  2. DOCS-2087 Documentation changes for MMS OnPrem 1.3
  3. DOCS-2255

OnPrem1.3: Instructions for configuring Jetty to run HTTPS

    • Type: Sub-task
    • Resolution: Done
    • Priority: Major - P3
    • 01112017-cleanup
    • Affects Version/s: None
    • Component/s: None
    • Labels:

      This should be a separate page, linked in the main install flow. Please make sure that it is clear that this is optional.

      ### Existing certificate already signed by a trusted 3rd-party (wildcard or exact domain)
      
      Proceed to the “Preparing Your Certificate” section below.
      
      ### New certificate and Signing Request for trusted 3rd-party
      
      $ openssl req -new -out mms-ssl.csr -newkey rsa:2048 -keyout mms-ssl.key
      [Specify a private key password]
      [Complete all certificate fields. Note: the Common Name *must* be the same hostname as your mms.centralUrl]
      [Refer to your trusted 3rd-party’s procedure for any content they may require in the ‘extra’ attributes.]
      
      * Submit your new CSR to the trusted 3rd-party so they can return a signed certificate.
      Note that this procedure varies by provider. Some trusted 3rd-parties will generate the private key, CSR, and signed certificate for you.
      
      Proceed to the “Preparing Your Certificate” section below.
      
      ### Self-Signed Certificate
      
      $ openssl req -x509 -days 3650 -newkey rsa:2048 -keyout mms-ssl.key -out mms-ssl.crt
      [Specify a private key password]
      [Complete all certificate fields. Note: the Common Name *must* be the same hostname as your mms.centralUrl]
      
      ### Preparing Your Certificate
      
      * If the signed certificate was delivered in DER (binary) format rather than PEM, convert it as follows:
      $ openssl x509 -in mms-ssl.cer -inform DER -outform PEM -out mms-ssl.crt
      
      * If your 3rd-party uses a certificate chain, concatenate the certificates into a single unified file, ordered from your server certificate through any intermediates to the root CA certificate:
      $ cat mms-ssl.crt [intermediate-3rdparty-ca-cert.crt] 3rdparty-root-ca-cert.crt > mms-ssl-unified.crt
      
      ### Creating Your Java Keystore
      
      * Combine your private key and signed certificate (or unified certificate chain; use mms-ssl.crt if you have no chain) into a PKCS12-formatted keystore:
      $ openssl pkcs12 -inkey mms-ssl.key -in mms-ssl-unified.crt -export -out mms-ssl.pkcs12
      [Provide your private key password]
      [Specify a new password for the exported PKCS12 keystore]
      
      * Convert the PKCS12 keystore into a Java Keystore:
      $ [mms-install-dir]/jdk/bin/keytool -importkeystore -srckeystore mms-ssl.pkcs12 -srcstoretype PKCS12 -destkeystore mms-keystore.jks
      [Specify a new password for the Java keystore. It can be the same as the PKCS12 keystore password, since mms-ssl.pkcs12 can be deleted after this step.]
      [Provide the PKCS12 keystore password]
      
      ### Configuring MMS for the Java keystore
      
      $ sudo cp -a mms-keystore.jks /etc/mongodb-mms/
      $ sudo chown mongodb-mms:root /etc/mongodb-mms/mms-keystore.jks
      $ sudo chmod 600 /etc/mongodb-mms/mms-keystore.jks
      $ [mms-install-dir]/bin/credentialstool --username keystore --password
      Enter Password: [keystore-password]
      
      Generating credentials pair...
      
      Your encrypted credentials pair:
      Username: abcdef1234567890-76d41ae0a98c
      Password: abcdef1234567890-2cc28e525d1f543464
      
      * Edit your mms.conf to specify the path to your keystore and the encrypted keystore password:
      $ sudo vi [mms-install-dir]/conf/mms.conf
      
      JAVA_MMS_SSL_OPTS="${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslEnabled=true"
      JAVA_MMS_SSL_OPTS="${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslKeyStorePath=/etc/mongodb-mms/mms-keystore.jks"
      JAVA_MMS_SSL_OPTS="${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslKeyStoreEncryptedPassword=abcdef1234567890-2cc28e525d1f543464"
      
      * Edit your conf-mms.properties file so that mms.centralUrl uses the https scheme and the SSL port 8443:
      mms.centralUrl=https://mms.acmewidgets.com:8443
      
      * Start the MMS server:
      $ sudo /etc/init.d/mongodb-mms start
      
      * Browse to your mms.centralUrl, e.g. https://mms.acmewidgets.com:8443
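Before building the PKCS12 keystore it is worth confirming that the private key, the certificate and the chain actually belong together, since a mismatched key or a mis-ordered bundle only surfaces as a Jetty start-up or browser trust error later. The following pre-flight check is an added example, not part of the original ticket or the MMS tooling; the function name `check_mms_bundle` is hypothetical, it assumes `openssl` is on the PATH, and it takes the file names used above (mms-ssl.key and mms-ssl.crt or mms-ssl-unified.crt, ordered server certificate first and root last).

```shell
#!/bin/sh
# Pre-flight checks for the key and certificate bundle before the PKCS12 step.
# Added example, not part of the original ticket. Assumes openssl on PATH and
# a bundle ordered as above: server certificate first, intermediates, root last.
#
# Usage: check_mms_bundle <key> <crt-or-unified-crt> <mms.centralUrl host> [key password]
# Exit codes: 0 ok, 1 no certs, 2 key/cert mismatch, 3 CN mismatch, 4 chain broken
check_mms_bundle() {
    key=$1; bundle=$2; host=$3; pass=${4:-}
    work=$(mktemp -d) || return 1

    # Split the concatenated PEM bundle into cert1.pem .. certN.pem and count them.
    count=$(awk -v dir="$work" '/-----BEGIN CERTIFICATE-----/{n++}
        n>0{print > (dir "/cert" n ".pem")} END{print n+0}' "$bundle")
    if [ "$count" -lt 1 ]; then
        echo "no certificates found in $bundle"; rm -rf "$work"; return 1
    fi
    leaf="$work/cert1.pem"; root="$work/cert$count.pem"

    # 1. The private key must belong to the leaf certificate: compare the
    #    digests of both public keys instead of trusting file names.
    cert_pub=$(openssl x509 -in "$leaf" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null | openssl sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match the first certificate in $bundle"; rm -rf "$work"; return 2
    fi

    # 2. The Common Name must equal the host part of mms.centralUrl.
    cn=$(openssl x509 -in "$leaf" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" != "$host" ]; then
        echo "certificate CN '$cn' does not match mms.centralUrl host '$host'"; rm -rf "$work"; return 3
    fi

    # 3. The leaf must verify against the last certificate, with anything in
    #    between passed as untrusted intermediates (a self-signed cert is its own root).
    untrusted=""
    if [ "$count" -gt 2 ]; then
        i=2; while [ "$i" -lt "$count" ]; do cat "$work/cert$i.pem"; i=$((i+1)); done > "$work/mid.pem"
        untrusted="-untrusted $work/mid.pem"
    fi
    if ! openssl verify -CAfile "$root" $untrusted "$leaf" >/dev/null 2>&1; then
        echo "first certificate does not chain to the last one in $bundle"; rm -rf "$work"; return 4
    fi
    rm -rf "$work"
    echo "bundle OK: $count certificate(s), CN=$cn"
}
```

Run it as `check_mms_bundle mms-ssl.key mms-ssl-unified.crt mms.acmewidgets.com 'key-password'` and only proceed to the `openssl pkcs12` step when it prints `bundle OK`.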
      

            Assignee: Sam Kleinman (Inactive)
            Reporter: Cailin Nelson
            Resolved: 10 years, 21 weeks, 2 days ago