Creating a user certificate is similar to creating a member certificate. The main differences are:
• The user configuration lacks the alt_names section that specifies the Subject Alternative Names. Subject Alternative Names are used to validate servers; they play no part in authenticating users.
• The user configuration has the codesign_reqext section, which specifies keyUsage and extendedKeyUsage as required by MongoDB.
• The OU in the certificate request has been changed from MongoDBServer to MongoDBUser. You can use whatever names you wish for the organizational unit. Just be sure that the subject of a user certificate differs from the subjects of your server certificates, as MongoDB requires.
• The openssl req command uses the request_user.cfg file instead of the request_member.cfg file.
• The resulting .PEM file is named to indicate that it is a user certificate rather than a member certificate.
1. Open a command window.
2. Change directories to C:\ca.
3. Set the HOME environment variable with this command:
SET HOME=C:\MinGW\msys\1.0
4. Create a configuration file for the request like the one below. Name it request_user.cfg.
5. Modify the configuration file with the desired values of the distinguished name.
6. Run this OpenSSL command, referencing the configuration file. The command prompts you for each field; accept a default value by just pressing the Enter key.
openssl req -nodes -newkey rsa:2048 -keyout testkey.key -config request_user.cfg -out testreq.csr
Note: The -nodes (no DES) option must be used. Otherwise, the openssl command prompts for a password and encrypts the private key.
7. View the request with this command:
openssl req -in testreq.csr -text -noout | more
The process produces two files:
• testkey.key, which is the private key for the user.
• testreq.csr, which is the certificate request needed for the next step.
###############################################################################
# User Certificate Request Configuration File
[ req ]
default_bits = 2048 # RSA key size
encrypt_key = yes # Protect private key
default_md = sha1 # MD to use
utf8 = yes # Input is UTF-8
string_mask = utf8only # Emit UTF-8 strings
prompt = yes # Prompt for DN
distinguished_name = codesign_dn # DN template
req_extensions = codesign_reqext # Desired request extensions
[ codesign_dn ]
commonName = "Common Name (eg, server name)"
commonName_max = 64
organizationalUnitName = "Organizational Unit Name (eg, section)"
organizationalUnitName_default = MongoDBUser
organizationName = "Organization Name (eg, company)"
organizationName_default = Waysys LLC
stateOrProvinceName = "State Name (eg, region)"
stateOrProvinceName_default = North Carolina
countryName = "Country Name (2 letters) (eg, US)"
countryName_max = 2
countryName_default = US
1.domainComponent = "Second domain component (eg, waysysweb)"
1.domainComponent_default = waysysweb
0.domainComponent = "First domain component (eg, com)"
0.domainComponent_default = com
[ codesign_reqext ]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
• If the HOME environment variable is not set, OpenSSL will issue an error:
unable to write 'random state'
• Piping the output from the OpenSSL command to more produces an output that is more readable than the raw output from the OpenSSL command.
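The procedure above, scripted end to end as an added example (not part of the original page): it generates the user request non-interactively and then verifies that the request carries the extensions MongoDB expects of a client certificate and no Subject Alternative Name. It assumes a POSIX shell (such as the MinGW msys shell the HOME variable points at) with openssl on PATH; the DN values are the page's defaults, the common name "alice" is constructed, and the request digest is set to sha256 rather than the page's sha1.

```shell
#!/bin/sh
# Added example, not the page's own files. Assumes `openssl` is on PATH.
set -eu

WORK="${TMPDIR:-/tmp}/mongo-user-csr.$$"
mkdir -p "$WORK"

# Same request settings as the page's request_user.cfg, except that the DN is
# supplied with -subj (so prompt = no) and the digest is sha256.
cat > "$WORK/request_user.cfg" <<'EOF'
[ req ]
default_bits       = 2048
default_md         = sha256
utf8               = yes
string_mask        = utf8only
prompt             = no
distinguished_name = codesign_dn
req_extensions     = codesign_reqext
[ codesign_dn ]
CN = placeholder
[ codesign_reqext ]
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF

# make_user_csr KEY CSR CN: unencrypted RSA key (-nodes) plus a request whose
# OU is MongoDBUser, i.e. distinct from the server certificates' subjects.
make_user_csr() {
    openssl req -nodes -newkey rsa:2048 -keyout "$1" -config "$WORK/request_user.cfg" \
        -subj "/DC=com/DC=waysysweb/C=US/ST=North Carolina/O=Waysys LLC/OU=MongoDBUser/CN=$3" \
        -out "$2" 2>/dev/null
}

# check_user_csr CSR: succeed only if the request has keyUsage digitalSignature,
# extendedKeyUsage clientAuth, the user OU, and no SAN (SANs belong on servers).
check_user_csr() {
    text=$(openssl req -in "$1" -noout -text)
    echo "$text" | grep -q 'Digital Signature' || { echo "missing keyUsage digitalSignature"; return 1; }
    echo "$text" | grep -q 'TLS Web Client Authentication' || { echo "missing extendedKeyUsage clientAuth"; return 1; }
    echo "$text" | grep -q 'Subject Alternative Name' && { echo "unexpected SAN on a user request"; return 1; }
    echo "$text" | grep -q 'OU *= *MongoDBUser' || { echo "OU is not MongoDBUser"; return 1; }
    return 0
}

make_user_csr "$WORK/testkey.key" "$WORK/testreq.csr" "alice"
check_user_csr "$WORK/testreq.csr" && echo "user request OK: $WORK/testreq.csr"
```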