
x.509 PEM certificate structure


This may be a really dumb question, but I'm struggling to understand how exactly this works.

I'm working with MongoDB. I have 3 files: server.pem, client.pem and ca.pem. I need to use them to internally authenticate the members of a replica set.

All three of them are similar. The first question is: why do I need three of them? What is the purpose of each one?

I also have an assignment in which I have to say if each of these three must contain a certificate and a key in order to work. I don't want a direct answer to this, but I'd like to know if this is something related to the x.509 standard or to MongoDB itself and where to look for an answer.

I've been documenting here and on Google (mostly Wikipedia) but I didn't find this topic addressed anywhere.

Any help is appreciated.

Thank you


Solution

  • The MongoDB tutorial on Using x.509 Certificates for Membership Authentication is an excellent guide to the requirements, but here's a guide which explains them in the context of the certificates you've been given.

    The certificates you need are:

    1. The certificate (not including the private key) of your certification authority (CA)
    2. For each node in your replica set, a private key
    3. For each node in your replica set, a certificate which:
      • is based on that private key
      • is issued by that same CA
      • identifies the server by name

    Note that in a normal replica set where the nodes are running on different servers, each node will need its own certificate. In your assignment, you have been issued a single server certificate, to be used by every node; that will only work if every node is running on the same server.

    That specific set of components is required for the following reasons:

    1. The CA's private key should only be known to the CA itself.
    2. When node A establishes communication with node B, it needs to verify node B's identity; it does so by node B showing its certificate (not including the private key) to node A.
    3. Node A uses the CA's certificate to verify node B's certificate (and thus identity).
    4. Similarly, node B uses the CA's certificate to verify node A's certificate (and thus identity).
    5. For encrypted communication between nodes A and B, node A must encrypt its outgoing messages using its own private key; the most convenient place to keep this is alongside its certificate, in the pem file. This private key is not shared with any other agent.
    6. Similarly, node B's pem file includes node B's private key, for node B's own use only.

    So in summary, each node needs to have:

    1. the CA's certificate
    2. the node's own private key
    3. the node's own certificate

    Those map to the files you've been supplied with as follows:

    • ca.pem has the CA's certificate, and nothing else.
    • server.pem contains both the node's certificate and private key, for convenience.
    • client.pem is not needed at all; presumably that will be used later, when a client wants to connect to the running replica set.
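
To see for yourself what each of the three files holds, you can list the PEM blocks inside it. The following is an added example, not part of the original answer and not MongoDB code: it parses PEM framing and checks a file against the layout the answer describes for a CA file and a node file. The function names, role names, and sample contents are assumptions; the samples are constructed dummy data, not real certificates or keys.

```python
import base64
import re

# RFC 7468 textual encoding: -----BEGIN <label>----- base64 -----END <label>-----
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def pem_labels(text):
    """Return the label of every well-formed PEM block in text, in order."""
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        # Raises binascii.Error if the body is not clean base64
        # (legacy "Proc-Type" header lines are not supported here).
        base64.b64decode("".join(body.split()), validate=True)
        labels.append(label)
    return labels

def check_role(text, role):
    """Check a PEM file against the layout the answer describes (hypothetical helper).

    role "ca":   certificates only, no private key.
    role "node": at least one certificate and exactly one private key.
    Returns a list of problems; an empty list means the layout is as expected.
    """
    labels = pem_labels(text)
    certs = [l for l in labels if l == "CERTIFICATE"]
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    problems = []
    if not certs:
        problems.append("no certificate block")
    if role == "ca" and keys:
        problems.append("CA file must not contain a private key")
    if role == "node" and len(keys) != 1:
        problems.append(f"expected 1 private key, found {len(keys)}")
    return problems

def _block(label, payload):
    # Constructed stand-in: valid PEM framing around dummy bytes.
    return (f"-----BEGIN {label}-----\n"
            f"{base64.b64encode(payload).decode()}\n-----END {label}-----\n")

# Constructed sample files mirroring the layout described in the answer.
CA_PEM = _block("CERTIFICATE", b"dummy CA certificate")
SERVER_PEM = (_block("CERTIFICATE", b"dummy node certificate")
              + _block("PRIVATE KEY", b"dummy node key"))

if __name__ == "__main__":
    for name, text, role in [("ca.pem", CA_PEM, "ca"), ("server.pem", SERVER_PEM, "node")]:
        print(name, pem_labels(text), check_role(text, role) or "ok")
```

To run it on the real files, pass the result of `open("server.pem").read()` instead of the constructed samples.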