Appendix A - OpenSSL CA Certificate for Testing

Disclaimer

This page is provided for testing purposes only and the certificates are for testing purposes only.

The following tutorial provides some guidelines for creating test x.509 certificates:

  • Do not use these certificates for production. Instead, follow your security policies.
  • For information on OpenSSL, refer to the official OpenSSL docs. Although this tutorial uses OpenSSL, the material should not be taken as an authoritative reference on OpenSSL.

Procedures

The following procedure outlines the steps to create a test CA PEM file. The procedure creates both the CA PEM file and an intermediate authority certificate and key files to sign server/client test certificates.

A. Create the OpenSSL Configuration File

  • Create a configuration file openssl-test-ca.cnf with the following content:

    # NOT FOR PRODUCTION USE. OpenSSL configuration file for testing.

    # For the CA policy
    [ policy_match ]
    countryName = match
    stateOrProvinceName = match
    organizationName = match
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional

    [ req ]
    default_bits = 4096
    default_keyfile = myTestCertificateKey.pem ## The default private key file name.
    default_md = sha256 ## Use SHA-256 for Signatures
    distinguished_name = req_dn
    req_extensions = v3_req
    x509_extensions = v3_ca # The extensions to add to the self signed cert

    [ v3_req ]
    subjectKeyIdentifier = hash
    basicConstraints = CA:FALSE
    keyUsage = critical, digitalSignature, keyEncipherment
    nsComment = "OpenSSL Generated Certificate for TESTING only. NOT FOR PRODUCTION USE."
    extendedKeyUsage = serverAuth, clientAuth

    [ req_dn ]
    countryName = Country Name (2 letter code)
    countryName_default =
    countryName_min = 2
    countryName_max = 2

    stateOrProvinceName = State or Province Name (full name)
    stateOrProvinceName_default = TestCertificateStateName
    stateOrProvinceName_max = 64

    localityName = Locality Name (eg, city)
    localityName_default = TestCertificateLocalityName
    localityName_max = 64

    organizationName = Organization Name (eg, company)
    organizationName_default = TestCertificateOrgName
    organizationName_max = 64

    organizationalUnitName = Organizational Unit Name (eg, section)
    organizationalUnitName_default = TestCertificateOrgUnitName
    organizationalUnitName_max = 64

    commonName = Common Name (eg, YOUR name)
    commonName_max = 64

    [ v3_ca ]
    # Extensions for a typical CA

    subjectKeyIdentifier=hash
    basicConstraints = critical,CA:true
    authorityKeyIdentifier=keyid:always,issuer:always
  • Optional. You can update the default Distinguished Name (DN) values.

B. Generate the Test CA PEM File

  • Create the test CA key file mongodb-test-ca.key.
    openssl genrsa -out mongodb-test-ca.key 4096

Tip

This private key is used to generate valid certificates for the CA. Although this private key, like all files in this appendix, is intended for testing purposes only, you should engage in good security practices and secure this key file.

  • Create the CA certificate mongodb-test-ca.crt using the generated key file. When asked for Distinguished Name values, enter the appropriate values for your test CA certificate.
    openssl req -new -x509 -days 1826 -key mongodb-test-ca.key -out mongodb-test-ca.crt -config openssl-test-ca.cnf
  • Create the private key for the intermediate certificate.
    openssl genrsa -out mongodb-test-ia.key 4096

Tip

This private key is used to generate valid certificates for the intermediate authority. Although this private key, like all files in this appendix, is intended for testing purposes only, you should engage in good security practices and secure this key file.

  • Create the certificate signing request for the intermediate certificate. When asked for Distinguished Name values, enter the appropriate values for your test Intermediate Authority certificate.
    openssl req -new -key mongodb-test-ia.key -out mongodb-test-ia.csr -config openssl-test-ca.cnf
  • Create the intermediate certificate mongodb-test-ia.crt.
    openssl x509 -sha256 -req -days 730 -in mongodb-test-ia.csr -CA mongodb-test-ca.crt -CAkey mongodb-test-ca.key -set_serial 01 -out mongodb-test-ia.crt -extfile openssl-test-ca.cnf -extensions v3_ca
  • Create the test CA PEM file from the test CA certificate mongodb-test-ca.crt and test intermediate certificate mongodb-test-ia.crt.
    cat mongodb-test-ca.crt mongodb-test-ia.crt > test-ca.pem
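A non-interactive run of the steps in section B, followed by the check a practitioner wants before using the result: `openssl verify` of the intermediate against the root, and a confirmation that the intermediate really carries CA:TRUE. This is an added example, not part of the original appendix; it passes the DN with -subj instead of answering prompts, trims the config to the sections these commands actually read, and uses 2048-bit keys so it runs quickly; the subject values are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: runs the appendix's procedure
# non-interactively in a scratch directory, then checks the result with
# `openssl verify`. DN values and the 2048-bit key size are demo assumptions.
set -eu
# Hypothetical subjects; the fields mirror the [req_dn] defaults on the page.
CA_SUBJ="/C=US/ST=TestCertificateStateName/O=TestCertificateOrgName/CN=Test Root CA"
IA_SUBJ="/C=US/ST=TestCertificateStateName/O=TestCertificateOrgName/CN=Test Intermediate CA"
# Writes a cut-down openssl-test-ca.cnf: only the sections these commands read.
write_cnf() {
  cat > "$1/openssl-test-ca.cnf" <<'EOF'
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_dn
req_extensions = v3_req
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier = hash
basicConstraints = critical,CA:true
authorityKeyIdentifier = keyid:always,issuer:always
EOF
}

# Builds root + intermediate in $1 (the five steps of section B) and writes test-ca.pem.
build_test_chain() {
  dir="$1"; write_cnf "$dir"; cnf="$dir/openssl-test-ca.cnf"
  openssl genrsa -out "$dir/mongodb-test-ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 1826 -key "$dir/mongodb-test-ca.key" \
    -out "$dir/mongodb-test-ca.crt" -config "$cnf" -subj "$CA_SUBJ"
  openssl genrsa -out "$dir/mongodb-test-ia.key" 2048 2>/dev/null
  openssl req -new -key "$dir/mongodb-test-ia.key" -out "$dir/mongodb-test-ia.csr" \
    -config "$cnf" -subj "$IA_SUBJ"
  openssl x509 -sha256 -req -days 730 -in "$dir/mongodb-test-ia.csr" \
    -CA "$dir/mongodb-test-ca.crt" -CAkey "$dir/mongodb-test-ca.key" -set_serial 01 \
    -out "$dir/mongodb-test-ia.crt" -extfile "$cnf" -extensions v3_ca 2>/dev/null
  cat "$dir/mongodb-test-ca.crt" "$dir/mongodb-test-ia.crt" > "$dir/test-ca.pem"
}

# Returns 0 only if the intermediate chains to the root and carries CA:TRUE.
verify_test_chain() {
  openssl verify -CAfile "$1/mongodb-test-ca.crt" "$1/mongodb-test-ia.crt" >/dev/null &&
    openssl x509 -in "$1/mongodb-test-ia.crt" -noout -text | grep -q 'CA:TRUE'
}
```

If the second check fails, the intermediate was signed without `-extensions v3_ca` and cannot itself issue the server/client certificates described below.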

You can use the test PEM file when configuring mongod, mongos, or mongo for TLS/SSL testing.

You can use the test intermediate authority to sign the test certificates for both the server(s) and client(s). A single authority must issue the certificates for both the client and the server.
