
Appendix A - OpenSSL CA Certificate for Testing Self-Managed Deployments

Warning

Disclaimer

This page is provided for testing purposes only, and the certificates it produces are to be used for testing only.

The following tutorial provides some guidelines for creating test X.509 certificates:

  • Do not use these certificates in production. Follow your organization's security policy instead.

  • For more information on OpenSSL, refer to the official OpenSSL Docs. Although this tutorial uses OpenSSL, it should not be treated as an authoritative reference for OpenSSL.

The following procedure outlines the steps to create a test CA PEM file. It creates the CA PEM file together with an intermediate authority certificate and key, which you then use to sign the server and client test certificates.

  1. Create a configuration file openssl-test-ca.cnf with the following content:

    # NOT FOR PRODUCTION USE. OpenSSL configuration file for testing.
    # For the CA policy
    [ policy_match ]
    countryName = match
    stateOrProvinceName = match
    organizationName = match
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional
    [ req ]
    default_bits = 4096
    default_keyfile = myTestCertificateKey.pem ## The default private key file name.
    default_md = sha256 ## Use SHA-256 for Signatures
    distinguished_name = req_dn
    req_extensions = v3_req
    x509_extensions = v3_ca # The extensions to add to the self signed cert
    [ v3_req ]
    subjectKeyIdentifier = hash
    basicConstraints = CA:FALSE
    keyUsage = critical, digitalSignature, keyEncipherment
    nsComment = "OpenSSL Generated Certificate for TESTING only. NOT FOR PRODUCTION USE."
    extendedKeyUsage = serverAuth, clientAuth
    [ req_dn ]
    countryName = Country Name (2 letter code)
    countryName_default =
    countryName_min = 2
    countryName_max = 2
    stateOrProvinceName = State or Province Name (full name)
    stateOrProvinceName_default = TestCertificateStateName
    stateOrProvinceName_max = 64
    localityName = Locality Name (eg, city)
    localityName_default = TestCertificateLocalityName
    localityName_max = 64
    organizationName = Organization Name (eg, company)
    organizationName_default = TestCertificateOrgName
    organizationName_max = 64
    organizationalUnitName = Organizational Unit Name (eg, section)
    organizationalUnitName_default = TestCertificateOrgUnitName
    organizationalUnitName_max = 64
    commonName = Common Name (eg, YOUR name)
    commonName_max = 64
    [ v3_ca ]
    # Extensions for a typical CA
    subjectKeyIdentifier=hash
    basicConstraints = critical,CA:true
    authorityKeyIdentifier=keyid:always,issuer:always
    Optional. You can update the default DN (Distinguished Name) values.

  2. Create the test CA key file mongodb-test-ca.key.

    openssl genrsa -out mongodb-test-ca.key 4096

    This private key is used to generate valid certificates for the CA. Although this private key, like all files in this appendix, is intended for testing purposes only, you should follow good security practice and protect this key file.

  3. Create the CA certificate mongodb-test-ca.crt using the generated key file. When asked for Distinguished Name values, enter the appropriate values for your test CA certificate.

    openssl req -new -x509 -days 1826 -key mongodb-test-ca.key -out mongodb-test-ca.crt -config openssl-test-ca.cnf

  4. Create the private key for the intermediate certificate.

    openssl genrsa -out mongodb-test-ia.key 4096

    This private key is used to generate valid certificates for the intermediate authority. Although this private key, like all files in this appendix, is intended for testing purposes only, you should follow good security practice and protect this key file.

  5. Create the certificate signing request for the intermediate certificate. When asked for Distinguished Name values, enter the appropriate values for your test Intermediate Authority certificate.

    openssl req -new -key mongodb-test-ia.key -out mongodb-test-ia.csr -config openssl-test-ca.cnf

  6. Create the intermediate certificate mongodb-test-ia.crt. The -extensions v3_ca option applies the CA extensions from the configuration file, so the intermediate is issued with CA:true even though the CSR's v3_req section requested CA:FALSE.

    openssl x509 -sha256 -req -days 730 -in mongodb-test-ia.csr -CA mongodb-test-ca.crt -CAkey mongodb-test-ca.key -set_serial 01 -out mongodb-test-ia.crt -extfile openssl-test-ca.cnf -extensions v3_ca

  7. Create the test CA PEM file from the test CA certificate mongodb-test-ca.crt and the test intermediate certificate mongodb-test-ia.crt. Both certificates must be in the bundle: a server or client certificate issued by the intermediate cannot be verified against the root certificate alone.

    cat mongodb-test-ia.crt mongodb-test-ca.crt > test-ca.pem

You can use the test PEM file when configuring mongod, mongos, or mongosh for TLS/SSL testing.

You can use the test intermediate authority to sign the test certificates for both the server(s) and client(s). A single authority must issue the certificates for both the client and the server.
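The following script runs the whole procedure above non-interactively, issues one server certificate from the test intermediate, and then checks the result the way a TLS client would. It is an added example and not code from the MongoDB documentation. It assumes a working openssl binary; the DN values and the hostname localhost are placeholders; the [v3_server] section and the serial number 02 for the server certificate are this example's additions, not part of the page's openssl-test-ca.cnf; KEY_BITS defaults to the page's 4096 and can be lowered for faster test runs.

```shell
#!/bin/sh
# Added example (not the MongoDB page's code): drive the appendix's steps with
# -subj instead of DN prompts, issue a server cert from the intermediate, and
# verify it against the test-ca.pem bundle and against the root cert alone.
set -eu

KEY_BITS="${KEY_BITS:-4096}"   # page uses 4096; assumption: override allowed for speed
DN_BASE="/C=US/ST=TestCertificateStateName/L=TestCertificateLocalityName/O=TestCertificateOrgName"

# Trimmed copy of the page's openssl-test-ca.cnf plus an added [v3_server]
# section (assumption: a leaf profile with a SAN, which the page does not define).
write_test_config() {  # $1 = output path, $2 = hostname for the server SAN
  cat >"$1" <<EOF
# NOT FOR PRODUCTION USE. OpenSSL configuration file for testing.
[ req ]
default_bits = ${KEY_BITS}
default_md = sha256
distinguished_name = req_dn
req_extensions = v3_req
x509_extensions = v3_ca
[ req_dn ]
countryName = Country Name (2 letter code)
commonName = Common Name
[ v3_req ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
[ v3_ca ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:true
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_server ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$2
EOF
}

# Steps 1 to 7 of the appendix in one function; $1 = working directory.
build_test_ca() {
  dir="$1"; cnf="$dir/openssl-test-ca.cnf"
  write_test_config "$cnf" localhost
  openssl genrsa -out "$dir/mongodb-test-ca.key" "$KEY_BITS" 2>/dev/null
  openssl req -new -x509 -days 1826 -key "$dir/mongodb-test-ca.key" \
    -out "$dir/mongodb-test-ca.crt" -config "$cnf" -subj "$DN_BASE/CN=mongodb-test-ca"
  openssl genrsa -out "$dir/mongodb-test-ia.key" "$KEY_BITS" 2>/dev/null
  openssl req -new -key "$dir/mongodb-test-ia.key" -out "$dir/mongodb-test-ia.csr" \
    -config "$cnf" -subj "$DN_BASE/CN=mongodb-test-ia"
  # -extensions v3_ca overrides the CA:FALSE the CSR requested via v3_req.
  openssl x509 -sha256 -req -days 730 -in "$dir/mongodb-test-ia.csr" \
    -CA "$dir/mongodb-test-ca.crt" -CAkey "$dir/mongodb-test-ca.key" -set_serial 01 \
    -out "$dir/mongodb-test-ia.crt" -extfile "$cnf" -extensions v3_ca 2>/dev/null
  # Intermediate first, then root: this is the bundle mongod/mongos/mongosh trust.
  cat "$dir/mongodb-test-ia.crt" "$dir/mongodb-test-ca.crt" >"$dir/test-ca.pem"
}

# Issue a server certificate from the intermediate; $1 = work dir, $2 = hostname.
issue_server_cert() {
  dir="$1"; cnf="$dir/openssl-test-ca.cnf"
  write_test_config "$cnf" "$2"
  openssl genrsa -out "$dir/server.key" "$KEY_BITS" 2>/dev/null
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" -config "$cnf" \
    -subj "$DN_BASE/CN=$2"
  # Serials only need to be unique per issuer (01 above was issued by the root);
  # 02 simply keeps the two certificates easy to tell apart.
  openssl x509 -sha256 -req -days 365 -in "$dir/server.csr" \
    -CA "$dir/mongodb-test-ia.crt" -CAkey "$dir/mongodb-test-ia.key" -set_serial 02 \
    -out "$dir/server.crt" -extfile "$cnf" -extensions v3_server 2>/dev/null
}

# Prints OK if cert $2 chains to a root in bundle $1 (system CA dir ignored)
# and carries a TLS-server profile, FAIL otherwise.
verify_server_cert() {
  if openssl verify -no-CApath -CAfile "$1" -purpose sslserver "$2" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

# Prints yes if certificate $1 asserts basicConstraints CA:TRUE, no otherwise.
is_ca_cert() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}

# Stand-alone run: `sh this_script.sh run`
if [ "${1:-}" = "run" ]; then
  work="$(mktemp -d)"
  build_test_ca "$work"
  issue_server_cert "$work" localhost
  echo "intermediate is a CA:        $(is_ca_cert "$work/mongodb-test-ia.crt")"
  echo "verify against test-ca.pem:  $(verify_server_cert "$work/test-ca.pem" "$work/server.crt")"
  echo "verify against root only:    $(verify_server_cert "$work/mongodb-test-ca.crt" "$work/server.crt")"
  rm -rf "$work"
fi
```

The last two lines of the run output are the point of the check: verification succeeds with test-ca.pem and fails with mongodb-test-ca.crt alone, because the server certificate's issuer is the intermediate, so the bundle handed to mongod, mongos, or mongosh must carry the intermediate as well as the root.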
