
Appendix C - OpenSSL Client Certificates for Testing Self-Managed Deployments

Warning

Disclaimer

This page is provided for testing purposes only and the certificates are for testing purposes only.

The following tutorial provides some basic steps for creating test X.509 certificates.

  • Do not use these certificates in production. Follow your security policy instead.

  • For more information on OpenSSL, refer to the official OpenSSL Docs. This tutorial uses OpenSSL, but do not use this document as an authoritative reference for OpenSSL.

The procedure outlined on this page uses the test intermediate authority certificate and key mongodb-test-ia.crt and mongodb-test-ia.key created in Appendix A - OpenSSL CA Certificate for Testing Self-Managed Deployments.

The following procedure outlines the steps to create test certificates for MongoDB clients. For steps to create test certificates for MongoDB servers, see Appendix B - OpenSSL Server Certificates for Testing Self-Managed Deployments.

  1. Create a test configuration file openssl-test-client.cnf for your client with the following content:

    # NOT FOR PRODUCTION USE. OpenSSL configuration file for testing.
    [ req ]
    default_bits = 4096
    default_keyfile = myTestClientCertificateKey.pem ## The default private key file name.
    default_md = sha256
    distinguished_name = req_dn
    req_extensions = v3_req
    [ v3_req ]
    subjectKeyIdentifier = hash
    basicConstraints = CA:FALSE
    keyUsage = critical, digitalSignature, keyEncipherment
    nsComment = "OpenSSL Generated Certificate for TESTING only. NOT FOR PRODUCTION USE."
    extendedKeyUsage = serverAuth, clientAuth
    [ req_dn ]
    countryName = Country Name (2 letter code)
    countryName_default =
    countryName_min = 2
    countryName_max = 2
    stateOrProvinceName = State or Province Name (full name)
    stateOrProvinceName_default = TestClientCertificateState
    stateOrProvinceName_max = 64
    localityName = Locality Name (eg, city)
    localityName_default = TestClientCertificateLocality
    localityName_max = 64
    organizationName = Organization Name (eg, company)
    organizationName_default = TestClientCertificateOrg
    organizationName_max = 64
    organizationalUnitName = Organizational Unit Name (eg, section)
    organizationalUnitName_default = TestClientCertificateOrgUnit
    organizationalUnitName_max = 64
    commonName = Common Name (eg, YOUR name)
    commonName_max = 64

  2. Optional. You can update the default Distinguished Name (DN) values. Ensure that client certificates differ from server certificates with regards to at least one of the following attributes: Organization (O), the Organizational Unit (OU) or the Domain Component (DC).

  3. Create the test key file mongodb-test-client.key.

    openssl genrsa -out mongodb-test-client.key 4096
  4. Create the test certificate signing request mongodb-test-client.csr. When asked for Distinguished Name values, enter the appropriate values for your test certificate:

    Important

    The client certificate subject must differ from a server certificate subject with regards to at least one of the following attributes: Organization (O), the Organizational Unit (OU) or the Domain Component (DC).

    openssl req -new -key mongodb-test-client.key -out mongodb-test-client.csr -config openssl-test-client.cnf
  5. Create the test client certificate mongodb-test-client.crt.

    openssl x509 -sha256 -req -days 365 -in mongodb-test-client.csr -CA mongodb-test-ia.crt -CAkey mongodb-test-ia.key -CAcreateserial -out mongodb-test-client.crt -extfile openssl-test-client.cnf -extensions v3_req
  6. Create the test PEM file for the client.

    cat mongodb-test-client.crt mongodb-test-client.key > test-client.pem

    You can use the test PEM file to configure mongosh for TLS/SSL testing. For example, to connect to a mongod or a mongos:

    Include the following options for the client:

    mongosh --tls --host <serverHost> --tlsCertificateKeyFile test-client.pem --tlsCAFile test-ca.pem

    On macOS:

    If you are testing with Keychain Access to manage certificates, create a PKCS 12 file to add to Keychain Access instead of a PEM file:

    openssl pkcs12 -export -out test-client.pfx -inkey mongodb-test-client.key -in mongodb-test-client.crt -certfile mongodb-test-ia.crt

    Once added to Keychain Access, instead of specifying the certificate key file, you can use --tlsCertificateSelector to specify the certificate to use. If the CA file is also in Keychain Access, you can omit --tlsCAFile as well, as in the following example:

    mongosh --tls --tlsCertificateSelector subject="<TestClientCertificateCommonName>"

    For adding certificates to Keychain Access, refer to the official documentation for Keychain Access.
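As an added check that is not part of this page or the MongoDB docs, the script below verifies that the test client certificate created above chains to the test CA bundle, is usable for TLS client authentication, and has a subject that differs from the server certificate in O, OU or DC, as required in step 4. It assumes the file names used on this page and in Appendix A; the server certificate name mongodb-test-server.crt is an assumed placeholder for the Appendix B certificate.

```shell
#!/bin/sh
# Added sanity check for the test client certificate created on this page.
# Not from the MongoDB docs. Assumes the file names used above; the server
# certificate name mongodb-test-server.crt is an assumed placeholder.

# Print the value(s) of one attribute type (O, OU, DC, CN, ...) from an
# RFC 2253 subject string such as "CN=client,OU=unit,O=org".
# Caveat: a comma escaped inside a value (\,) is not handled here.
dn_attr() {
  printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^[[:space:]]*$2=//p"
}

# Succeed (exit 0) only when the two subjects differ in at least one of
# O, OU or DC, which is what this page requires for client vs. server certs.
dn_differs() {
  for attr in O OU DC; do
    a=$(dn_attr "$1" "$attr")
    b=$(dn_attr "$2" "$attr")
    if [ "$a" != "$b" ]; then
      return 0
    fi
  done
  return 1
}

# Check a real client certificate: chain to the test CA bundle, usability as
# a TLS client (keyUsage + extendedKeyUsage), and subject difference from
# the server certificate.
check_client_cert() {
  client=${1:-mongodb-test-client.crt}
  ca=${2:-test-ca.pem}                 # CA bundle (root + IA) from Appendix A
  server=${3:-mongodb-test-server.crt} # assumed name of the Appendix B cert
  openssl verify -CAfile "$ca" "$client" >/dev/null || return 1
  openssl x509 -in "$client" -noout -purpose \
    | grep -q '^SSL client : Yes' || return 1
  c_subj=$(openssl x509 -in "$client" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//')
  s_subj=$(openssl x509 -in "$server" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//')
  dn_differs "$c_subj" "$s_subj"
}

# Run the full check only when invoked with file arguments, for example:
#   sh check-client-cert.sh mongodb-test-client.crt test-ca.pem mongodb-test-server.crt
if [ "$#" -gt 0 ]; then
  if check_client_cert "$@"; then
    echo "client certificate OK"
  else
    echo "client certificate FAILED a check" >&2
    exit 1
  fi
fi
```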
