[DOCS-4436] Add a section to the docs showing how to create a keystore Created: 27/Nov/14 Updated: 30/Oct/23 Resolved: 27/Dec/18 |
|
| Status: | Closed |
| Project: | Documentation |
| Component/s: | manual |
| Affects Version/s: | None |
| Fix Version/s: | Server_Docs_20231030 |
| Type: | Improvement | Priority: | Minor - P4 |
| Reporter: | James O'Leary | Assignee: | Ravind Kumar (Inactive) |
| Resolution: | Done | Votes: | 1 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Days since reply: | 5 years, 6 weeks, 6 days ago |
| Story Points: | 2.5 |
| Description |
|
We should update the documentation to include a section on generating a PEM file and adding it to a keystore in the enterprise section of the documentation |
| Comments |
| Comment by Ravind Kumar (Inactive) [ 27/Dec/18 ] |
|
The new Appendix section should sufficiently cover this request. |
| Comment by Ricardo Lorenzo [ 28/Nov/14 ] |
|
1) Generate an X.509 CA cert and key
Optionally, you can create a subordinate CA to sign the server certificates if you don't want to use the root CA certificate.
2) Create a PEM from the cert and key for mongo server
Then you can sign the server certificate request using your CA.
Now you must add the certificate and the key (PEM format) into a single file:
3a) Verify and test your server certificate
Note: You will have to do steps 2) and 3a) for each server.
3b) Ensure that mongod has been started in SSL mode. For example:
4) Test that the mongodb shell can access the server in SSL mode
Note: Depending on the SSL mode selected, you cannot connect if you do not use --ssl with the mongo shell.
5) Generate a Java™ key store (JKS) file using the JDK keytool program
Note: /PATH/TO for the cert and the keystore may be different; you can decide where they go.
6) Start JVM with required System Properties for SSL
Note: HOSTNAME should match the CN (Common Name) as described in point (3b).
Test the keys and connectivity with the following simple Java class
|
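The procedure in the comment above, as an added shell example (not the commenter's commands and not taken from the MongoDB documentation): steps 1, 2, 3a and 5 as functions built on `openssl` and `keytool`, with steps 3b, 4 and 6 shown as comments. The directory argument, `Example Test CA`, the `example-ca` alias, the host name and the password are constructed placeholders; the `--ssl*` options are the legacy names matching the `--ssl` flag the comment mentions.

```shell
#!/bin/sh
# Added example. Every path, CN, alias and password is a constructed placeholder.
set -eu

# Step 1: self-signed X.509 CA certificate and key in directory $1.
make_ca() (
  umask 077   # private keys must not be group/world readable
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Test CA" -keyout "$1/ca.key" -out "$1/ca.crt"
)

# Step 2: key and CSR for host $2, signed by the CA, then certificate and
# key concatenated into the single PEM file that mongod reads.
make_server_pem() (
  umask 077
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/server.key" -out "$1/server.csr"
  printf 'subjectAltName=DNS:%s\n' "$2" > "$1/san.ext"
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -extfile "$1/san.ext" -out "$1/server.crt"
  cat "$1/server.crt" "$1/server.key" > "$1/server.pem"
)

# Step 3a: the certificate chains to the CA and its public key matches
# the private key it is shipped with.
verify_server() {
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null &&
  [ "$(openssl x509 -in "$1/server.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$1/server.key" -pubout)" ]
}

# Step 5: JKS trust store for the Java client. It holds only the CA
# certificate; the CA and server private keys never go into it.
make_truststore() {
  keytool -importcert -noprompt -trustcacerts -alias example-ca \
    -file "$1/ca.crt" -keystore "$1/truststore.jks" -storepass "$2"
}

# Steps 3b, 4 and 6 consume these files (legacy --ssl* option names):
#   mongod --sslMode requireSSL --sslPEMKeyFile server.pem --sslCAFile ca.crt
#   mongo --ssl --sslCAFile ca.crt --host HOSTNAME
#   java -Djavax.net.ssl.trustStore=truststore.jks \
#        -Djavax.net.ssl.trustStorePassword=PASSWORD ...
```

The host name passed to `make_server_pem` is written to both the CN and the subjectAltName, so it must be the name clients actually connect to.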