Subject Alternative Name: DNS:server1.mongodb.com, DNS:server1, DNS:ip-192-168-44-31 ...
This kind of certificates should work well.
- is related to
-
DOCS-6351 Be more explicit in the type of certificate required for ssl certificates
- Closed
-
DOCS-6352 Specify structure of SSL certificate
- Closed
-
DOCS-9180 Document required CN / subjectAltName configuration for TLS certificates
- Closed
-
DOCS-4436 Add a section to the docs showing how to create a keystore
- Closed
-
DOCS-10776 MongoDB server SSL certificate and extendedKeyUsage
- Closed