updated certificates guide, now working

.gitignore

@@ -1,4 +1,7 @@
 reports/**
 inputs.yml
 local-test.yml
-*.pem
+*.pem
+*.csr
+*.crt
+*.key

README.md

@@ -42,7 +42,14 @@ A workflow for hardening a MongoDB container against a STIG using Packer and Ans
    Execute the following command to run the hardened Mongo image:
 
    ```
-   docker run -d --name mongo-hardened -p 27017:27017 -v mongodb_configdb:/data/configdb -v mongodb_db:/data/db mongo-hardened --config /etc/mongod.conf
+   docker run -d \                                                                     ─╯
+   --name mongo-hardened \
+   -p 27017:27017 \
+   -v mongodb_configdb:/data/configdb \
+   -v mongodb_db:/data/db \
+   -e PATH="/usr/local/src/openssl-3.1.0/apps:$PATH" \
+   -e LD_LIBRARY_PATH="LD_LIBRARY_PATH=/usr/local/src/openssl-3.1.0:$LD_LIBRARY_PATH" \
+   mongo-hardened --config /etc/mongod.conf
    ```
 
 ## Notes

certificates/README.md

@@ -1,58 +1,97 @@
-# Certificates
+# Certificates for MongoDB
 
-## DoD Certificate Authority Certificates Installation
+## DoD CA Certificates Installation
 
-### Obtain Certificates
+### Step 1: Download the PKI CA Certificate Bundles
 
 - **Download**: Access the PKI CA Certificate Bundles from the [DoD PKI/PKE Document Library](https://public.cyber.mil/pki-pke/pkipke-document-library/).
   - **Direct link**: For PKCS#7 Bundle V5.13, download [here](https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/unclass-certificates_pkcs7_DoD.zip).
 
-### Installation
+### Step 2: Extract and Convert the Certificates
 
-1.  **Extract Package**: Unzip the downloaded file and follow the README for usage instructions
-2.  **Place Certificates**: Move the certificate to the `certificates` folder.
+Unzip the file and follow the README for detailed instructions or use the following commands to quickly extract and convert the certificates:
 
-## Steps to Correctly Generate a Certificate and Key for MongoDB TLS/SSL:
+```bash
+cd certificates_pkcs7_v5_13_dod
+openssl pkcs7 -in certificates_pkcs7_v5_13_dod_der.p7b -inform der -print_certs -out dod_CAs.pem
+```
+
+### Step 3: Place the Certificate
+
+Move the extracted `dod_CAs.pem` file to the `certificates` folder.
+
+This `dod_CAs.pem` file is what is required for the `net.tls.CAFile` option in the MongoDB configuration.
+
+**Note:** The file gets automatically renamed to `CA_bundle.pem` when the Ansible playbook gets run.
 
-### 1. Generate a New Private Key
+```yaml
+net:
+	tls:
+		mode: requireTLS
+		CAFile: /etc/ssl/CA_bundle.pem
+```
+
+## MongoDB TLS/SSL Certificate and Key Generation
+
+### Step 1: Generate a New Private Key
 
 ```bash
 openssl genrsa -out mongodb-private.key 2048
 ```
 
-This command creates a 2048-bit RSA private key.
+This command generates a 2048-bit RSA private key, named `mongodb-private.key`, which is used for creating a CSR and signing the certificate.
 
-### 2. Generate a Certificate Signing Request (CSR)
+### Step 2: Generate a Certificate Signing Request (CSR)
 
 ```bash
 openssl req -new -key mongodb-private.key -out mongodb.csr
 ```
 
-You'll be prompted to enter details for the certificate; fill these out as they pertain to your organization or for testing purposes.
-
-### 3. Generate a Self-Signed Certificate
+This command generates a CSR using the previously created private key. You'll specify the necessary details for the certificate, such as setting the `Common Name` to `localhost` for local testing.
 
-If you're setting this up for testing purposes or internal use, you can generate a self-signed certificate:
+### Step 3: Generate a Self-Signed Certificate
 
 ```bash
-openssl x509 -req -days 365 -in mongodb.csr -signkey mongodb-private.key -out mongodb-cert.pem
+openssl x509 -req -days 397 -in mongodb.csr -signkey mongodb-private.key -out mongodb-cert.crt
 ```
 
-This creates a certificate that's valid for 365 days.
+This command creates a self-signed X.509 certificate using the CSR and the private key. The certificate is output as `mongodb-cert.crt`.
 
-### 4. Combine Private Key and Certificate into One PEM File
-
-MongoDB expects the private key and the certificate to be in the same PEM file for `net.tls.certificateKeyFile`:
+### Step 4: Combine Private Key and Certificate into One PEM File
 
 ```bash
-cat mongodb-private.key mongodb-cert.pem > mongodb.pem
+cat mongodb-private.key mongodb-cert.crt > mongodb.pem
 ```
 
-This `mongodb.pem` file is what you should reference in your MongoDB configuration:
+This command concatenates the private key and the certificate into a single file called `mongodb.pem`, which MongoDB requires for its `net.tls.certificateKeyFile` configuration.
+
+This `mongodb.pem` file is what is being referenced in the MongoDB configuration:
 
 ```yaml
 net:
-  tls:
-    mode: requireTLS
-    certificateKeyFile: /etc/ssl/mongodb.pem
+	tls:
+		mode: requireTLS
+		certificateKeyFile: /etc/ssl/mongodb.pem
+```
+
+### Step 5: Append Certificate to Trusted CA Bundle and Move PEM File
+
+```bash
+mv mongodb.pem mongodb-cert.crt certificates/
+cat mongodb-cert.crt >> dod_CAs.pem
+```
+
+Move the `mongodb.pem` and `mongodb-cert.crt` files to the designated `certificates` directory. Then, append the MongoDB certificate from `mongodb-cert.crt` to your list of trusted Certificate Authorities in `dod_CAs.pem`. This setup ensures that MongoDB utilizes the certificate for secure connections and that the system recognizes it as a trusted source.
+
+### Alternative Configuration: One-Command Setup
+
+For a streamlined setup, you can execute all steps with a single condensed command:
+
+```bash
+openssl genrsa -out mongodb-private.key 2048 && \
+openssl req -new -key mongodb-private.key -out mongodb.csr -subj '/C=US/ST=VA/L=McLean/O=MITRE/OU=MITRE SAF/CN=localhost' && \
+openssl x509 -req -days 397 -in mongodb.csr -signkey mongodb-private.key -out mongodb-cert.crt && \
+cat mongodb-private.key mongodb-cert.crt > mongodb.pem && \
+mv mongodb.pem mongodb-cert.crt certificates/ && \
+cat certificates/mongodb-cert.crt >> certificates/dod_CAs.pem
 ```

spec/ansible/roles/mongo-stig/defaults/main.yml

@@ -24,7 +24,7 @@ mongo_audit_file_path: /var/log/mongodb/audit/auditLog.bson
 
 certificate_key_file_dest: /etc/ssl/mongodb.pem
 certificate_key_file_src: ../../../../certificates/mongodb.pem
-ca_file_dest: /etc/ssl/caToValidateClientCertificates.pem
+ca_file_dest: /etc/ssl/CA_bundle.pem
 ca_file_src: ../../../../certificates/dod_CAs.pem
 
 data_file_directory_path: /data/db/

spec/ansible/roles/mongo-stig/tasks/cat1.yml

@@ -1,24 +1,24 @@
 ---
-# - name: "HIGH | SV-252139 | If passwords are used for authentication, MongoDB must transmit only encrypted representations of passwords."
-#   yedit:
-#     src: "{{ mongod_config_path }}"
-#     edits:
-#     - key: net.tls.mode
-#       value: requireTLS
-#     - key: net.tls.certificateKeyFile
-#       value: "{{ certificate_key_file_dest }}"
-#     - key: net.tls.CAFile
-#       value: "{{ ca_file_dest }}"
-#     - key: net.tls.allowInvalidCertificates
-#       value: false
-#     - key: net.tls.allowConnectionsWithoutCertificates
-#       value: false
-#   ignore_errors: true
-#   tags:
-#     - cat1
-#     - high
-#     - SV-252139
-#     - enterprise
+- name: "HIGH | SV-252139 | If passwords are used for authentication, MongoDB must transmit only encrypted representations of passwords."
+  yedit:
+    src: "{{ mongod_config_path }}"
+    edits:
+    - key: net.tls.mode
+      value: requireTLS
+    - key: net.tls.certificateKeyFile
+      value: "{{ certificate_key_file_dest }}"
+    - key: net.tls.CAFile
+      value: "{{ ca_file_dest }}"
+    - key: net.tls.allowInvalidCertificates
+      value: false
+    - key: net.tls.allowConnectionsWithoutCertificates
+      value: false
+  ignore_errors: true
+  tags:
+    - cat1
+    - high
+    - SV-252139
+    - enterprise
 
 # - name: "HIGH | SV-252146 | MongoDB must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations."
 #   yedit: