§2023-07-29

[alexlai@orpi5Arch ~]$ mkdir x.509 && cd $_
[alexlai@orpi5Arch x.509]$ pwd
/opt/xfs/home/alexlai/x.509

¶ Step 0. openssl.cnf

This file serves two purposes: prompt = no together with the [req_distinguished_name] section gives the CA certificate its subject in Step 1 without interactive prompts, and the v3_req / alt_names sections supply the subjectAltName that Step 2 stamps on every node certificate (note: the whole list, on every node certificate).

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = TW
ST = Taiwan
L = Taichung
O = YuShei Ltd.,
OU = Computer Department
CN = yushei.net
emailAddress = alexlai@munetaka.me

# The long-form field names below are the same fields as the short names above
# countryName = Country Name (2 letter code)
# stateOrProvinceName = State or Province Name (full name)
# localityName = Locality Name (eg, city)
# organizationName = Organization Name (eg, company)
# organizationalUnitName = Organizational Unit Name (eg, section)
# commonName = Common Name (e.g., your domain or server name)
# emailAddress = Email Address (e.g., yourname@example.com)

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = orgpi5arch.yushei.net
DNS.2 = hc4Jammy.yushei.net
DNS.3 = hc4MnMin.yushei.net
DNS.4 = n2Mnjaro.yushei.net
DNS.5 = h2Jammy.yushei.net
DNS.6 = h2Nnas01.yushei.net

¶Step 1. Generating the X.509 Certificates

An X.509 certificate is needed for each of our nodes. You will act as the CA, so we sign them ourselves: first create the CA private key, then issue the CA certificate, and then issue one certificate per MongoDB node, signed by that CA.

1.1 Generate the CA private key

$ mkdir x.509 && cd $_
[alexlai@x8664Arch x.509]$ openssl genrsa -out mongoCA.key -aes256 8192  <-- this takes a while (8192-bit RSA; 4096 is already plenty for a private CA)
 
Enter PEM pass phrase:   (TxxxxYxxLxx#1nnn)
Verifying - Enter PEM pass phrase:
$ ls -l
total 8
-rw------- 1 alexlai alexlai 6554  7月 29 09:53 mongoCA.key

1.2 Generate a self-signed X.509 certificate with the RSA private key from 1.1 (mongoCA.key). It is valid for the number of days given with -days (365 here) and is the Certificate Authority (CA) certificate that signs every node certificate below, so it is also the file every client and mongod must trust (--tlsCAFile).

[alexlai@orpi5Arch x.509]$ openssl req -x509 -new  -key mongoCA.key -days 365 -out mongoCA.crt -config openssl.cnf 
Enter pass phrase for mongoCA.key:

Inspect the result with: openssl x509 -noout -text -in mongoCA.crt
Check the X509v3 extensions section and confirm the certificate is marked as a CA (basicConstraints CA:TRUE). The openssl.cnf above defines no x509_extensions section, so what appears there depends on the OpenSSL version's defaults (OpenSSL 3 adds basicConstraints CA:TRUE, a subject key identifier and an authority key identifier on its own; 1.1.1 adds nothing).

$  openssl req -x509 -new -extensions v3_ca -key mongoCA.key -days 395 -out mongoCA.crt ?? not working (this variant omits -config openssl.cnf, so OpenSSL falls back to the system default config: prompt = no does not apply and every DN field is asked for interactively, as shown)
Enter pass phrase for mongoCA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taiwan
Locality Name (eg, city) []:Taichnug
Organization Name (eg, company) [Internet Widgits Pty Ltd]:YuShei Ltd.,
Organizational Unit Name (eg, section) []:Computer Department
Common Name (e.g. server FQDN or YOUR name) []:orgpi5Arch.yushei.net
Email Address []:alexlai@munetaka.me
[alexlai@orpi5Arch x.509]$ ls -l
total 12
-rw-r--r-- 1 alexlai alexlai 3601  7月 29 10:04 mongoCA.crt
-rw------- 1 alexlai alexlai 6554  7月 29 09:53 mongoCA.key

¶Step 2. Using genCertificate.sh

#!/bin/bash

if [ "$1" = "" ]; then
  echo 'usage: ./genCertificate.sh <hostname>'
  echo 'hostname is the fully qualified name used as the CN, e.g. orgPi5Arch.yushei.net'
  exit 1
fi

HOST_NAME="$1"
# O and OU must be identical on every member certificate: mongod compares them
# (together with DC) when a replica-set member authenticates with its certificate
SUBJECT="/C=Tw/ST=Taiwan/L=Taichung/O=yushei.net/OU=ComputerDepartment/CN=$HOST_NAME"

# Generate a 4096-bit key (unencrypted, -nodes, because mongod must read it
# unattended) and the CSR; -subj overrides the DN fields of openssl.cnf
openssl req -new -nodes -newkey rsa:4096 -subj "$SUBJECT" -keyout "$HOST_NAME.key" -out "$HOST_NAME.csr" -config openssl.cnf

# Sign with the CA. "x509 -req" drops the extensions carried in the CSR, so the
# SAN list is re-applied from the v3_req section of openssl.cnf; that is the
# whole alt_names list, so every node certificate is valid for every listed host
openssl x509 -CA mongoCA.crt -CAkey mongoCA.key -CAcreateserial -req -days 395 -in "$HOST_NAME.csr" -out "$HOST_NAME.crt" -extensions v3_req -extfile openssl.cnf

# Concatenate the key and certificate into the PEM file mongod reads
# (--tlsCertificateKeyFile); it contains the private key, so keep it mode 0600
cat "$HOST_NAME.key" "$HOST_NAME.crt" > "$HOST_NAME.pem"

# Clean up temporary files
# rm "$HOST_NAME.key" "$HOST_NAME.crt" "$HOST_NAME.csr"

2.1 Issue a certificate for orgpi5Arch.yushei.net

[alexlai@orpi5Arch x.509]$ ./genCertificate.sh orgpi5arch.yushei.net
-----
Certificate request self-signature ok
subject=C = Tw, ST = Taiwan, L = Taichung, O = yushei.net, OU = ComputerDepartment, CN = orgpi5arch.yushei.net
Enter pass phrase for mongoCA.key:

[alexlai@orpi5Arch x.509]$ ls -l
total 32
-rwxr-xr-x 1 alexlai alexlai 1051  7月 29 10:19 genCertificate.sh
-rw-r--r-- 1 alexlai alexlai 3601  7月 29 10:04 mongoCA.crt
-rw------- 1 alexlai alexlai 6554  7月 29 09:53 mongoCA.key
-rw-r--r-- 1 alexlai alexlai   41  7月 29 10:23 mongoCA.srl
-rw-r--r-- 1 alexlai alexlai 6008  7月 29 10:24 orgpi5Arch.yushei.net.pem

mongoCA.srl is the CA's serial-number file. -CAcreateserial creates it on the first signing with a random serial (the 160-bit value shown in Step 3.1 below); each later signing reads the value, uses it for the new certificate and writes back the next one. Keep it next to mongoCA.key: two certificates issued by the same CA must never share a serial number.
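The script above works, but three things a practitioner would tighten are visible on this page: the CA certificate is produced without an explicit CA extension section, every node certificate receives the whole alt_names list, and the .pem files holding private keys are created 0644. The script below is an added example, not the page's genCertificate.sh and not anything from the MongoDB project. It assumes openssl 1.1.1 or newer on PATH, the same DN values as the openssl.cnf above (country code upper-cased), the mongodb system user and the /var/lib/mongodb/x.509 directory from Step 3, the CA passphrase in the CA_PASS environment variable, and made-up defaults for the CA common name, key size and validity periods. The extendedKeyUsage of serverAuth plus clientAuth is what a MongoDB member certificate needs whenever that extension is present at all, since the same file is used both to accept connections and to authenticate to the other members.

```bash
#!/usr/bin/env bash
# Added example (not the page's genCertificate.sh): the same CA + per-node
# workflow with the gaps closed. The CA certificate carries real CA extensions,
# each node certificate names only its own host in the SAN, the CA passphrase
# comes from $CA_PASS instead of a prompt, and files holding a private key are
# never world-readable. Requires openssl 1.1.1 or newer on PATH.
set -eu
umask 077                               # new files 0600, new directories 0700
: "${KEY_BITS:=4096}" "${DAYS_CA:=1825}" "${DAYS_NODE:=395}"   # assumed defaults
# Assumed DN; same values as the page's openssl.cnf with C in upper case.
# mongod accepts a peer as a replica-set member only if O, OU and DC match its
# own certificate, so every node gets exactly these fields.
DN_BASE="C = TW
ST = Taiwan
L = Taichung
O = YuShei Ltd.
OU = Computer Department"

# make_ca DIR: AES-256-encrypted CA key plus a self-signed CA certificate.
make_ca() {
  local dir=$1; : "${CA_PASS:?export CA_PASS first}"
  mkdir -p "$dir"
  cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
$DN_BASE
CN = yushei.net MongoDB CA
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -aes256 -passout env:CA_PASS -out "$dir/mongoCA.key" "$KEY_BITS"
  openssl req -x509 -new -key "$dir/mongoCA.key" -passin env:CA_PASS \
    -days "$DAYS_CA" -config "$dir/ca.cnf" -out "$dir/mongoCA.crt"
  chmod 644 "$dir/mongoCA.crt"          # the CA certificate is public
}

# issue_node DIR FQDN: key + CSR, signed by the CA with a SAN naming only FQDN,
# then key and certificate combined into FQDN.pem (0600) for mongod.
issue_node() {
  local dir=$1 fqdn=$2; : "${CA_PASS:?export CA_PASS first}"
  cat > "$dir/$fqdn.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
$DN_BASE
CN = $fqdn
[v3_node]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$fqdn
EOF
  openssl req -new -newkey "rsa:$KEY_BITS" -nodes -keyout "$dir/$fqdn.key" \
    -config "$dir/$fqdn.cnf" -out "$dir/$fqdn.csr"
  # "x509 -req" discards extensions requested in the CSR; pass them explicitly.
  openssl x509 -req -in "$dir/$fqdn.csr" -CA "$dir/mongoCA.crt" \
    -CAkey "$dir/mongoCA.key" -passin env:CA_PASS -CAcreateserial \
    -days "$DAYS_NODE" -extfile "$dir/$fqdn.cnf" -extensions v3_node \
    -out "$dir/$fqdn.crt"
  cat "$dir/$fqdn.key" "$dir/$fqdn.crt" > "$dir/$fqdn.pem"
  rm -f "$dir/$fqdn.key" "$dir/$fqdn.csr"  # the key now lives only in the .pem
}

# verify_node DIR NAME [HOST]: chain check against the CA, the hostname match a
# TLS client performs (SAN, not CN), and proof that the key in NAME.pem belongs
# to NAME.crt. Non-zero exit on any mismatch.
verify_node() {
  local dir=$1 name=$2 host=${3:-$2}
  openssl verify -CAfile "$dir/mongoCA.crt" -purpose sslserver \
    -verify_hostname "$host" "$dir/$name.crt" >/dev/null || return 1
  [ "$(openssl x509 -in "$dir/$name.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$dir/$name.pem" -pubout)" ]
}

# install_node DIR FQDN [DEST]: Steps 3 and 4 of the page, run as root, with
# the .pem readable by the mongodb user only (the page's copies stay 0644).
install_node() {
  local dir=$1 fqdn=$2 dest=${3:-/var/lib/mongodb/x.509}
  install -d -o mongodb -g mongodb -m 750 "$dest"
  install -o mongodb -g mongodb -m 644 "$dir/mongoCA.crt" "$dest/mongoCA.crt"
  install -o mongodb -g mongodb -m 600 "$dir/$fqdn.pem" "$dest/$fqdn.pem"
}

# Stand-alone use (hypothetical file name): CA_PASS=... ./mkcerts.sh DIR FQDN...
if [ "$#" -gt 0 ]; then
  out=$1; shift
  [ -f "$out/mongoCA.crt" ] || make_ca "$out"
  for h in "$@"; do issue_node "$out" "$h"; verify_node "$out" "$h"; done
fi
```

verify_node is also the quickest way to reproduce the orgpi5Jammy situation from Step 3.1: run it against a certificate whose SAN does not name the host you pass and it fails with a hostname mismatch even though the CN matches, which is exactly what mongosh or a peer mongod would do.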

¶Step 3. Move the node certificate and the CA certificate into /var/lib/mongodb/x.509

The .pem file contains the node's private key, so it should end up readable by the mongodb user only (chmod 600 after the chown below); the copies made here keep the 0644 mode of the originals.

$ grep mongodb /etc/passwd
mongodb:x:960:960::/var/lib/mongodb:/usr/bin/nologin
$ sudo mkdir /var/lib/mongodb/x.509
$ sudo chown mongodb:mongodb /var/lib/mongodb/x.509
$ sudo cp -v orgpi5Arch.yushei.net.pem /var/lib/mongodb/x.509/
$ sudo cp -v mongoCA.crt /var/lib/mongodb/x.509/
$ su  <-- has to use root
# chown mongodb:mongodb /var/lib/mongodb/x.509/*
3.1 Creating orgpi5Jammy.yushei.net X.509 certificate

Note that orgpi5Jammy.yushei.net is not in the alt_names list of openssl.cnf, so the certificate issued below names that host in its CN only. TLS clients, mongosh and mongod included, match the hostname against the SAN list and ignore the CN when a SAN is present, so add the host to alt_names before relying on this certificate.

[alexlai@orpi5Arch x.509]$ pwd
/opt/xfs/home/alexlai/x.509
[alexlai@orpi5Arch x.509]$ ls
genCertificate.sh  mongoCA.crt  mongoCA.key  mongoCA.srl  orgpi5Arch.yushei.net.pem
[alexlai@orpi5Arch x.509]$ ./genCertificate.sh orgpi5Jammy.yushei.net
-----
Certificate request self-signature ok
subject=C = Tw, ST = Taiwan, L = Taichung, O = yushei.net, OU = ComputerDepartment, CN = orgpi5Jammy.yushei.net
Enter pass phrase for mongoCA.key:

[alexlai@orpi5Arch x.509]$ ls -l
total 36
-rwxr-xr-x 1 alexlai alexlai 1051  7月 29 10:19 genCertificate.sh
-rw-r--r-- 1 alexlai alexlai 3601  7月 29 10:04 mongoCA.crt
-rw------- 1 alexlai alexlai 6554  7月 29 09:53 mongoCA.key
-rw-r--r-- 1 alexlai alexlai   41  7月 29 14:49 mongoCA.srl
-rw-r--r-- 1 alexlai alexlai 6008  7月 29 10:48 orgpi5Arch.yushei.net.pem
-rw-r--r-- 1 alexlai alexlai 6004  7月 29 14:49 orgpi5Jammy.yushei.net.pem
[alexlai@orpi5Arch x.509]$ tail mongoCA.srl 
50AF6DE4D73846720EFEC30CB806380398AA0094

¶Step 4. Set up X.509 on orgpi5Jammy.yushei.net

alexlai@orgpiJammy:~$ grep mongodb /etc/passwd
mongodb:x:966:966::/var/lib/mongodb:/usr/bin/nologin

alexlai@orgpiJammy:~/x.509$ pwd
/opt/xfs/home/alexlai/x.509
alexlai@orgpiJammy:~/x.509$ scp orgpi5Arch.yushei.net://opt/xfs/home/alexlai/x.509/orgpi5Jammy.yushei.net.pem ./
alexlai@orgpi5arch.yushei.net's password: 
orgpi5Jammy.yushei.net.pem                                              100% 6004   752.7KB/s   00:00    
alexlai@orgpiJammy:~/x.509$ scp orgpi5Arch.yushei.net://opt/xfs/home/alexlai/x.509/mongoCA.crt  ./
alexlai@orgpi5arch.yushei.net's password: 
mongoCA.crt   

$ su
# mkdir /var/lib/mongodb/x.509
# cp -v * /var/lib/mongodb/x.509/
'mongoCA.crt' -> '/var/lib/mongodb/x.509/mongoCA.crt'
'orgpi5Jammy.yushei.net.pem' -> '/var/lib/mongodb/x.509/orgpi5Jammy.yushei.net.pem'
# chown mongodb:mongodb /var/lib/mongodb/x.509/*
# ls -l /var/lib/mongodb/x.509/*
-rw-r--r-- 1 mongodb mongodb 3601 Jul 29 15:00 /var/lib/mongodb/x.509/mongoCA.crt
-rw-r--r-- 1 mongodb mongodb 6004 Jul 29 15:00 /var/lib/mongodb/x.509/orgpi5Jammy.yushei.net.pem

¶Step 5. Creating hc4Jammy.yushei.net X.509 certificate and testing a TLS connection

Both mongosh sessions below present the node certificate and trust the CA certificate to connect to orgpi5arch.yushei.net over TLS, once with command-line options and once with the same settings in the connection string. Note the startup warning mongod prints in both: access control is still disabled. The certificates encrypt the channel and let the client verify the server; they do not yet authenticate anyone, which requires enabling access control (--auth) and creating users, password-based or x.509.

[alexlai@orpi5Arch x.509]$ ls
genCertificate.sh  mongoCA.crt  mongoCA.key  mongoCA.srl  orgpi5Arch.yushei.net.pem  orgpi5Jammy.yushei.net.pem
[alexlai@orpi5Arch x.509]$ ./genCertificate.sh hc4Jammy.yushei.net
-----
Certificate request self-signature ok
subject=C = Tw, ST = Taiwan, L = Taichung, O = yushei.net, OU = ComputerDepartment, CN = hc4Jammy.yushei.net
Enter pass phrase for mongoCA.key:
[alexlai@orpi5Arch x.509]$ ls
genCertificate.sh  hc4Jammy.yushei.net.pem  mongoCA.crt  mongoCA.key  mongoCA.srl  orgpi5Arch.yushei.net.pem  orgpi5Jammy.yushei.net.pem

[alexlai@orpi5Arch x.509]$ mongosh --tls --tlsCertificateKeyFile /opt/xfs/mongodb/x.509/orgpi5arch.yushei.net.pem --tlsCAFile /opt/xfs/mongodb/x.509/mongoCA.crt mongodb://orgpi5arch.yushei.net:27999
Current Mongosh Log ID: 64cb49f677d5cb648cac2f7c
Connecting to:          mongodb://orgpi5arch.yushei.net:27999/?directConnection=true&tls=true&tlsCertificateKeyFile=%2Fopt%2Fxfs%2Fmongodb%2Fx.509%2Forgpi5arch.yushei.net.pem&tlsCAFile=%2Fopt%2Fxfs%2Fmongodb%2Fx.509%2FmongoCA.crt&appName=mongosh+1.10.1
Using MongoDB:          7.0.0-rc8
Using Mongosh:          1.10.1

For mongosh info see: https://docs.mongodb.com/mongodb-shell/

------
   The server generated these startup warnings when booting
   2023-08-03T14:16:24.568+08:00: Access control is not enabled for the database. Read and write access to data and configuration is unrestricted
------

test> 
[alexlai@orpi5Arch x.509]$ mongosh "mongodb://orgpi5arch.yushei.net:27999/?tls=true&tlsCertificateKeyFile=/opt/xfs/mongodb/x.509/orgpi5arch.yushei.net.pem&tlsCAFile=/opt/xfs/mongodb/x.509/mongoCA.crt"
Current Mongosh Log ID: 64cb4b155ec5fe4490544969
Connecting to:          mongodb://orgpi5arch.yushei.net:27999/?tls=true&tlsCertificateKeyFile=%2Fopt%2Fxfs%2Fmongodb%2Fx.509%2Forgpi5arch.yushei.net.pem&tlsCAFile=%2Fopt%2Fxfs%2Fmongodb%2Fx.509%2FmongoCA.crt&directConnection=true&appName=mongosh+1.10.1
Using MongoDB:          7.0.0-rc8
Using Mongosh:          1.10.1

For mongosh info see: https://docs.mongodb.com/mongodb-shell/

------
   The server generated these startup warnings when booting
   2023-08-03T14:16:24.568+08:00: Access control is not enabled for the database. Read and write access to data and configuration is unrestricted
------

test>