Generating Server Certificates
Generating the Certificate Authority Key
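# Generate the 4096-bit RSA key for the CA. The umask is scoped to a
# subshell so the key file is created owner-readable only (0600) without
# changing the umask for the rest of the session; any other file mode
# would leave the CA signing key readable by other local users.
(umask 077 && openssl genrsa -out mongodb-ca.key 4096) \
  || { printf 'CA key generation failed\n' >&2; exit 1; }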
Create the config for the CA certificate
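# Distinguished-name fields shared by the CA and, further below, by every
# host certificate request.
COUNTRY=UK
PROVINCE=State1
CITY=City1
COMPANY=WidgetWorld
ORGANIZATION_UNIT=UnitA
EMAIL=test@test.com

# Write the CA config. The heredoc delimiter is left unquoted on purpose so
# the DN variables above expand; tee keeps a copy of the result on stdout.
# The [ policy_match ] section is only consulted by 'openssl ca'; the host
# certificates below are issued with 'openssl x509 -req', which does not
# apply it.
# NOTE(review): [ req_dn ] sets no commonName, so the CA certificate's subject
# has no CN — add one if any consuming tooling expects it.
tee ca.conf <<EOF
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 4096
default_keyfile = mongo-cert.key
default_md = sha256
prompt = no
distinguished_name = req_dn
req_extensions = v3_req
x509_extensions = v3_ca
[ v3_req ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
[ req_dn ]
countryName = $COUNTRY
stateOrProvinceName = $PROVINCE
localityName = $CITY
organizationName = $COMPANY
organizationalUnitName = $ORGANIZATION_UNIT
emailAddress = $EMAIL
[ v3_ca ]
# Extensions for a typical CA
subjectKeyIdentifier = hash
basicConstraints = critical,CA:true
keyUsage = critical, keyCertSign, cRLSign
authorityKeyIdentifier = keyid:always,issuer:always
EOF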
Create the CA Certificate
openssl req -new -x509 -days 365 -key mongodb-ca.key -out mongodb-ca.crt -config ca.conf
Generate Host certificates
Generate a private key for each of the hosts
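# One 4096-bit RSA key per host. The subshell-scoped umask makes each key
# file owner-readable only, and a failed key generation aborts the run
# instead of silently continuing on to the CSR step with a missing key.
for host in host1 host2 host3; do
  (umask 077 && openssl genrsa -out "${host}.key" 4096) \
    || { printf 'key generation failed for %s\n' "$host" >&2; exit 1; }
done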
Create the config for each host
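##################
## SET THE 3 HOST NAMES
##################
HOSTNAME1=host1.fully.qualified.name
HOSTNAMEALT1=host1.alt.full.qualified.name
HOSTNAME2=host2.fully.qualified.name
HOSTNAMEALT2=host2.alt.full.qualified.name
HOSTNAME3=host3.fully.qualified.name
HOSTNAMEALT3=host3.alt.full.qualified.name
#############################

#######################################
# Write the OpenSSL request config for one host.
# Globals:   COUNTRY, PROVINCE, CITY, COMPANY, ORGANIZATION_UNIT, EMAIL (read)
# Arguments: $1 - output prefix (host1 -> host1.conf)
#            $2 - primary FQDN, used as commonName and DNS.1
#            $3 - alternate FQDN, used as DNS.2
# Outputs:   writes <prefix>.conf and echoes the same text to stdout
#######################################
write_host_conf() {
  local prefix=$1 host=$2 alt=$3
  # The organisation is organizationName; the original config listed it
  # under organizationalUnitName a second time, so the O field was never set.
  # [ req_ext ] is also used as the -extensions section when the CA signs the
  # request, so the key-usage limits below end up in the issued certificate.
  tee "${prefix}.conf" <<EOF
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = $COUNTRY
stateOrProvinceName = $PROVINCE
localityName = $CITY
organizationName = $COMPANY
organizationalUnitName = $ORGANIZATION_UNIT
emailAddress = $EMAIL
commonName = $host
[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $host
DNS.2 = $alt
EOF
}

write_host_conf host1 "$HOSTNAME1" "$HOSTNAMEALT1"
write_host_conf host2 "$HOSTNAME2" "$HOSTNAMEALT2"
write_host_conf host3 "$HOSTNAME3" "$HOSTNAMEALT3"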
Create the Certificate Signing request for each host
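# Build a SHA-256 signed CSR per host from its key and config; abort on the
# first failure so a missing CSR is not silently passed on to the CA.
for host in host1 host2 host3; do
  openssl req -new -sha256 -out "${host}.csr" -key "${host}.key" -config "${host}.conf" \
    || { printf 'CSR creation failed for %s\n' "$host" >&2; exit 1; }
done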
Create the Certificate for each of the hosts
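# Sign each CSR with the CA. -extensions req_ext / -extfile re-reads the
# host config so the subjectAltName section is copied into the certificate
# (openssl x509 -req drops CSR extensions otherwise). -CAcreateserial
# creates the serial file on the first signing and reuses it afterwards.
for host in host1 host2 host3; do
  openssl x509 -req -in "${host}.csr" -CA mongodb-ca.crt -CAkey mongodb-ca.key \
    -CAcreateserial -out "${host}.crt" -days 365 -sha256 \
    -extensions req_ext -extfile "${host}.conf" \
    || { printf 'certificate signing failed for %s\n' "$host" >&2; exit 1; }
done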
Create the PEM bundle (certificate plus private key) for each of the hosts
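# Bundle certificate and private key into one PEM file per host. The bundle
# contains the private key, so it is created owner-readable only via a
# subshell-scoped umask; a missing input aborts instead of leaving a
# half-written bundle behind.
for host in host1 host2 host3; do
  (umask 077 && cat "${host}.crt" "${host}.key" > "${host}.pem") \
    || { printf 'PEM bundle creation failed for %s\n' "$host" >&2; exit 1; }
done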
Verify host certificates using CA
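# Verify each host certificate chains to the CA. openssl verify reads the
# certificate from the bundle and ignores the key that follows it; a
# verification failure is fatal rather than just printed.
for host in host1 host2 host3; do
  openssl verify -verbose -CAfile mongodb-ca.crt "${host}.pem" \
    || { printf 'verification failed for %s\n' "$host" >&2; exit 1; }
done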