This software is specifically designed to work with MongoDB Server to quickly create a test SSL environment. Official MongoDB Support is not provided for this, use at your own RISK.
This shell-script creates and maintains the simple private Certificate Authority which you can use to issue the SSL client and server certificates for mongod.
Requirements: Bash 3.x or later, OpenSSL, sed, mktemp, tar, /dev/urandom.
Tested on: macOS High Sierra + LibreSSL, Red Hat Enterprise Linux 7.
1.1. Run the script to generate the MongoDB-demo-CA directory and the default configuration file .ca_settings.sh:
$ ls
ca_mongodb.sh
$ ./ca_mongodb.sh
[INFO] Generating initial settings file /home/abr/tmp/MongoDB-demo-CA/.ca_settings.sh
[INFO] Please modify the default values for the COUNTRY, STATE, LOCALITY, CLUSTER_ORG_UNIT and CLIENT_ORG_UNIT in the /home/abr/tmp/MongoDB-demo-CA/.ca_settings.sh file.
[INFO] Make sure that CLUSTER_ORG_UNIT and CLIENT_ORG_UNIT have different values if you're going to generate and use client certificates!
[INFO] Once you finish editing the /home/abr/tmp/MongoDB-demo-CA/.ca_settings.sh file, perform the initialization by running this script with the following parameter: initial_ca_init. For example:
[INFO] ./ca_mongodb.sh initial_ca_init
$ nano ./MongoDB-demo-CA/.ca_settings.sh
Feel free to change the following variables:
COUNTRY: Country abbreviation;STATE: State abbreviation;LOCALITY: City;ORG: Organization name;CLUSTER_ORG_UNIT: Organizational unit name formongodhosts;CLIENT_ORG_UNIT: Organizational unit name formongodclient certificates.
$ ./ca_mongodb.sh initial_ca_init
[INFO] CA path is: /home/abr/tmp/MongoDB-demo-CA
[INFO] Creating private key for root CA...
Generating RSA private key, 4096 bit long modulus
................................................................................................................................................................................................++
...........................................................................................................................................................................................................++
e is 65537 (0x10001)
[INFO] Creating self-signed root CA certificate
[INFO] Root CA certificate created:
subject= /C=US/ST=NY/L=New York/O=ACME/CN=ACME ROOT CA
[INFO] Root CA file (PEM format - use this for UNIX/Linux): /home/abr/tmp/MongoDB-demo-CA/root/certs/root.ca.crt.pem
[INFO] Root CA file (DER format - use this for MS Windows): /home/abr/tmp/MongoDB-demo-CA/root/certs/root.ca.crt.der
[INFO] Use it for the net.ssl.CAFile configuration option in a mongod.conf (PEM format).
[INFO] How to import this into MS Windows Trusted Root Certification Authorities store:
[INFO] https://technet.microsoft.com/en-us/library/cc754841(v=ws.11).aspx
[INFO] Generating CRL
Using configuration from /home/abr/tmp/MongoDB-demo-CA/openssl.cnf
[INFO] Successfully generated CRL file: /home/abr/tmp/MongoDB-demo-CA/root/crl/ca.crl.pem which will expire in 3650 days. If you're using CRLs in your MongoDB deployment (net.ssl.CRLFile configuration option is defined in mongod.conf), new CRL file needs to be transferred to all hosts in the MongoDB deployment. Those mongod and mongos instances need to be restarted in a rolling manner to make this change effective. When the CRL file expires, MongoDB will stop accepting all new SSL connections until a new CRL file is generated and MongoDB services are restarted.
[INFO] Oki dockie!
$ ./ca_mongodb.sh create_and_sign_cert CLUSTER rhel73 rhel-73.acme.qa 10.211.55.20
(OpenSSL output skipped)
[INFO] Server certificate created: /home/abr/tmp/MongoDB-demo-CA/root/private/rhel73.pem
[INFO] Use it for the net.ssl.PEMKeyFile MongoDB Server configuration option
[INFO] Oki dockie!
Parameters:
create_and_sign_cert: Certificate request creation & signing mode.CLUSTER: A constant, indicating that the server certificate will be created.rhel73: The name for this particular certificate inside Certificate Authority. Certificate's filenames will be derived from this parameter.rhel-73.acme.qa 10.211.55.20: The space-separated list of hostnames and IP addresses for the certificate. The first value in the list goes to the Common Name field in the certificate, and the whole list will be represented in the X509v3 Subject Alternative Name field.
systemLog:
destination: file
logAppend: false
path: /home/abr/tmp/mongod.log
storage:
dbPath: /home/abr/tmp/data
journal:
enabled: true
processManagement:
fork: true
pidFilePath: /home/abr/tmp/mongod.pid
net:
port: 28000
bindIp: 0.0.0.0
ssl:
mode: requireSSL
PEMKeyFile: /home/abr/tmp/MongoDB-demo-CA/root/private/rhel73.pem
CAFile: /home/abr/tmp/MongoDB-demo-CA/root/certs/root.ca.crt.pem
$ mkdir -p /home/abr/tmp/data
$ mongod -f /home/abr/tmp/mongod.conf
$ ./ca_mongodb.sh create_and_sign_cert CLIENT shell 'MongoDB Shell'
(OpenSSL output skipped)
[INFO] Client certificate created: /home/abr/tmp/MongoDB-demo-CA/root/private/shell.pem
[INFO] Here's an example how to add to MongoDB Server by using MongoDB Shell:
[INFO] > db.getSiblingDB('$external').createUser({ user: 'CN=MongoDB Shell,OU=Development MongoDB Clients,O=ACME,ST=NY,C=US', roles: [ { role: 'root', db: 'admin' } ] });
[INFO] Oki dockie!
Parameters:
create_and_sign_cert: Certificate request creation & signing mode.CLIENT: A constant, indicating that the client certificate will be created.shell: The name for this particular certificate inside Certificate Authority. Certificate's filenames will be derived from this parameter.'MongoDB Shell': Client certificate's Common Name
$ mongo --ssl --host 10.211.55.20 --port 28000 --sslCAFile /home/abr/tmp/MongoDB-demo-CA/root/certs/root.ca.crt.pem --sslPEMKeyFile /home/abr/tmp/MongoDB-demo-CA/root/private/shell.pem
MongoDB shell version v3.6.3
connecting to: mongodb://10.211.55.20:28000/
MongoDB server version: 3.6.3
MongoDB Enterprise >
MongoDB Enterprise > db.getSiblingDB('$external').createUser({ user: 'CN=MongoDB Shell,OU=Development MongoDB Clients,O=ACME,ST=NY,C=US', roles: [ { role: 'root', db: 'admin' } ] });
Successfully added user: {
"user" : "CN=MongoDB Shell,OU=Development MongoDB Clients,O=ACME,ST=NY,C=US",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
}
security:
authorization: enabled
setParameter:
authenticationMechanisms: "MONGODB-X509"
$ killall mongod
$ mongod -f ./mongod.conf
$ mongo --ssl --host 10.211.55.20 --port 28000 --sslCAFile /home/abr/tmp/MongoDB-demo-CA/root/certs/root.ca.crt.pem --sslPEMKeyFile /home/abr/tmp/MongoDB-demo-CA/root/private/shell.pem -u 'CN=MongoDB Shell,OU=Development MongoDB Clients,O=ACME,ST=NY,C=US' --authenticationMechanism MONGODB-X509 --authenticationDatabase '$external'
MongoDB shell version v3.6.3
connecting to: mongodb://10.211.55.20:28000/
MongoDB server version: 3.6.3
MongoDB Enterprise >
$ ./ca_mongodb.sh
[INFO] CA path is: /home/abr/tmp/MongoDB-demo-CA
[INFO] Simple MongoDB Certification Authority demo app welcomes you!
Usage: ./ca_mongodb.sh function parameter(s)
Functions:
initial_ca_init
backup_ca
restore_ca backup.tar.bz2
create_and_sign_cert CLUSTER rs0 rs0.host.name rs0.alternate.name 127.0.0.1 192.168.0.1
create_and_sign_cert CLIENT devclient 'Development Client Common Name'
revoke_certificate rs0
generate_crl
[INFO] Oki dockie!