Commit
updated certificates guide, now working
1 parent: 6c0fafb; commit: 018797f
Showing 5 changed files with 96 additions and 47 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,7 @@ | ||
reports/** | ||
inputs.yml | ||
local-test.yml | ||
*.pem | ||
*.pem | ||
*.csr | ||
*.crt | ||
*.key |
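Review bot: the rendered view shows `*.pem` both removed and re-added, which suggests the existing entry was only rewritten (for example to add a trailing newline) rather than changed; worth confirming that is intentional. The new `*.csr`, `*.crt` and `*.key` patterns cover every artifact the updated guide produces (`mongodb.csr`, `mongodb-cert.crt`, `mongodb-private.key`), and `*.pem` covers `mongodb.pem`, which contains the private key, so none of this material can be committed by accident. Consider also ignoring the downloaded `unclass-certificates_pkcs7_DoD.zip` and the extracted `certificates_pkcs7_v5_13_dod/` directory so the working tree stays clean after Step 1 of the guide.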
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,58 +1,97 @@ | ||
# Certificates | ||
# Certificates for MongoDB | ||
|
||
## DoD Certificate Authority Certificates Installation | ||
## DoD CA Certificates Installation | ||
|
||
### Obtain Certificates | ||
### Step 1: Download the PKI CA Certificate Bundles | ||
|
||
- **Download**: Access the PKI CA Certificate Bundles from the [DoD PKI/PKE Document Library](https://public.cyber.mil/pki-pke/pkipke-document-library/). | ||
- **Direct link**: For PKCS#7 Bundle V5.13, download [here](https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/unclass-certificates_pkcs7_DoD.zip). | ||
|
||
### Installation | ||
### Step 2: Extract and Convert the Certificates | ||
|
||
1. **Extract Package**: Unzip the downloaded file and follow the README for usage instructions | ||
2. **Place Certificates**: Move the certificate to the `certificates` folder. | ||
Unzip the file and follow the README for detailed instructions or use the following commands to quickly extract and convert the certificates: | ||
|
||
## Steps to Correctly Generate a Certificate and Key for MongoDB TLS/SSL: | ||
```bash | ||
cd certificates_pkcs7_v5_13_dod | ||
openssl pkcs7 -in certificates_pkcs7_v5_13_dod_der.p7b -inform der -print_certs -out dod_CAs.pem | ||
``` | ||
|
||
### Step 3: Place the Certificate | ||
|
||
Move the extracted `dod_CAs.pem` file to the `certificates` folder. | ||
|
||
This `dod_CAs.pem` file is what is required for the `net.tls.CAFile` option in the MongoDB configuration. | ||
|
||
**Note:** The file gets automatically renamed to `CA_bundle.pem` when the Ansible playbook gets run. | ||
|
||
### 1. Generate a New Private Key | ||
```yaml | ||
net: | ||
tls: | ||
mode: requireTLS | ||
CAFile: /etc/ssl/CA_bundle.pem | ||
``` | ||
|
||
## MongoDB TLS/SSL Certificate and Key Generation | ||
|
||
### Step 1: Generate a New Private Key | ||
|
||
```bash | ||
openssl genrsa -out mongodb-private.key 2048 | ||
``` | ||
|
||
This command creates a 2048-bit RSA private key. | ||
This command generates a 2048-bit RSA private key, named `mongodb-private.key`, which is used for creating a CSR and signing the certificate. | ||
|
||
### 2. Generate a Certificate Signing Request (CSR) | ||
### Step 2: Generate a Certificate Signing Request (CSR) | ||
|
||
```bash | ||
openssl req -new -key mongodb-private.key -out mongodb.csr | ||
``` | ||
|
||
You'll be prompted to enter details for the certificate; fill these out as they pertain to your organization or for testing purposes. | ||
|
||
### 3. Generate a Self-Signed Certificate | ||
This command generates a CSR using the previously created private key. You'll specify the necessary details for the certificate, such as setting the `Common Name` to `localhost` for local testing. | ||
|
||
If you're setting this up for testing purposes or internal use, you can generate a self-signed certificate: | ||
### Step 3: Generate a Self-Signed Certificate | ||
|
||
```bash | ||
openssl x509 -req -days 365 -in mongodb.csr -signkey mongodb-private.key -out mongodb-cert.pem | ||
openssl x509 -req -days 397 -in mongodb.csr -signkey mongodb-private.key -out mongodb-cert.crt | ||
``` | ||
|
||
This creates a certificate that's valid for 365 days. | ||
This command creates a self-signed X.509 certificate using the CSR and the private key. The certificate is output as `mongodb-cert.crt`. | ||
|
||
### 4. Combine Private Key and Certificate into One PEM File | ||
|
||
MongoDB expects the private key and the certificate to be in the same PEM file for `net.tls.certificateKeyFile`: | ||
### Step 4: Combine Private Key and Certificate into One PEM File | ||
|
||
```bash | ||
cat mongodb-private.key mongodb-cert.pem > mongodb.pem | ||
cat mongodb-private.key mongodb-cert.crt > mongodb.pem | ||
``` | ||
|
||
This `mongodb.pem` file is what you should reference in your MongoDB configuration: | ||
This command concatenates the private key and the certificate into a single file called `mongodb.pem`, which MongoDB requires for its `net.tls.certificateKeyFile` configuration. | ||
|
||
This `mongodb.pem` file is what is being referenced in the MongoDB configuration: | ||
|
||
```yaml | ||
net: | ||
tls: | ||
mode: requireTLS | ||
certificateKeyFile: /etc/ssl/mongodb.pem | ||
tls: | ||
mode: requireTLS | ||
certificateKeyFile: /etc/ssl/mongodb.pem | ||
``` | ||
|
||
### Step 5: Append Certificate to Trusted CA Bundle and Move PEM File | ||
|
||
```bash | ||
mv mongodb.pem mongodb-cert.crt certificates/ | ||
cat mongodb-cert.crt >> dod_CAs.pem | ||
``` | ||
|
||
Move the `mongodb.pem` and `mongodb-cert.crt` files to the designated `certificates` directory. Then, append the MongoDB certificate from `mongodb-cert.crt` to your list of trusted Certificate Authorities in `dod_CAs.pem`. This setup ensures that MongoDB utilizes the certificate for secure connections and that the system recognizes it as a trusted source. | ||
|
||
### Alternative Configuration: One-Command Setup | ||
|
||
For a streamlined setup, you can execute all steps with a single condensed command: | ||
|
||
```bash | ||
openssl genrsa -out mongodb-private.key 2048 && \ | ||
openssl req -new -key mongodb-private.key -out mongodb.csr -subj '/C=US/ST=VA/L=McLean/O=MITRE/OU=MITRE SAF/CN=localhost' && \ | ||
openssl x509 -req -days 397 -in mongodb.csr -signkey mongodb-private.key -out mongodb-cert.crt && \ | ||
cat mongodb-private.key mongodb-cert.crt > mongodb.pem && \ | ||
mv mongodb.pem mongodb-cert.crt certificates/ && \ | ||
cat certificates/mongodb-cert.crt >> certificates/dod_CAs.pem | ||
``` |
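Review bot: Step 5's standalone block runs `mv mongodb.pem mongodb-cert.crt certificates/` and then `cat mongodb-cert.crt >> dod_CAs.pem`, so the second command runs after the certificate has already been moved and, since Step 3 put `dod_CAs.pem` in `certificates/` as well, names neither file where it now lives. The one-command variant at the end gets this right with `cat certificates/mongodb-cert.crt >> certificates/dod_CAs.pem`; make the Step 5 block match it, or append before moving. Two further points a reader will hit: the CSR is created with only `CN=localhost` and no subjectAltName, and current TLS clients (recent MongoDB drivers included) reject server certificates without a SAN, so the guide should add a subjectAltName extension to the request and carry it into the self-signed certificate; and `mongodb.pem` holds the private key, so the text should have the reader restrict its permissions (for example `chmod 600`) and give ownership to the account mongod runs as, given that the file is later copied to `/etc/ssl/mongodb.pem`. Finally, appending the server's own self-signed certificate to `dod_CAs.pem` is what lets `CAFile` trust it, but it also adds a non-DoD trust anchor to that bundle; the old sentence "If you're setting this up for testing purposes or internal use" was dropped in this revision, so the new Step 3 and Step 5 text should say plainly that this arrangement is for local testing only.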