MongoDB SSL自签证书生成、应用和连接

最新推荐文章于 2024-06-03 19:47:07 发布

seek_dreamer

最新推荐文章于 2024-06-03 19:47:07 发布

阅读量1.9k

点赞数 1

分类专栏： mongo

本文链接：https://blog.csdn.net/muruibin88/article/details/107375493

版权

mongo 专栏收录该内容

2 篇文章 0 订阅

订阅专栏

参考博客

代码连接参考

环境版本

MongoDB server version: 4.0.11

生成SSL配置

１服务器端证书配置

1.1 生成ca.pem

openssl req -out ca.pem -new -x509 -days 3650
# 此处会要求配置ca.pem密码，后续将会用到

1.2生成server.pem

# 生成服务器端私钥
$ openssl genrsa -out server.key 2048
# 生成服务器端申请文件
$ openssl req -key server.key -new -out server.req
# 生成服务器端证书
$ openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAcreateserial -out server.crt -days 3650
# 合并服务器端私钥和服务器端证书，生成server.pem
$ cat server.key server.crt > server.pem
# 校验服务器端pem文件
$ openssl verify -CAfile ca.pem server.pem
server.pem: OK

2 生成client.pem

# 生成客户端私钥
$ openssl genrsa -out client.key 2048
# 生成客户端申请文件
$ openssl req -key client.key -new -out client.req
# 生成客户端证书
$ openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAserial ca.srl  -out client.crt -days 3650
# 合并客户端私钥和客户端证书，生成client.pem
$ cat client.key client.crt > client.pem
# 校验客户端pem文件
$ openssl verify -CAfile ca.pem client.pem
client.pem: OK

docker-compose启动mongo docker

1 mongodb.conf 配置

# mongod.conf

# for documentation of all options, see:
#   http://docs.mongodb.org/manual/reference/configuration-options/

# Where and how to store data.
#storage:
#  dbPath: /var/lib/mongodb
#  journal:
#    enabled: true
#  engine:
#  mmapv1:
#  wiredTiger:

# where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log

# network interfaces
net:
  port: 27017
  bindIp: 0.0.0.0
  ssl:
    mode: requireSSL
    PEMKeyFile: /data/configssl/server.pem
    CAFile: /data/configssl/ca.pem
    allowInvalidHostnames: true
    allowInvalidCertificates: true

# how the process runs
#processManagement:
#  timeZoneInfo: /usr/share/zoneinfo

#security:

#operationProfiling:

#replication:

#sharding:

## Enterprise-Only Options:

#auditLog:

#snmp:

２docker-compose.yaml文件配置

version: '2.1'
services:
    mongo_ssl:
      image: docker-reg.xxx.com/library/mongo:latest
      container_name: mongo_ssl
      ports:
        - "27020:27017"
      environment:
        TZ: Asia/Shanghai
      volumes:
        - /opt/infrastructure/volumes/mongo_ssl/db:/data/db
        - /opt/infrastructure/volumes/mongo_ssl/configssl:/data/configssl
      entrypoint:
        - bash
        - -c
        - /usr/bin/mongod --quiet --config /data/configssl/mongod.conf
      restart: always
      logging:
        options:
          max-size: "5M"
          max-file: "10"
        driver: json-file

3 启动mongo

docker-compose -f docker-compose-mongo-ssl.yaml up -d

4 客户端连接（robo3t）

注意：server和client的common name一致，但是不同于生成ca.pem的,且格式类似于xx.net 或者xx.com

以下是生成过程的日志，请参考

$ openssl req -out ca.pem -new -x509 -days 3650
Generating a 2048 bit RSA private key
.................+++
............................................................................+++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:JiangSu
Locality Name (eg, city) []:SuZhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mrb
Organizational Unit Name (eg, section) []:mrb
Common Name (e.g. server FQDN or YOUR name) []:mrb.com
Email Address []:
$ openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
........................+++
.........................................................................................................................................+++
e is 65537 (0x10001)
$ openssl req -key server.key -new -out server.req
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:JiangSu
Locality Name (eg, city) []:SuZhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mrb
Organizational Unit Name (eg, section) []:mrb 
Common Name (e.g. server FQDN or YOUR name) []:mrb1.com
Email Address []:mrb@eco.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1234567
An optional company name []:mrb
$ 
$ openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAcreateserial -out server.crt -days 3650
Signature ok
subject=/C=CN/ST=JiangSu/L=SuZhou/O=mrb/OU=mrb/CN=mrb1/emailAddress=mrb@eco.com
Getting CA Private Key
Enter pass phrase for privkey.pem:
$ cat server.key server.crt > server.pem
$ openssl verify -CAfile ca.pem server.pem
server.pem: OK
$ 
$ 
$ openssl genrsa -out client.key 2048
Generating RSA private key, 2048 bit long modulus
......................................................................................+++
.........................................................+++
e is 65537 (0x10001)
$ openssl req -key client.key -new -out client.req
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:JiangSu
Locality Name (eg, city) []:SuZhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mrb
Organizational Unit Name (eg, section) []:mrb
Common Name (e.g. server FQDN or YOUR name) []:mrb1.com
Email Address []:mrb@eco.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1234567
An optional company name []:mrb
$ openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAserial ca.srl  -out client.crt -days 3650
Signature ok
subject=/C=CN/ST=JiangSu/L=SuZhou/O=mrb/OU=mrb/CN=mrb1/emailAddress=mrb@eco.com
Getting CA Private Key
Enter pass phrase for privkey.pem:
$ cat client.key client.crt > client.pem
$ openssl verify -CAfile ca.pem client.pem
client.pem: OK

seek_dreamer

关注

1
点赞
踩
3

收藏

觉得还不错? 一键收藏
1
评论
MongoDB SSL自签证书生成、应用和连接

参考博客代码连接参考环境版本MongoDB server version: 4.0.11生成SSL配置１服务器端证书配置 1.1生成ca.pemopenssl req -out ca.pem -new -x509 -days 3650# 此处会要求配置ca.pem密码，后续将会用到 1.2生成server.pem# 生成服务器端私钥$ openssl genrsa -out server.key 2048# 生成服务器端申请文件$ openssl ...
复制链接

扫一扫