§2023-07-29
- Generating the X.509 Certificates
- Machine: orgpi5Arch.yushei.net
- generate a Private Key, mongoDB.key
- using this mongoDB.key to create a mongoDB.CA valid for 395 days
- using mongoDB.key and mongoCA.crt to create orgpi5Arch.yushei.net.pem
[alexlai@orpi5Arch ~]$ mkdir x.509 && cd $_
[alexlai@orpi5Arch x.509]$ pwd
/opt/xfs/home/alexlai/x.509
¶ Step 0, openssl.cnf
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = TW
ST = Taiwan
L = Taichung
O = YuShei Ltd.,
OU = Computer Department
CN = yushei.net
emailAddress = alexlai@munetaka.me
# the following long-form names are equivalent to the short ones above
# countryName = Country Name (2 letter code)
# stateOrProvinceName = State or Province Name (full name)
# localityName = Locality Name (eg, city)
# organizationName = Organization Name (eg, company)
# organizationalUnitName = Organizational Unit Name (eg, section)
# commonName = Common Name (e.g., your domain or server name)
# emailAddress = Email Address (e.g., yourname@example.com)
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = orgpi5arch.yushei.net
DNS.2 = hc4Jammy.yushei.net
DNS.3 = hc4MnMin.yushei.net
DNS.4 = n2Mnjaro.yushei.net
DNS.5 = h2Jammy.yushei.net
DNS.6 = h2Nnas01.yushei.net
DNS.7 = *.yushei.net
¶ Step 1. Generating the X.509 Certificates
An X.509 certificate needs to be generated for each of our nodes. We act as our own CA and sign them ourselves: first create a private key, issue a CA certificate, and then issue three more certificates, one for each MongoDB node.
- Generate an RSA private key, encrypted with AES-256 and with a key size of 8192 bits, and write it to a file named mongoCA.key:
$ mkdir x.509 && cd $_
[alexlai@x8664Arch x.509]$ openssl genrsa -out mongoCA.key -aes256 2048 # 8192 bits would make encryption and decryption noticeably slower; 2048 is a good choice
Enter PEM pass phrase: (TxxxxYxxLxx#1nnn)
Verifying - Enter PEM pass phrase:
$ ls -l
total 8
-rw------- 1 alexlai alexlai 6554 7月 29 09:53 mongoCA.key
1.2 Generate a self-signed X.509 certificate with the RSA private key just created ("mongoCA.key"). This certificate will be valid for 365 + 30 days and is intended to be used as the Certificate Authority (CA) certificate.
$ openssl req -x509 -new -key mongoCA.key -days 365 -out mongoCA.crt -config openssl.cnf
Enter pass phrase for mongoCA.key:
$ openssl x509 -noout -text -in mongoCA.crt   # inspect the CA certificate
¶ Step 2, Using genCertificate.sh
#!/bin/bash
# Issue a node certificate signed by mongoCA.crt and bundle key + certificate into one PEM.
# Stop on the first failing openssl command so a half-written bundle is never produced.
set -e
if [ -z "$1" ]; then
echo 'hostname is the fully qualified name, i.e. orgPi5Arch.yushei.net'
echo 'Usage: ./genCertificate.sh <hostname (CN)>'
exit 1
fi
HOST_NAME="$1"
SUBJECT="/C=Tw/ST=Taiwan/L=Taichung/O=yushei.net/OU=ComputerDepartment/CN=$HOST_NAME"
# Generate a fresh 4096-bit key and a CSR; -subj overrides the DN in openssl.cnf, -nodes leaves the key unencrypted
openssl req -new -nodes -newkey rsa:4096 -subj "$SUBJECT" -keyout "$HOST_NAME.key" -out "$HOST_NAME.csr" -config openssl.cnf
# Sign the CSR with the CA; the SAN list comes from the [v3_req] section of openssl.cnf (prompts for the mongoCA.key passphrase)
openssl x509 -CA mongoCA.crt -CAkey mongoCA.key -CAcreateserial -req -days 395 -in "$HOST_NAME.csr" -out "$HOST_NAME.crt" -extensions v3_req -extfile openssl.cnf
# Concatenate the key and certificate into the single PEM file mongod/mongosh expect
cat "$HOST_NAME.key" "$HOST_NAME.crt" > "$HOST_NAME.pem"
# Clean up temporary files (uncomment once you have verified the .pem)
# rm "$HOST_NAME.key" "$HOST_NAME.crt" "$HOST_NAME.csr"
- $HOST_NAME.key: the private key, not the public key. The private key is a crucial component of an SSL/TLS certificate and must be kept secret by the server. It is used for decrypting encrypted data sent by clients.
- $HOST_NAME.crt: the signed SSL/TLS certificate, which contains
  - the public key
  - and other information about the server.
  - The certificate is meant to be publicly available so that clients can verify the authenticity of the server and establish a secure connection.
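The following script is an added example, not part of these notes or of MongoDB: it repeats the Step 1 and Step 2 procedure in one runnable file (throwaway CA, per-host certificate, key + certificate bundled into a .pem exactly as genCertificate.sh does) and then adds the checks a TLS client such as mongosh with --tlsCAFile will make before the first connection: chain to the CA, hostname present in the SAN, not about to expire, and private key matching the certificate. One design difference from the notes' openssl.cnf is deliberate: there the shared [alt_names] section (including *.yushei.net) is stamped into every node certificate, so each node's key is valid for every other host; here the SAN names only the host being issued. Hostnames, the work directory and the unencrypted CA key (no -aes256, so the script runs unattended) are assumptions of the example.

```shell
#!/bin/sh
# Added example (not part of the original notes): throwaway CA, per-host
# certificate, .pem bundle, and the client-side checks on that bundle.
# Assumptions: hostnames and directories are invented; keys are unencrypted.
set -eu

# Create the CA key pair and a self-signed CA certificate. CA:TRUE is set
# explicitly so "openssl verify" accepts the root on OpenSSL 1.1.1 and 3.x.
make_ca() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
C = TW
O = Example Ltd
CN = example-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$dir/mongoCA.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/mongoCA.key" -days 395 \
        -config "$dir/ca.cnf" -extensions v3_ca -out "$dir/mongoCA.crt"
}

# Issue a certificate for one host. The SAN lists only that host, unlike the
# shared [alt_names] in the notes' openssl.cnf, so one node's key cannot be
# used to impersonate the others.
issue_cert() {
    dir="$1"; host="$2"
    cat > "$dir/$host.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
C = TW
O = Example Ltd
CN = $host
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:$host
EOF
    openssl req -new -nodes -newkey rsa:2048 -keyout "$dir/$host.key" \
        -out "$dir/$host.csr" -config "$dir/$host.cnf" 2>/dev/null
    # -CAcreateserial writes mongoCA.srl next to mongoCA.crt on first use
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/mongoCA.crt" \
        -CAkey "$dir/mongoCA.key" -CAcreateserial -days 395 \
        -extfile "$dir/$host.cnf" -extensions v3_req \
        -out "$dir/$host.crt" 2>/dev/null
    # mongod and mongosh expect key and certificate in a single PEM file
    cat "$dir/$host.key" "$dir/$host.crt" > "$dir/$host.pem"
}

# Check a bundle the way a client will: chains to the CA, the name matches
# the SAN, not expiring within 30 days, and the key belongs to the cert.
# Returns 0 when every check passes, 1 on the first failure.
verify_pem() {
    dir="$1"; host="$2"; pem="$3"
    openssl verify -CAfile "$dir/mongoCA.crt" -verify_hostname "$host" \
        "$pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$pem" -noout -checkend 2592000 >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$pem" -pubout)
    [ "$cert_pub" = "$key_pub" ] || return 1
    return 0
}

# Example run: sh thisfile.sh node1.example.test  (writes ./x.509-example)
if [ $# -gt 0 ]; then
    make_ca ./x.509-example
    issue_cert ./x.509-example "$1"
    verify_pem ./x.509-example "$1" "./x.509-example/$1.pem" && echo "$1.pem: OK"
fi
```

The same verify_pem checks can be pointed at the notes' own files (mongoCA.crt and orgpi5arch.yushei.net.pem) before copying them into the mongod directory; a hostname that is not in the SAN, or a .pem whose key was regenerated after signing, fails here with the same reason mongosh would later report as a TLS handshake error.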
2.1 issue a certificate for orgpi5Arch.yushei.net
[alexlai@orpi5Arch x.509]$ ./genCertificate.sh orgpi5arch.yushei.net
-----
Certificate request self-signature ok
subject=C = Tw, ST = Taiwan, L = Taichung, O = yushei.net, OU = ComputerDepartment, CN = orgpi5arch.yushei.net
Enter pass phrase for mongoCA.key:
[alexlai@orpi5Arch x.509]$ ls -l
[alexlai@orpi5Arch x.509]$ openssl x509 -noout -text -in orgpi5arch.yushei.net.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
63:1b:a6:76:c5:64:12:32:77:0d:0f:1c:c5:f9:c8:97:54:49:25:3b
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = TW, ST = Taiwan, L = Taichung, O = "YuShei Ltd.,", OU = Computer Department, CN = yushei.net, emailAddress = alexlai@munetaka.me
Validity
Not Before: Aug 3 07:29:05 2023 GMT
Not After : Sep 1 07:29:05 2024 GMT
Subject: C = Tw, ST = Taiwan, L = Taichung, O = yushei.net, OU = ComputerDepartment, CN = orgpi5arch.yushei.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:ad:2b:ad:99:0f:34:80:a5:a5:47:ef:f3:1a:92:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:orgpi5arch.yushei.net, DNS:hc4Jammy.yushei.net, DNS:hc4MnMin.yushei.net, DNS:n2Mnjaro.yushei.net, DNS:h2Jammy.yushei.net, DNS:h2Nnas01.yushei.net, DNS:*.yushei.net
X509v3 Subject Key Identifier:
C8:84:EF:19:F5:20:39:ED:B8:97:54:56:72:7A:31:98:5A:99:37:A8
X509v3 Authority Key Identifier:
DirName:/C=TW/ST=Taiwan/L=Taichung/O=YuShei Ltd.,/OU=Computer Department/CN=yushei.net/emailAddress=alexlai@munetaka.me
serial:1A:45:D6:EB:29:35:5E:9B:B2:82:A3:84:DD:A3:80:4B:58:C3:EC:50
Signature Algorithm: sha256WithRSAEncryption
The *.srl file (here mongoCA.srl, created by -CAcreateserial) is commonly referred to as a "serial" file. It is a small text file that keeps track of the serial numbers assigned to certificates when a Certificate Authority (CA) signs Certificate Signing Requests (CSRs) to issue SSL/TLS certificates.
¶ Step 3. move keys into /opt/xfs/mongodb/x.509
# chown mongodb:mongodb /var/lib/mongodb/x.509/*
[alexlai@orpi5Arch x.509]$ mongosh --tls --tlsCertificateKeyFile /opt/xfs/mongodb/x.509/orgpi5arch.yushei.net.pem --tlsCAFile /opt/xfs/mongodb/x.509/mongoCA.crt mongodb://orgpi5arch.yushei.net:27999
Current Mongosh Log ID: 64cb49f677d5cb648cac2f7c
Connecting to: mongodb://orgpi5arch.yushei.net:27999/?directConnection=true&tls=true&tlsCertificateKeyFile=%2Fopt%2Fxfs%2Fmongodb%2Fx.509%2Forgpi5arch.yushei.net.pem&tlsCAFile=%2Fopt%2Fxfs%2Fmongodb%2Fx.509%2FmongoCA.crt&appName=mongosh+1.10.1
Using MongoDB: 7.0.0-rc8
Using Mongosh: 1.10.1
For mongosh info see: https://docs.mongodb.com/mongodb-shell/
------
The server generated these startup warnings when booting
2023-08-03T14:16:24.568+08:00: Access control is not enabled for the database. Read and write access to data and configuration is unrestricted
------
test>
[alexlai@orpi5Arch x.509]$ mongosh "mongodb://orgpi5arch.yushei.net:27999/?tls=true&tlsCertificateKeyFile=/opt/xfs/mongodb/x.509/orgpi5arch.yushei.net.pem&tlsCAFile=/opt/xfs/mongodb/x.509/mongoCA.crt"
Current Mongosh Log ID: 64cb4b155ec5fe4490544969
Connecting to: mongodb://orgpi5arch.yushei.net:27999/?tls=true&tlsCertificateKeyFile=%2Fopt%2Fxfs%2Fmongodb%2Fx.509%2Forgpi5arch.yushei.net.pem&tlsCAFile=%2Fopt%2Fxfs%2Fmongodb%2Fx.509%2FmongoCA.crt&directConnection=true&appName=mongosh+1.10.1
Using MongoDB: 7.0.0-rc8
Using Mongosh: 1.10.1
For mongosh info see: https://docs.mongodb.com/mongodb-shell/
------
The server generated these startup warnings when booting
2023-08-03T14:16:24.568+08:00: Access control is not enabled for the database. Read and write access to data and configuration is unrestricted
------
test>