### Existing certificate already signed by trusted 3rd-party (wildcard or exact domain)

Proceed to the “Preparing Your Certificate” section below.

### New certificate and Signing Request for trusted 3rd-party

$ openssl req -new -out mms-ssl.csr -newkey rsa:2048 -keyout mms-ssl.key

[Specify a private key password]

[Complete all certificate fields. Note: the Common Name *must* be the same hostname as your mms.centralUrl]

[Refer to your trusted 3rd-party’s procedure for any content they may require in the ‘extra’ attributes.]

* Submit your new CSR to the trusted 3rd-party so they may return a signed certificate.

Note that this procedure varies by provider. Some trusted 3rd-parties will generate the private key, CSR, and signed certificate for you.

Proceed to the “Preparing Your Certificate” section below.
### Self-Signed Certificate

$ openssl req -x509 -days 3650 -newkey rsa:2048 -keyout mms-ssl.key -out mms-ssl.crt

[Specify a private key password]

[Complete all certificate fields. Note: the Common Name *must* be the same hostname as your mms.centralUrl]

#### Preparing Your Certificate

* If the signed certificate is not in PEM format, you may convert it as follows:

$ openssl x509 -in mms-ssl.cer -inform DER -outform PEM -out mms-ssl.crt

* If your 3rd-party uses a certificate chain, concatenate the certificates together, server certificate first, to create a unified certificate:

$ cat mms-ssl.crt [intermediate-3rdparty-ca-cert.crt] 3rdparty-root-ca-cert.crt > mms-ssl-unified.crt
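Before building the keystore it is worth confirming that the private key matches the leaf certificate and that the certificate's CN or a DNS SAN actually covers the mms.centralUrl hostname (a wildcard covers a single label only). The following POSIX shell script is an added example, not part of the MMS documentation; it assumes openssl on PATH and the file names mms-ssl.key and mms-ssl-unified.crt used above.

```shell
#!/bin/sh
# Pre-flight checks before "Creating Your Java Keystore": does the private key match the
# leaf certificate, and does a CN or DNS SAN cover the mms.centralUrl hostname?
# Added example, not part of the MMS documentation; assumes openssl on PATH and the
# file names used above (mms-ssl.key, mms-ssl-unified.crt).
set -eu

# Hostname part of an mms.centralUrl value, e.g. https://mms.acmewidgets.com:8443
central_url_host() {
    printf '%s\n' "$1" | sed 's#^[A-Za-z][A-Za-z0-9+.-]*://##; s#[:/].*$##'
}

# Does a certificate name (exact, or single-label wildcard) cover a hostname?
# "*.acmewidgets.com" covers mms.acmewidgets.com, not acmewidgets.com or a.b.acmewidgets.com.
name_covers_host() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$name" in
        \*.*) suffix=${name#\*.}
              [ "${host#*.}" = "$suffix" ] && [ "${host#*.}" != "$host" ] ;;
        *)    [ "$name" = "$host" ] ;;
    esac
}

# Number of certificates in a PEM bundle; the server (leaf) certificate must come first.
pem_cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# Subject CN and DNS SANs of the first certificate in a PEM file, one per line.
cert_names() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
    openssl x509 -in "$1" -noout -text | awk '/Subject Alternative Name/{getline; print}' \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# The private key and the leaf certificate must carry the same public key.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout | openssl sha256)" = \
      "$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)" ]
}

main() {
    host=$(central_url_host "$1"); key=${2:-mms-ssl.key}; crt=${3:-mms-ssl-unified.crt}
    key_matches_cert "$key" "$crt" || { echo "FAIL: $key does not match the leaf in $crt"; exit 1; }
    echo "$crt holds $(pem_cert_count "$crt") certificate(s); the server certificate must be first"
    for n in $(cert_names "$crt"); do
        name_covers_host "$n" "$host" && { echo "OK: $n covers $host"; exit 0; }
    done
    echo "FAIL: no CN/SAN in $crt covers $host; check mms.centralUrl"; exit 1
}

# Run only when called with the mms.centralUrl value; sourcing just defines the functions.
case "${1-}" in http://*|https://*) main "$@" ;; esac
```

Run it as `sh mms-cert-check.sh https://mms.acmewidgets.com:8443` (the script name is hypothetical); the key and bundle paths can be passed as the second and third arguments.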
#### Creating Your Java Keystore

* Combine your private key and signed certificate (or certificate chain) into a PKCS12-formatted keystore:

$ openssl pkcs12 -inkey mms-ssl.key -in mms-ssl-unified.crt -export -out mms-ssl.pkcs12

[Provide your private key password]

[Specify a new password for the exported PKCS12 keystore]

* Convert the PKCS12 keystore into a Java Keystore:

$ [mms-install-dir]/jdk/bin/keytool -importkeystore -srckeystore mms-ssl.pkcs12 -srcstoretype PKCS12 -destkeystore mms-keystore.jks

[Specify a new password for the Java keystore. It can be the same as the PKCS12 keystore password, since mms-ssl.pkcs12 can be deleted after this step.]

[Provide the PKCS12 keystore password]
#### Configuring MMS for Java keystore

$ sudo cp -a mms-keystore.jks /etc/mongodb-mms/

$ sudo chown mongodb-mms:root /etc/mongodb-mms/mms-keystore.jks

$ sudo chmod 600 /etc/mongodb-mms/mms-keystore.jks

$ [mms-install-dir]/bin/credentialstool --username keystore --password

Enter Password: [keystore-password]

Generating credentials pair...

Your encrypted credentials pair:

Username: abcdef1234567890-76d41ae0a98c

Password: abcdef1234567890-2cc28e525d1f543464

* Edit your mms.conf to specify the path to your keystore and the encrypted keystore password:

$ sudo vi [mms-install-dir]/conf/mms.conf

JAVA_MMS_SSL_OPTS="${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslEnabled=true"

JAVA_MMS_SSL_OPTS="${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslKeyStorePath=/etc/mongodb-mms/mms-keystore.jks"

JAVA_MMS_SSL_OPTS="${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslKeyStoreEncryptedPassword=abcdef1234567890-2cc28e525d1f543464"

* Edit your conf-mms.properties file to specify the https protocol and SSL port 8443 on mms.centralUrl:

mms.centralUrl=https://mms.acmewidgets.com:8443

* Start up the MMS server and visit your mms.centralUrl.

$ sudo /etc/init.d/mongodb-mms start

* Browse to https://mms.acmewidgets.com:8443