@desterhuizen
Last active August 2, 2022 19:05

Generating Server Certificates

Generating the Certificate Authority Key

openssl genrsa -out mongodb-ca.key 4096

Create the config for CA certificate

COUNTRY=UK
PROVINCE=State1
CITY=City1
COMPANY=WidgetWorld
ORGANIZATION_UNIT=UnitA
EMAIL=test@test.com

echo "
# For the CA policy
[ policy_match ]
countryName                 = match
stateOrProvinceName         = match
organizationName            = match
organizationalUnitName      = optional
commonName                  = supplied
emailAddress                = optional

[ req ]
default_bits                = 4096
default_keyfile             = mongo-cert.key
default_md                  = sha256
prompt                      = no
distinguished_name          = req_dn
req_extensions              = v3_req
x509_extensions             = v3_ca

[ v3_req ]
subjectKeyIdentifier        = hash
basicConstraints            = CA:FALSE
keyUsage                    = critical, digitalSignature, keyEncipherment
extendedKeyUsage            = serverAuth, clientAuth

[ req_dn ]
countryName                 = $COUNTRY
stateOrProvinceName         = $PROVINCE
localityName                = $CITY
organizationName            = $COMPANY
organizationalUnitName      = $ORGANIZATION_UNIT
emailAddress                = $EMAIL

[ v3_ca ]
# Extensions for a typical CA

subjectKeyIdentifier        = hash
basicConstraints            = critical,CA:true
authorityKeyIdentifier      = keyid:always,issuer:always" | tee ca.conf

Create the CA Certificate

openssl req -new -x509 -days 365 -key mongodb-ca.key -out mongodb-ca.crt -config ca.conf

Generate Host certificates

Generate a private key for each of the hosts

openssl genrsa -out host1.key 4096;
openssl genrsa -out host2.key 4096;
openssl genrsa -out host3.key 4096;

Create the config for each host

##################
## SET THE 3 HOST NAMES 
##################

HOSTNAME1=host1.fully.qualified.name
HOSTNAMEALT1=host1.alt.full.qualified.name

HOSTNAME2=host2.fully.qualified.name
HOSTNAMEALT2=host2.alt.full.qualified.name

HOSTNAME3=host3.fully.qualified.name
HOSTNAMEALT3=host3.alt.full.qualified.name

#############################

echo "
[ req ]
default_bits                = 4096
distinguished_name          = req_distinguished_name
req_extensions              = req_ext
prompt                      = no

[ req_distinguished_name ]
countryName                 = $COUNTRY
stateOrProvinceName         = $PROVINCE
localityName                = $CITY
organizationName            = $COMPANY
organizationalUnitName      = $ORGANIZATION_UNIT
emailAddress                = $EMAIL
commonName                  = $HOSTNAME1

[ req_ext ]
subjectAltName              = @alt_names

[alt_names]
DNS.1                       = $HOSTNAME1
DNS.2                       = $HOSTNAMEALT1" | tee host1.conf

echo "
[ req ]
default_bits                = 4096
distinguished_name          = req_distinguished_name
req_extensions              = req_ext
prompt                      = no

[ req_distinguished_name ]
countryName                 = $COUNTRY
stateOrProvinceName         = $PROVINCE
localityName                = $CITY
organizationName            = $COMPANY
organizationalUnitName      = $ORGANIZATION_UNIT
emailAddress                = $EMAIL
commonName                  = $HOSTNAME2

[ req_ext ]
subjectAltName              = @alt_names

[alt_names]
DNS.1                       = $HOSTNAME2
DNS.2                       = $HOSTNAMEALT2" | tee host2.conf

echo "
[ req ]
default_bits                = 4096
distinguished_name          = req_distinguished_name
req_extensions              = req_ext
prompt                      = no

[ req_distinguished_name ]
countryName                 = $COUNTRY
stateOrProvinceName         = $PROVINCE
localityName                = $CITY
organizationName            = $COMPANY
organizationalUnitName      = $ORGANIZATION_UNIT
emailAddress                = $EMAIL
commonName                  = $HOSTNAME3

[ req_ext ]
subjectAltName              = @alt_names

[alt_names]
DNS.1                       = $HOSTNAME3
DNS.2                       = $HOSTNAMEALT3" | tee host3.conf

Create the Certificate Signing request for each host

openssl req -new -sha256  -out host1.csr -key host1.key  -config host1.conf
openssl req -new -sha256  -out host2.csr -key host2.key  -config host2.conf
openssl req -new -sha256  -out host3.csr -key host3.key  -config host3.conf

Create the Certificate for each of the hosts

openssl x509 -req -in host1.csr -CA mongodb-ca.crt -CAkey mongodb-ca.key -CAcreateserial -out host1.crt -days 365 -sha256 -extensions req_ext -extfile host1.conf
openssl x509 -req -in host2.csr -CA mongodb-ca.crt -CAkey mongodb-ca.key -CAcreateserial -out host2.crt -days 365 -sha256 -extensions req_ext -extfile host2.conf
openssl x509 -req -in host3.csr -CA mongodb-ca.crt -CAkey mongodb-ca.key -CAcreateserial -out host3.crt -days 365 -sha256 -extensions req_ext -extfile host3.conf

Create the PEM key for each of the hosts

cat host1.crt host1.key > host1.pem
cat host2.crt host2.key > host2.pem
cat host3.crt host3.key > host3.pem

Verify host certificates using CA

openssl verify -verbose -CAfile mongodb-ca.crt host1.pem
openssl verify -verbose -CAfile mongodb-ca.crt host2.pem
openssl verify -verbose -CAfile mongodb-ca.crt host3.pem

OpenSSL server

Generate a certificate

Generate CA Key

openssl genrsa -out main_ca.key 4096

Generate CA Certificate

openssl req -new -x509 -days 30 -key main_ca.key -out main_ca.crt

Generate Host Key

openssl genrsa -out host.key 4096

Generate Server Signing Request

openssl req -new -sha256 -out host.csr -key host.key

Sign Certificate (no extension file is passed here, so the signed certificate carries no SAN; clients that check the hostname need the config-based flow above)

openssl x509 -req -in host.csr -CA main_ca.crt -CAkey main_ca.key -CAcreateserial -out host.crt -days 365 -sha256

Create PEM

cat host.crt host.key > host.pem

Verify

openssl verify -verbose -CAfile main_ca.crt host.pem

Start web server

openssl s_server -CAfile main_ca.crt -key host.key -cert host.pem -HTTP -port 1234 -WWW -no_tls1 -no_tls1_1