mirror of
https://github.com/bigchaindb/bigchaindb.git
synced 2024-10-13 13:34:05 +00:00
b56f8a6213
-- Fixed typos in the guide -- Fixed some syntax errors in commandline instructions -- Fixed strucuture of sample jsons -- Fixed bugs in nginx-https-dep file, it was trying to access an invalid variable in the configmap. -- Improved some docs to give more clarity for the user. Atleast all the issues I faced. :)
88 lines
3.0 KiB
ReStructuredText
88 lines
3.0 KiB
ReStructuredText
How to Generate a Client Certificate for MongoDB
|
|
================================================
|
|
|
|
This page enumerates the steps *we* use to generate a client certificate to be
|
|
used by clients who want to connect to a TLS-secured MongoDB cluster.
|
|
We use Easy-RSA.
|
|
|
|
|
|
Step 1: Install and Configure Easy-RSA
|
|
--------------------------------------
|
|
|
|
First create a directory for the client certificate and cd into it:
|
|
|
|
.. code:: bash
|
|
|
|
mkdir client-cert
|
|
|
|
cd client-cert
|
|
|
|
Then :ref:`install and configure Easy-RSA in that directory <How to Install & Configure Easy-RSA>`.
|
|
|
|
|
|
Step 2: Create the Client Private Key and CSR
|
|
---------------------------------------------
|
|
|
|
You can create the client private key and certificate signing request (CSR)
|
|
by going into the directory ``client-cert/easy-rsa-3.0.1/easyrsa3``
|
|
and using:
|
|
|
|
.. code:: bash
|
|
|
|
./easyrsa init-pki
|
|
|
|
./easyrsa gen-req bdb-instance-0 nopass
|
|
|
|
You should change the Common Name (e.g. ``bdb-instance-0``)
|
|
to a value that reflects what the
|
|
client certificate is being used for, e.g. ``mdb-mon-instance-3`` or ``mdb-bak-instance-4``. (The final integer is specific to your BigchainDB node in the BigchainDB cluster.)
|
|
|
|
You will be prompted to enter the Distinguished Name (DN) information for this certificate. For each field, you can accept the default value [in brackets] by pressing Enter.
|
|
|
|
.. warning::
|
|
|
|
Don't accept the default value of OU (``IT``). Instead, enter the value
|
|
``BigchainDB-Instance``, ``MongoDB-Mon-Instance`` or ``MongoDB-Backup-Instance``
|
|
as appropriate.
|
|
|
|
Aside: The ``nopass`` option means "do not encrypt the private key (default is encrypted)". You can get help with the ``easyrsa`` command (and its subcommands)
|
|
by using the subcommand ``./easyrsa help``.
|
|
|
|
|
|
Step 3: Get the Client Certificate Signed
|
|
-----------------------------------------
|
|
|
|
The CSR file created in the previous step
|
|
should be located in ``pki/reqs/bdb-instance-0.req``
|
|
(or whatever Common Name you used in the ``gen-req`` command above).
|
|
You need to send it to the organization managing the cluster
|
|
so that they can use their CA
|
|
to sign the request.
|
|
(The managing organization should already have a self-signed CA.)
|
|
|
|
If you are the admin of the managing organization's self-signed CA,
|
|
then you can import the CSR and use Easy-RSA to sign it.
|
|
Go to your ``bdb-cluster-ca/easy-rsa-3.0.1/easyrsa3/``
|
|
directory and do something like:
|
|
|
|
.. code:: bash
|
|
|
|
./easyrsa import-req /path/to/bdb-instance-0.req bdb-instance-0
|
|
|
|
./easyrsa sign-req client bdb-instance-0
|
|
|
|
Once you have signed it, you can send the signed certificate
|
|
and the CA certificate back to the requestor.
|
|
The files are ``pki/issued/bdb-instance-0.crt`` and ``pki/ca.crt``.
|
|
|
|
|
|
Step 4: Generate the Consolidated Client PEM File
|
|
-------------------------------------------------
|
|
|
|
MongoDB requires a single, consolidated file containing both the public and
|
|
private keys.
|
|
|
|
.. code:: bash
|
|
|
|
cat /path/to/bdb-instance-0.crt /path/to/bdb-instance-0.key > bdb-instance-0.pem
|