mongodb
diff --git a/‎source/appendix/security.txt
Lines changed: 13 additions & 0 deletions b/‎source/appendix/security.txt
Lines changed: 13 additions & 0 deletions
diff --git a/‎source/appendix/security/appendixA-openssl-ca.txt
Lines changed: 170 additions & 0 deletions b/‎source/appendix/security/appendixA-openssl-ca.txt
Lines changed: 170 additions & 0 deletions
diff --git a/‎source/appendix/security/appendixB-openssl-server.txt
Lines changed: 191 additions & 0 deletions b/‎source/appendix/security/appendixB-openssl-server.txt
Lines changed: 191 additions & 0 deletions
@@ -0,0 +1,13 @@
+========
+Appendix
+========
+
+.. default-domain:: mongodb
+
+
+.. toctree::
+   :titlesonly:
+
+   /appendix/security/appendixA-openssl-ca
+   /appendix/security/appendixB-openssl-server
+   /appendix/security/appendixC-openssl-client
@@ -0,0 +1,170 @@
+.. _appendix-ca-certificate:
+
+===============================================
+Appendix A - OpenSSL CA Certificate for Testing
+===============================================
+
+.. default-domain:: mongodb
+
+.. admonition:: Testing Purposes Only
+   :class: warning
+
+   The following tutorial provides some guidelines for creating 
+   test x.509 certificates:
+
+   - Do not use these certificates for production. Instead, follow your
+     security policies.
+
+   - For information on OpenSSL, refer to the official OpenSSL docs.
+     Although this tutorial uses OpenSSL, the material should not be
+     taken as an authoritative reference on OpenSSL.
+
+Procedures
+----------
+
+The following procedures outlines the steps to create a test CA PEM
+file. The procedure creates both the CA PEM file and an intermediate
+authority certificate and key files to sign server/client test
+certificates.
+
+A. Create the OpenSSL Configuration File
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+#. Create a configuration file ``openssl-test-ca.cnf`` with the
+   following content:
+
+   .. code-block:: cfg
+      :emphasize-lines: 29,34,38,42,46
+
+      # NOT FOR PRODUCTION USE. OpenSSL configuration file for testing. 
+      
+      # For the CA policy
+      [ policy_match ]
+      countryName = match
+      stateOrProvinceName = match
+      organizationName = match
+      organizationalUnitName = optional
+      commonName = supplied
+      emailAddress = optional
+
+      [ req ]
+      default_bits = 4096
+      default_keyfile = myTestCertificateKey.pem    ## The default private key file name. 
+      default_md = sha256                           ## Use SHA-256 for Signatures
+      distinguished_name = req_dn
+      req_extensions = v3_req
+      x509_extensions = v3_ca # The extentions to add to the self signed cert
+
+      [ v3_req ]
+      subjectKeyIdentifier  = hash
+      basicConstraints = CA:FALSE
+      keyUsage = critical, digitalSignature, keyEncipherment
+      nsComment = "OpenSSL Generated Certificate for TESTING only.  NOT FOR PRODUCTION USE."
+      extendedKeyUsage  = serverAuth, clientAuth
+
+      [ req_dn ]
+      countryName = Country Name (2 letter code)
+      countryName_default = 
+      countryName_min = 2
+      countryName_max = 2
+
+      stateOrProvinceName = State or Province Name (full name)
+      stateOrProvinceName_default = TestCertificateStateName 
+      stateOrProvinceName_max = 64
+
+      localityName = Locality Name (eg, city)
+      localityName_default = TestCertificateLocalityName
+      localityName_max = 64
+
+      organizationName = Organization Name (eg, company)
+      organizationName_default = TestCertificateOrgName
+      organizationName_max = 64
+
+      organizationalUnitName = Organizational Unit Name (eg, section)
+      organizationalUnitName_default = TestCertificateOrgUnitName 
+      organizationalUnitName_max = 64
+
+      commonName = Common Name (eg, YOUR name)
+      commonName_max = 64
+
+      [ v3_ca ]
+      # Extensions for a typical CA
+
+      subjectKeyIdentifier=hash
+      basicConstraints = critical,CA:true
+      authorityKeyIdentifier=keyid:always,issuer:always
+
+#. *Optional*. You can update the default Distinguished Name (DN)
+   values.
+
+B. Generate the Test CA PEM File
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+#. Create the CA key file :file:`mongodb-test-ca.key`. 
+
+   .. code-block:: sh
+
+      openssl genrsa -out mongodb-test-ca.key 4096
+
+   .. tip::
+
+      This private key is used to generate valid certificates for the
+      CA. Although this private key, like all files in this appendix,
+      is intended for testing purposes only, you should engage in good
+      security practices and secure this key file.
+
+#. Create the CA certificate :file:`mongod-test-ca.crt` using the
+   generated key file. When asked for Distinguished Name values, enter
+   the appropriate values for your test CA certificate.
+
+   .. code-block:: sh
+
+      openssl req -new -x509 -days 1826 -key mongodb-test-ca.key -out mongodb-test-ca.crt -config openssl-test-ca.cnf
+
+#. Create the private key for the intermediate certificate.
+
+   .. code-block:: sh
+
+      openssl genrsa -out mongodb-test-ia.key 4096
+
+   .. tip::
+
+      This private key is used to generate valid certificates for the
+      intermediate authority. Although this private key, like all files
+      in this appendix, is intended for testing purposes only, you
+      should engage in good security practices and secure this key file.
+
+#. Create the certificate signing request for the intermediate
+   certificate. When asked for Distinguished Name values, enter the
+   appropriate values for your test Intermediate Authority certificate.
+
+   .. code-block:: sh
+
+      openssl req -new -key mongodb-test-ia.key -out mongodb-test-ia.csr -config openssl-test-ca.cnf
+
+#. Create the intermediate certificate :file:`mongodb-test-ia.crt`.
+
+   .. code-block:: sh
+
+      openssl x509 -sha256 -req -days 730 -in mongodb-test-ia.csr -CA mongodb-test-ca.crt -CAkey mongodb-test-ca.key -set_serial 01 -out mongodb-test-ia.crt -extfile openssl-test-ca.cnf -extensions v3_ca
+
+#. Create the test CA PEM file from the test CA certificate  :file:`mongod-test-ca.crt` and
+   test intermediate certificate :file:`mongodb-test-ia.crt`.
+
+   .. code-block:: sh
+
+      cat mongodb-test-ca.crt mongodb-test-ia.crt  > test-ca.pem
+
+You can use the test PEM file when configuring :binary:`~bin.mongod`,
+:binary:`~bin.mongod`, or :binary:`~bin.mongo` for TLS/SSL testing.
+
+You can use the test intermediate authority to sign the test
+certificates for both the server(s) and client(s). A single authority
+must issue the certificates for both the client and the server.
+
+      
+
+.. seealso::
+
+   - :ref:`appendix-server-certificate`
+   - :ref:`appendix-client-certificate`
@@ -0,0 +1,191 @@
+.. _appendix-server-certificate:
+
+====================================================
+Appendix B - OpenSSL Server Certificates for Testing
+====================================================
+
+.. default-domain:: mongodb
+
+.. admonition:: Testing Purposes Only
+   :class: warning
+
+   The following tutorial provides some basic steps for creating
+   test x.509 certificates:
+
+   - Do not use these certificates for production. Instead, follow your
+     security policies.
+
+   - For information on OpenSSL, refer to the official OpenSSL docs.
+     Although this tutorial uses OpenSSL, the material should not be
+     taken as an authoritative reference on OpenSSL.
+
+Prerequisite
+------------
+
+The procedure outlined on this page uses the intermediate authority
+certificate and key :file:`mongodb-test-ia.crt` and :file:`mongodb-test-ia.key`
+created in :doc:`/appendix/security/appendixA-openssl-ca` .
+
+Procedure
+---------
+
+The following procedure outlines the steps to create test certificates
+for MongoDB servers. For steps to create test certificates for MongoDB
+clients, see :doc:`/appendix/security/appendixC-openssl-client`.
+
+A. Create the OpenSSL Configuration File
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+#. Create a test configuration file ``openssl-test-server.cnf`` for
+   your server with the following content:
+
+   .. code-block:: cfg
+      :emphasize-lines: 20-21,25,30,34,38,42
+
+      # NOT FOR PRODUCTION USE. OpenSSL configuration file for testing.
+
+      [ req ]
+      default_bits = 4096
+      default_keyfile = myTestServerCertificateKey.pem    ## The default private key file name.
+      default_md = sha256
+      distinguished_name = req_dn
+      req_extensions = v3_req
+
+      [ v3_req ]
+      subjectKeyIdentifier  = hash
+      basicConstraints = CA:FALSE
+      keyUsage = critical, digitalSignature, keyEncipherment
+      nsComment = "OpenSSL Generated Certificate for TESTING only.  NOT FOR PRODUCTION USE."
+      extendedKeyUsage  = serverAuth, clientAuth
+      subjectAltName = @alt_names
+
+      [ alt_names ]
+      DNS.1 =         ##TODO: Enter the DNS names. The DNS names should match the server names.
+      DNS.2 =         ##TODO: Enter the DNS names. The DNS names should match the server names.
+
+      [ req_dn ]
+      countryName = Country Name (2 letter code)
+      countryName_default =
+      countryName_min = 2
+      countryName_max = 2
+
+      stateOrProvinceName = State or Province Name (full name)
+      stateOrProvinceName_default = TestServerCertificateState
+      stateOrProvinceName_max = 64
+
+      localityName = Locality Name (eg, city)
+      localityName_default = TestServerCertificateLocality
+      localityName_max = 64
+
+      organizationName = Organization Name (eg, company)
+      organizationName_default = TestServerCertificateOrg
+      organizationName_max = 64
+
+      organizationalUnitName = Organizational Unit Name (eg, section)
+      organizationalUnitName_default = TestServerCertificateOrgUnit
+      organizationalUnitName_max = 64
+
+      commonName = Common Name (eg, YOUR name)
+      commonName_max = 64
+
+#. In the ``[alt_names]`` section, enter the appropriate
+   DNS names specific for the MongoDB server. You can
+   specify multiple DNS names a MongoDB server.
+
+#. *Optional*. You can update the default Distinguished Name (DN)
+   values. 
+
+.. tip::
+
+   - Specify a non-empty value for at least one of the following
+     attributes: Organization (``O``), the Organizational Unit
+     (``OU``), or the Domain Component (``DC``).
+
+   - When creating test server certificates for internal membership
+     authentication, the following attributes, if specified, must match
+     exactly across the member certificates: Organization (``O``),
+     Organizational Unit (``OU``), the Domain Component (``DC``).
+
+B. Generate the Test PEM File for Server
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. important::
+
+   Before proceeding, ensure that you have entered the
+   appropriate DNS names in the ``[alt_names]`` section of the
+   configuration file ``openssl-test-server.cnf``.
+
+#. Create the test key file :file:`mongodb-test-server1.key`.
+
+   .. code-block:: sh
+
+      openssl genrsa -out mongodb-test-server1.key 4096
+
+#. Create the test certificate signing request :file:`mongodb-test-server1.csr`.
+
+   When asked for Distinguished Name values, enter the appropriate
+   values for your test certificate:
+
+   - Specify a non-empty value for at least one of the following
+     attributes: Organization (``O``), the Organizational Unit
+     (``OU``), or the Domain Component (``DC``).
+
+   - When creating test server certificates for internal membership
+     authentication, the following attributes, if specified, must match
+     exactly across the member certificates: Organization (``O``),
+     Organizational Unit (``OU``), the Domain Component (``DC``).
+
+   .. code-block:: sh
+
+      openssl req -new -key mongodb-test-server1.key -out mongodb-test-server1.csr -config openssl-test-server.cnf
+
+#. Create the test server certificate :file:`mongodb-test-server1.crt`.
+
+   .. code-block:: sh
+
+      openssl x509 -sha256 -req -days 365 -in mongodb-test-server1.csr -CA mongodb-test-ia.crt -CAkey mongodb-test-ia.key -CAcreateserial -out mongodb-test-server1.crt -extfile openssl-test-server.cnf -extensions v3_req
+
+#. Create the test PEM file for the server.
+
+   .. code-block:: sh
+
+      cat mongodb-test-server1.crt mongodb-test-server1.key > test-server1.pem
+
+   You can use the test PEM file when configuring a
+   :binary:`~bin.mongod` or a :binary:`~bin.mongos` for TLS/SSL
+   testing; e.g.
+
+   .. code-block:: javascript
+
+      mongod --sslMode requireSSL --sslPEMKeyFile test-server1.pem  --sslCAFile test-ca.pem
+
+
+   On macOS,
+      If you are testing with Keychain Access to manage
+      certificates, create a pkcs-12 file to add to Keychain Access
+      instead of a PEM file:
+
+      .. code-block:: sh
+
+         openssl pkcs12 -export -out test-server1.pfx -inkey mongodb-test-server1.key -in mongodb-test-server1.crt -certfile mongodb-test-ia.crt
+
+      Once added to Keychain Access, instead of specifying the PEM Key
+      file, you can use the :option:`--sslCertificateSelector <mongod
+      --sslCertificateSelector>` to specify the certificate to use. If
+      the CA pem file is also in Keychain Access, you can omit
+      ``--sslCAFile`` as well.
+
+      .. code-block:: javascript
+
+         mongod --sslMode requireSSL --sslCertificateSelector subject="TestServerCertificateCommonName"
+
+      For adding certificates to Keychain Access, refer to your
+      official documentation for Keychain Access.
+
+.. seealso::
+
+   - :ref:`appendix-ca-certificate`
+
+   - :ref:`appendix-client-certificate`
+
+   - :ref:`x509-member-certificate`