0

This may be a really dumb question but I'm struggling to understand how exactly this works.

I'm working with MongoDB. I have 3 files: server.pem, client.pem and ca.pem. I need to use them to internally authenticate the members of a replica set.

All three of them are similar. The first question is: why do I need three of them? What is the purpose of each one?

I also have an assignment in which I have to say if each of these three must contain a certificate and a key in order to work. I don't want a direct answer to this, but I'd like to know if this is something related to the x.509 standard or to MongoDB itself and where to look for an answer.

I've been documenting here and on Google (mostly Wikipedia) but I didn't find this topic addressed anywhere.

Any help is appreciated.

Thank you

Aurasphere
  • 1
    server.pem is your server certificate | client.pem is your client certificate | ca.pem is your root or intermediate certificate used to sign these 2 certificates above. | => this is related to openssl, not to mongodb | About your question, it seems not related to x.509. Are you trying to just run a MongoDB ReplicaSet with authentication? – bappr May 15 '17 at 08:24
  • @bappr yes, that's exactly what I'm trying to do. Thank you for the explanation but I'm not really understanding the role of the root (CA) certificate here. Could you elaborate a bit more? – Aurasphere May 15 '17 at 08:28
  • OK. That's understandable because you don't need any certificate to configure authentication between nodes of a replicaset. Only use a key generated manually and provide this key to each of your nodes. https://docs.mongodb.com/v3.0/tutorial/enable-internal-authentication/ – bappr May 15 '17 at 08:32
  • Yeah, I've already read that (it's linked in the post actually). I know how to use internal authentication with key files but I need to do it with x.509 certs for this task. I would like to know if the pem files also have to contain the keys along with the certificate, backed up with an official documentation link. – Aurasphere May 15 '17 at 08:34
  • OK understood! -_- Yes, the pem files must have the keys. Please note that for a 3-node ReplicaSet, you will need 3 server certs. You can find good documentation here: mongodb.com/blog/post/secure-mongodb-with-x-509-authentication – bappr May 15 '17 at 09:29
  • 1
    @Aurasphere I'm going to post a full answer, but not until the assignment deadline has passed I'm afraid. I recognised your question from the MongoDB university course - I'm taking it too :)- – Vince Bowdren May 16 '17 at 15:35
  • @VinceBowdren yeah, if you look in the discussion on the MongoDB class you will find the same question there and I've got some suggestions from the moderator about this already. If you ask me, that question was a bit ambiguous compared to the others – Aurasphere May 16 '17 at 15:47

1 Answer

2

The MongoDB tutorial on Using x.509 Certificates for Membership Authentication is an excellent guide to the requirements, but here's a guide which explains in the context of the certificates you've been given.

The certificates you need are:

  1. The certificate (not including the private key) of your certification authority (CA)
  2. For each node in your replica set, a private key
  3. For each node in your replica set, a certificate which:
    • is based on that private key
    • is issued by that same CA
    • identifies the server by name

Note that in a normal replica set where the nodes are running on different servers, each node will need its own certificate. In your assignment, you have been issued a single server certificate, to be used by every node; that will only work if every node is running on the same server.

That specific set of components is required for the following reasons:

  1. The CA's private key should only be known to the CA itself.
  2. When node A establishes communication with node B, it needs to verify node B's identity; it does so by node B showing its certificate (not including the private key) to node A.
  3. Node A uses the CA's certificate to verify node B's certificate (and thus identity)
  4. Similarly, Node B uses the CA's certificate to verify node A's certificate (and thus identity)
  5. For encrypted communication between nodes A and B, node A must encrypt its outgoing messages using its own private key; the most convenient place to keep this is alongside its certificate, in the pem file. This private key is not shared with any other agent.
  6. Similarly, node B's pem file includes node B's private key, for node B's own use only.

So in summary, each node needs to have:

  1. the CA's certificate
  2. the node's own private key
  3. the node's own certificate

Those map to the files you've been supplied with as follows:

  • ca.pem has the CA's certificate, and nothing else.
  • server.pem contains both the node's certificate and private key, for convenience.
  • client.pem is not needed at all; presumably that will be used later, when a client wants to connect to the running replica set.
Vince Bowdren
  • Thank you for the explanation. I've read the docs many times and yet did not find this structure anywhere there nor in the videos. This should have been explained like this in the first place. BTW, I got that answer right. What made me figure out the right answer was the CA's private key that you shouldn't have. But your explanation made me understand everything way better. Thank you! – Aurasphere May 17 '17 at 06:42
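
The file layout described in the answer above (ca.pem holding only a certificate, server.pem holding a certificate plus the node's private key) can be checked mechanically. This is an added example, not part of the original question or answer: `pem_labels`, `check_layout`, the role names and the sample blocks are assumptions made for illustration, and it inspects PEM block structure only, without validating signatures or the certificate chain.

```python
import base64
import re

# RFC 7468 textual encoding: -----BEGIN <label>----- base64 -----END <label>-----
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}


def pem_labels(text):
    """Return the label of every well-formed PEM block, in file order."""
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der.startswith(b"\x30"):  # certificates and keys are DER SEQUENCEs
            raise ValueError(f"{label}: body is not a DER SEQUENCE")
        labels.append(label)
    return labels


def check_layout(role, text):
    """Return the ways a PEM file deviates from the layout in the answer."""
    labels = pem_labels(text)
    certs = labels.count("CERTIFICATE")
    keys = sum(1 for label in labels if label in KEY_LABELS)
    problems = []
    if certs == 0:
        problems.append("no certificate")
    if role == "ca" and keys:  # the CA's private key stays with the CA
        problems.append("CA file contains a private key")
    if role == "node" and keys != 1:  # a node needs its own key, and only that
        problems.append(f"expected exactly 1 private key, found {keys}")
    return problems


def _pem(label, der=b"\x30\x03\x02\x01\x00"):
    """Constructed sample block: a tiny DER SEQUENCE, not a real cert or key."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


# Constructed stand-ins for the files named in the question.
CA_PEM = _pem("CERTIFICATE")
SERVER_PEM = _pem("CERTIFICATE") + _pem("PRIVATE KEY")
LEAKY_CA_PEM = _pem("CERTIFICATE") + _pem("RSA PRIVATE KEY")
```

To inspect real files, pass their contents, for example `check_layout("node", open("server.pem").read())`.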