MongoDB Notes

Create a Certificate Request for a User Certificate

 

Creating a user certificate is similar to creating a member certificate.  The main differences are:

 

The user configuration lacks the alt_names section, which specifies the Subject Alternative Names.  Subject Alternative Names are used by servers but are not used to authenticate users.

The user configuration has the codesign_reqext section that specifies keyUsage and extendedKeyUsage, as required by MongoDB.

The OU in the certificate request has been changed from MongoDBServer to MongoDBUser.  You can use whatever names you wish for the organizational unit.  Just be sure that the subject of a user certificate differs from the subjects of your server certificates as required by MongoDB.

The openssl req command uses the request_user.cfg file instead of the request_member.cfg file.

The resulting .PEM file will be named to indicate that it is a user certificate rather than a member certificate.

 

Procedure

 

1. Open a command window.

2. Change directories to C:\ca.

3. Set the HOME environment variable with this command:

SET HOME=C:\MinGW\msys\1.0

 

4. Create a configuration file for the request like the one below.  Name it request_user.cfg.

5. Modify the configuration file with the desired values of the distinguished name.

6. Run this OpenSSL command, referencing the configuration file.  The command prompts you for each field of the distinguished name.  You can accept a default value by just pressing the Enter key.

openssl req -nodes -newkey rsa:2048 -keyout testkey.key -config request_user.cfg -out testreq.csr

 

Note: The -nodes (no DES) option must be used.  Otherwise, the openssl command prompts for a password and encrypts the private key.  The option overrides the encrypt_key = yes setting in the configuration file, so the private key is written unencrypted.

 

7. View the request with this command:

openssl req -in testreq.csr -text -noout | more

The process produces two files:

testkey.key, which is the private key for the user.

testreq.csr, which is the certificate request needed for the next step.
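As an added example that is not part of the original notes, the following POSIX shell script (it runs in the MSYS shell referenced by HOME as well as on Linux) performs steps 4 to 7 without interactive prompting by using a prompt = no variant of request_user.cfg, and then checks the decoded request for the properties described above: the clientAuth extended key usage, the digitalSignature key usage, no Subject Alternative Name, and an OU that differs from the server OU.  It assumes openssl is on the PATH; the organization, domain components, working directory and the switch to sha256 are choices made for this example.

```shell
# Added example, not from the original notes. Assumes openssl is on the PATH;
# the organization, domain components and working directory are constructed.
WORK="${TMPDIR:-/tmp}/mongo_user_csr_example"

# Steps 4 to 6: write a prompt=no variant of request_user.cfg and create the
# key and request without interactive prompting. $1 = common name, $2 = OU.
make_user_csr() {
    mkdir -p "$WORK"
    cat > "$WORK/request_user.cfg" <<EOF
[ req ]
default_bits        = 2048
encrypt_key         = no         # same effect as -nodes
default_md          = sha256
utf8                = yes
string_mask         = utf8only
prompt              = no         # take the DN from codesign_dn
distinguished_name  = codesign_dn
req_extensions      = codesign_reqext

[ codesign_dn ]
CN   = $1
OU   = $2
O    = Example Org
ST   = North Carolina
C    = US
1.DC = example
0.DC = com

[ codesign_reqext ]
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl req -new -nodes -newkey rsa:2048 -keyout "$WORK/testkey.key" \
        -config "$WORK/request_user.cfg" -out "$WORK/testreq.csr" 2>/dev/null
}
# Step 7: decode the request.
show_csr() { openssl req -in "$WORK/testreq.csr" -text -noout; }
# Return 0 only if the request has the clientAuth EKU and digitalSignature key
# usage, carries no Subject Alternative Name, and its OU differs from $1.
check_user_csr() {
    text=$(show_csr) || return 1
    printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication' || return 1
    printf '%s\n' "$text" | grep -q 'Digital Signature' || return 1
    printf '%s\n' "$text" | grep -q 'Subject Alternative Name' && return 1
    printf '%s\n' "$text" | grep -q "OU *= *$1" && return 1
    return 0
}
```

Call make_user_csr with the user's common name and OU, then check_user_csr with the OU used for your server certificates; a non-zero exit means the request would not satisfy the requirements listed above.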

 

Example Configuration File for a User Certificate Request

 

###############################################################################
# User Certificate Request Configuration File

[ req ]
default_bits            = 2048                  # RSA key size
encrypt_key             = yes                   # Protect private key (overridden by -nodes on the command line)
default_md              = sha1                  # MD to use (SHA-1 is deprecated; sha256 is preferred)
utf8                    = yes                   # Input is UTF-8
string_mask             = utf8only              # Emit UTF-8 strings
prompt                  = yes                   # Prompt for DN
distinguished_name      = codesign_dn           # DN template
req_extensions          = codesign_reqext       # Desired request extensions

[ codesign_dn ]
commonName              = "Common Name         (eg, server name )"
commonName_max          = 64
organizationalUnitName  = "Organizational Unit Name (eg, section)"
organizationalUnitName_default = MongoDBUser
organizationName        = "Organization Name        (eg, company)"
organizationName_default = Waysys LLC
stateOrProvinceName     = "State Name                (eg, region)"
stateOrProvinceName_default = North Carolina
countryName             = "Country Name (2 letters)      (eg, US)"
countryName_max         = 2
countryName_default     = US
1.domainComponent       = "Second domain component (eg. waysysweb)"
1.domainComponent_default = waysysweb
0.domainComponent       = "First domain component       (eg. com)"
0.domainComponent_default = com

[ codesign_reqext ]
keyUsage                = digitalSignature      # Required by MongoDB for user certificates
extendedKeyUsage        = clientAuth            # Required by MongoDB for user certificates

 

Issues

 

If the HOME environment variable is not set, OpenSSL will issue an error:

 

unable to write 'random state'

 

Piping the output of the OpenSSL command through more makes it easier to read than the raw output of the OpenSSL command.