Sam Frank 5f89b25908 SERVER-125887 Add support for encrypted PEM files for gRPC egress (#53238)
Co-authored-by: Erwin Pe <erwin.pe@mongodb.com>
GitOrigin-RevId: 071e3964bf43e7fa728a5df6390e0b960e335bdf
2026-05-07 20:21:29 +00:00


# Definitions for certificates for main certificate generation (the generate_main_certificates
# target).
#
# The value is a JSON-encoded document consumed by the certificate generator. Shape, as far as
# this file shows it:
#   "global"  - fields applied to every certificate (here a default Subject).
#   "certs"   - ordered list of certificate definitions. Each entry carries a "name" (output file),
#               a "description", usually a "Subject", an "Issuer" ("self" or the name of another
#               entry in this list), a "keyfile", and optionally "extensions", "explicit_subject",
#               "split_cert_and_key", "append_cert", "serial", "passphrase", "not_before"/"not_after".
#   "crls"    - list of CRL file names.
# Key/passphrase values referenced here are fixtures for the generated test certificate set.
# Ordering matters for readers that resolve "Issuer" by name: every issuer is defined before the
# certificates it signs (e.g. ca.pem first, intermediate-ca.pem before server-intermediate-ca.pem).
certs_def = json.encode({
# Defaults merged into each certificate's Subject. Entries that set "explicit_subject": True
# appear to opt out of this merge (server_no_subject.pem has no Subject at all) - TODO confirm
# against the generator.
"global": {
"Subject": {
"C": "US",
"ST": "New York",
"L": "New York City",
"O": "MongoDB",
"OU": "Kernel",
},
},
"certs": [
{
# Primary root. Note that ca_ocsp.pem below uses the same CN, so with the global fields merged
# both roots end up with an identical Subject DN.
"name": "ca.pem",
"description": "Primary Root Certificate Authority Most Certificates are issued by this CA.",
"Subject": {
"CN": "Kernel Test CA",
},
"Issuer": "self",
"keyfile": "ca_key.pem",
"extensions": {
"basicConstraints": {
"critical": True,
"CA": True,
},
},
},
{
"name": "badSAN.pem",
"description": "Certificate with an otherwise permissible CommonName, but with an unmatchable SubjectAlternateName.",
"Subject": {
"CN": "127.0.0.1",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
"basicConstraints": {
"CA": False,
},
"keyUsage": [
"digitalSignature",
"keyEncipherment",
],
"extendedKeyUsage": [
"serverAuth",
],
# "DNS"/"IP" take either a single string (here) or a list (see localhostnameSAN.pem); the
# consumer has to accept both shapes.
"subjectAltName": {
"DNS": "badSAN",
},
"subjectKeyIdentifier": "hash",
},
},
{
# Subject attributes may be given by short name or by dotted OID (2.5.4.x is the X.520
# attribute-type arc).
"name": "client-all-the-oids.pem",
"description": "Client certificate with a long list of OIDs. Ensures the server functions well in unexpected circumstances.",
"explicit_subject": True,
"Subject": {
"CN": "Datum-3",
"SN": "Datum-4",
"serialNumber": "Datum-5",
"C": "US",
"L": "Datum-7",
"ST": "NY",
"streetAddress": "Datum-9",
"O": "Datum-10",
"OU": "Datum-11",
"title": "Datum-12",
"2.5.4.13": "Datum-13",
"2.5.4.14": "Datum-14",
"2.5.4.15": "Datum-15",
"2.5.4.16": "Datum-16",
"2.5.4.17": "Datum-17",
"2.5.4.18": "Datum-18",
"2.5.4.19": "Datum-19",
"2.5.4.20": "Datum-20",
"2.5.4.21": "Datum-21",
"2.5.4.22": "Datum-22",
"2.5.4.23": "Datum-23",
"2.5.4.24": "Datum-24",
"2.5.4.25": "Datum-25",
"2.5.4.26": "Datum-26",
"2.5.4.27": "Datum-27",
"2.5.4.28": "Datum-28",
"2.5.4.29": "Datum-29",
"2.5.4.30": "Datum-30",
"2.5.4.31": "Datum-31",
"2.5.4.32": "Datum-32",
"2.5.4.33": "Datum-33",
"2.5.4.34": "Datum-34",
"2.5.4.35": "Datum-35",
"2.5.4.36": "Datum-36",
"2.5.4.37": "Datum-37",
"2.5.4.38": "Datum-38",
"2.5.4.39": "Datum-39",
"2.5.4.40": "Datum-40",
"2.5.4.41": "Datum-41",
"2.5.4.42": "Datum-42",
"2.5.4.43": "Datum-43",
"2.5.4.44": "Datum-44",
"2.5.4.45": "Datum-45",
"2.5.4.46": "Datum-46",
"2.5.4.47": "Datum-47",
"2.5.4.48": "Datum-48",
"2.5.4.49": "Datum-49",
"2.5.4.50": "Datum-50",
"2.5.4.51": "Datum-51",
"2.5.4.52": "Datum-52",
"2.5.4.53": "Datum-53",
"2.5.4.54": "Datum-54",
"2.5.4.65": "Datum-65",
"2.5.4.72": "Datum-72",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
},
{
"name": "client-custom-oids.pem",
"description": "Client certificate using non-standard OIDs.",
"Issuer": "ca.pem",
"keyfile": "key.pem",
"Subject": {
"OU": "KernelUser",
"CN": "client",
"1.2.3.56": "RandoValue",
# Value contains a comma to exercise RDN escaping on the consuming side.
"1.2.3.45": "Value,Rando",
},
},
{
"name": "client_email.pem",
"description": "Client certificate containing an email address. Includes authorizations for queryable backup.",
"Subject": {
"OU": "KernelUser",
"CN": "client",
"emailAddress": "example@mongodb.com",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
# mongoRoles is a MongoDB-specific extension carrying role grants; each item is {role, db}.
"mongoRoles": [
{
"role": "backup",
"db": "admin",
},
{
"role": "readAnyDatabase",
"db": "admin",
},
],
},
},
{
# Subject values deliberately contain the RFC 4514 special characters (',', '+', '"', '\', '<',
# '>', ';', leading/trailing space) to exercise DN escaping.
"name": "client_escape.pem",
"description": "Client certificate with reserved characters in subject name. Includes authorizations for queryable backup.",
"explicit_subject": True,
"Subject": {
"C": ",+",
"ST": "\"\\<",
"L": " >",
"O": "; ",
"OU": "Escape",
"CN": "Test",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
"mongoRoles": [
{
"role": "backup",
"db": "admin",
},
{
"role": "readAnyDatabase",
"db": "admin",
},
],
},
},
{
"name": "client.pem",
"description": "General purpose client certificate.",
"Subject": {
"OU": "KernelUser",
"CN": "client",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
"basicConstraints": {
"CA": False,
},
"subjectKeyIdentifier": "hash",
"keyUsage": [
"digitalSignature",
"keyEncipherment",
],
"extendedKeyUsage": [
"clientAuth",
],
},
},
{
# EKU-mismatch fixtures: this one and the three entries that follow differ from client.pem only
# in the extendedKeyUsage list, so tests can check that the peer's EKU is enforced per direction.
"name": "client_with_serverAuth_eku.pem",
"description": "Client certificate configured with serverAuth EKU (should be disallowed when received on ingress connections)",
"Subject": {
"OU": "KernelUser",
"CN": "client",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
"basicConstraints": {
"CA": False,
},
"subjectKeyIdentifier": "hash",
"keyUsage": [
"digitalSignature",
"keyEncipherment",
],
"extendedKeyUsage": [
"serverAuth",
],
},
},
{
"name": "client_without_eku.pem",
"description": "Client certificate configured with no EKUs",
"Subject": {
"OU": "KernelUser",
"CN": "client",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
"basicConstraints": {
"CA": False,
},
"subjectKeyIdentifier": "hash",
"keyUsage": [
"digitalSignature",
"keyEncipherment",
],
},
},
{
"name": "client_with_serverAuth_and_clientAuth_eku.pem",
"description": "Client certificate configured with both serverAuth and clientAuth EKUs",
"Subject": {
"OU": "KernelUser",
"CN": "client",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
"basicConstraints": {
"CA": False,
},
"subjectKeyIdentifier": "hash",
"keyUsage": [
"digitalSignature",
"keyEncipherment",
],
"extendedKeyUsage": [
"clientAuth",
"serverAuth",
],
},
},
{
# "Subject" is a list here rather than an object: each element presumably becomes one
# multi-valued RDN - confirm against the generator.
"name": "client-multivalue-rdn.pem",
"description": "Client certificate containing multivalue RDNs",
"explicit_subject": True,
"Subject": [
{
"O": "MongoDB",
"OU": "KernelUser",
"CN": "client",
},
{
"C": "US",
"ST": "New York",
"L": "New York City",
},
],
"Issuer": "ca.pem",
"keyfile": "key.pem",
},
{
"name": "client_privatekey.pem",
"description": "General purpose client certificate with roles.",
"Subject": {
"CN": "client",
"emailAddress": "example@mongodb.com",
"title": "A Test Certificate",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
"mongoRoles": [
{
"role": "backup",
"db": "admin",
},
{
"role": "readAnyDatabase",
"db": "admin",
},
],
},
},
{
# Fixed serial so the revocation fixture (crl_client_revoked.pem in "crls" below, presumably)
# can reference a stable value - TODO confirm.
"name": "client_revoked.pem",
"description": "Client certificate which has been explicitly revoked.",
"Subject": {
"CN": "client_revoked",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
"serial": 4,
"extensions": {
"basicConstraints": {
"CA": False,
},
"subjectKeyIdentifier": "hash",
"keyUsage": [
"digitalSignature",
"keyEncipherment",
],
"extendedKeyUsage": [
"clientAuth",
],
},
},
{
"name": "client_roles.pem",
"description": "General purpose client certificate with roles.",
"Subject": {
"OU": "Kernel Users",
"CN": "Kernel Client Peer Role",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
"mongoRoles": [
{
"role": "backup",
"db": "admin",
},
{
"role": "readAnyDatabase",
"db": "admin",
},
],
},
},
{
"name": "client_title.pem",
"description": "General purpose client certificate with roles.",
"Subject": {
"OU": "KernelUser",
"CN": "client",
"emailAddress": "example@mongodb.com",
"title": "A Test Certificate",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
"mongoRoles": [
{
"role": "backup",
"db": "admin",
},
{
"role": "readAnyDatabase",
"db": "admin",
},
],
},
},
{
# CN is Cyrillic; exercises UTF8String handling in subject names.
"name": "client_utf8.pem",
"description": "Client certificate with non latin-1 unicode characters.",
"Subject": {
"OU": "Kernel Users",
"CN": "Калоян",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
"mongoRoles": [
{
"role": "backup",
"db": "admin",
},
{
"role": "readAnyDatabase",
"db": "admin",
},
],
},
},
{
"name": "cluster_cert.pem",
"description": "Alternate cert for use in intra-cluster communication.",
"Subject": {
"CN": "clustertest",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
},
{
# not_before/not_after are negative here and large positive for not_yet_valid.pem, so they look
# like offsets (in seconds?) relative to generation time rather than absolute timestamps - TODO
# confirm the unit.
"name": "expired.pem",
"description": "A certificate which has passed its expiration date.",
"Subject": {
"CN": "expired",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
"not_before": -10000000,
"not_after": -1000000,
"extensions": {
"extendedKeyUsage": [
"serverAuth",
],
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
},
},
{
"name": "localhostnameCN.pem",
"description": "Server certificate with IP localhost in CN, includes a SAN.",
"Subject": {
"CN": "127.0.0.1",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
"basicConstraints": {
"CA": False,
},
"subjectKeyIdentifier": "hash",
"keyUsage": [
"digitalSignature",
"keyEncipherment",
],
"extendedKeyUsage": [
"serverAuth",
],
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
},
},
{
# CN matches localhost but the SAN does not; with a SAN present, hostname validation is expected
# to ignore the CN, so this certificate should fail verification for localhost.
"name": "localhost-cn-with-san.pem",
"description": "Localhost based certificate using non-matching subject alternate name.",
"Subject": {
"CN": "localhost",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
"extendedKeyUsage": [
"serverAuth",
],
"subjectAltName": {
"DNS": "example.com",
},
},
},
{
"name": "localhostnameSAN.pem",
"description": "Server certificate with a selection of SANs",
"Subject": {
"CN": "santesthostname.com",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
"basicConstraints": {
"CA": False,
},
"subjectKeyIdentifier": "hash",
"keyUsage": [
"digitalSignature",
"keyEncipherment",
],
"extendedKeyUsage": [
"serverAuth",
],
"subjectAltName": {
# Includes a wildcard and a syntactically odd name ("morefun!") alongside localhost.
"DNS": [
"*.example.com",
"localhost",
"morefun!",
],
"IP": "127.0.0.1",
},
},
},
{
"name": "not_yet_valid.pem",
"description": "A certificate which has yet to reach its validity date.",
"Subject": {
"CN": "not_yet_valid",
},
"not_before": 630720000,
"not_after": 701913600,
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
"extendedKeyUsage": [
"serverAuth",
],
"mongoRoles": [
{
"role": "backup",
"db": "admin",
},
{
"role": "readAnyDatabase",
"db": "admin",
},
],
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
},
},
{
# NOTE(review): the description says "Server cerificate" (sic) but this entry is a client
# certificate (OU KernelUser, CN client, clientAuth EKU); the same misspelling appears on
# password_protected.pem below.
"name": "client_password_protected.pem",
"description": "Server cerificate using an encrypted private key.",
"Subject": {
"OU": "KernelUser",
"CN": "client",
},
# Encrypted PKCS#1 key; "passphrase" is the test passphrase the generator uses for it.
"keyfile": "pkcs1_encrypted_key.pem",
"passphrase": "qwerty",
"Issuer": "ca.pem",
"extensions": {
"basicConstraints": {
"CA": False,
},
"subjectKeyIdentifier": "hash",
"keyUsage": [
"digitalSignature",
"keyEncipherment",
],
"extendedKeyUsage": [
"clientAuth",
],
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
},
},
{
"name": "password_protected.pem",
"description": "Server cerificate using an encrypted private key.",
"Subject": {
"CN": "server",
},
"keyfile": "pkcs1_encrypted_key.pem",
"passphrase": "qwerty",
"Issuer": "ca.pem",
"extensions": {
"basicConstraints": {
"CA": False,
},
"subjectKeyIdentifier": "hash",
"keyUsage": [
"digitalSignature",
"keyEncipherment",
],
"extendedKeyUsage": [
"serverAuth",
],
"authorityKeyIdentifier": "issuer",
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
},
},
{
"name": "server.pem",
"description": "General purpose server certificate file.",
"Subject": {
"CN": "server",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
"basicConstraints": {
"CA": False,
},
"subjectKeyIdentifier": "hash",
"keyUsage": [
"digitalSignature",
"keyEncipherment",
],
"extendedKeyUsage": [
"serverAuth",
"clientAuth",
],
"authorityKeyIdentifier": "issuer",
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
},
},
{
# Server-side EKU-mismatch fixtures, mirroring the client_*_eku.pem set above.
"name": "server_with_clientAuth_eku.pem",
"description": "General purpose server certificate file with clientAuth EKU (should be disallowed when received on egress connections)",
"Subject": {
"CN": "server",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
"basicConstraints": {
"CA": False,
},
"subjectKeyIdentifier": "hash",
"keyUsage": [
"digitalSignature",
"keyEncipherment",
],
"extendedKeyUsage": [
"clientAuth",
],
"authorityKeyIdentifier": "issuer",
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
},
},
{
"name": "server_with_serverAuth_eku.pem",
"description": "General purpose server certificate file with serverAuth EKU only",
"Subject": {
"CN": "server",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
"basicConstraints": {
"CA": False,
},
"subjectKeyIdentifier": "hash",
"keyUsage": [
"digitalSignature",
"keyEncipherment",
],
"extendedKeyUsage": [
"serverAuth",
],
"authorityKeyIdentifier": "issuer",
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
},
},
{
"name": "server_without_eku.pem",
"description": "General purpose server certificate file without any EKUs",
"Subject": {
"CN": "server",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
"basicConstraints": {
"CA": False,
},
"subjectKeyIdentifier": "hash",
"keyUsage": [
"digitalSignature",
"keyEncipherment",
],
"authorityKeyIdentifier": "issuer",
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
},
},
{
# No "Subject" at all plus explicit_subject, so the global defaults are not merged in; an empty
# subject is only valid when the SAN is marked critical (hence "critical": True below).
"name": "server_no_subject.pem",
"description": "Server certificate with empty Subject, but critical SAN.",
"explicit_subject": True,
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
"basicConstraints": {
"CA": False,
},
"subjectKeyIdentifier": "hash",
"keyUsage": [
"digitalSignature",
"keyEncipherment",
],
"extendedKeyUsage": [
"serverAuth",
"clientAuth",
],
"authorityKeyIdentifier": "issuer",
"subjectAltName": {
"critical": True,
"DNS": "localhost",
"IP": [
"127.0.0.1",
"::1",
],
},
},
},
{
# Negative fixture: empty Subject and no SAN, which leaves nothing to identify the peer by.
"name": "server_no_subject_no_SAN.pem",
"description": "Server certificate with empty Subject, and no SANs.",
"explicit_subject": True,
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
"basicConstraints": {
"CA": False,
},
"subjectKeyIdentifier": "hash",
"keyUsage": [
"digitalSignature",
"keyEncipherment",
],
"extendedKeyUsage": [
"serverAuth",
"clientAuth",
],
"authorityKeyIdentifier": "issuer",
},
},
{
"name": "server_SAN.pem",
"description": "General purpose server certificate with good SANs.",
"Subject": {
"CN": "Kernel Client Peer Role",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
"extendedKeyUsage": [
"serverAuth",
"clientAuth",
],
"subjectAltName": {
"DNS": "localhost",
"IP": [
"127.0.0.1",
"::1",
],
},
},
},
{
# NOTE(review): the description says "bad SANs" but the SAN block is identical to server_SAN.pem;
# the only visible difference is the missing clientAuth EKU - confirm which property the tests
# rely on.
"name": "server_SAN2.pem",
"description": "General purpose server certificate with bad SANs.",
"Subject": {
"CN": "Kernel Client Peer Role",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
"extendedKeyUsage": [
"serverAuth",
],
"subjectAltName": {
"DNS": "localhost",
"IP": [
"127.0.0.1",
"::1",
],
},
},
},
{
"name": "server_no_SAN.pem",
"description": "General purpose server certificate with missing SAN.",
"Subject": {
"CN": "localhost",
"title": "Server no SAN attribute",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
"extendedKeyUsage": [
"serverAuth",
],
},
},
{
# mongoClusterMembership is a MongoDB-specific extension; the foo/bar pair (and the alt-RDN
# variant) lets tests check that cluster membership is decided by this extension rather than by
# the Subject DN.
"name": "cluster-member-foo.pem",
"description": "A server certificate with the mongoClusterMembership extension with a value of foo",
"Subject": {
"CN": "server",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
"basicConstraints": {
"CA": False,
},
"subjectKeyIdentifier": "hash",
"keyUsage": [
"digitalSignature",
"keyEncipherment",
],
"extendedKeyUsage": [
"serverAuth",
"clientAuth",
],
"authorityKeyIdentifier": "issuer",
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
"mongoClusterMembership": "foo",
},
},
{
"name": "cluster-member-bar.pem",
"description": "A server certificate with the mongoClusterMembership extension with a value of bar",
"Subject": {
"CN": "server",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
"basicConstraints": {
"CA": False,
},
"subjectKeyIdentifier": "hash",
"keyUsage": [
"digitalSignature",
"keyEncipherment",
],
"extendedKeyUsage": [
"serverAuth",
"clientAuth",
],
"authorityKeyIdentifier": "issuer",
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
"mongoClusterMembership": "bar",
},
},
{
"name": "cluster-member-foo-alt-rdn.pem",
"description": "A server certificate with the mongoClusterMembership extension with a value of foo, but an unrelated RDN",
"Subject": {
"C": "ZZ",
"ST": "Example",
"L": "Fakesville",
"O": "Company",
"OU": "Business",
"CN": "Doer",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
"basicConstraints": {
"CA": False,
},
"subjectKeyIdentifier": "hash",
"keyUsage": [
"digitalSignature",
"keyEncipherment",
],
"extendedKeyUsage": [
"serverAuth",
"clientAuth",
],
"authorityKeyIdentifier": "issuer",
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
"mongoClusterMembership": "foo",
},
},
{
# The *_title_* family varies only the "title" attribute (and, for the *_no_o_ou_dc variants,
# drops O/OU via explicit_subject) for tests of attribute-based cluster membership matching.
"name": "server_title_foo.pem",
"description": "Server certificate including the title attribute set to foo.",
"Subject": {
"CN": "server",
"title": "foo",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
},
},
{
"name": "server_title_bar.pem",
"description": "Server certificate including the title attribute set to bar.",
"Subject": {
"CN": "server",
"title": "bar",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
},
},
{
"name": "cluster_title_foo.pem",
"description": "Alternate certificate for intracluster auth including the title attribute set to foo.",
"Subject": {
"CN": "clustertest",
"title": "foo",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
},
},
{
"name": "server_title_foo_no_o_ou_dc.pem",
"description": "Server certificate including the title attribute set to foo without O, OU, or DC.",
"explicit_subject": True,
"Subject": {
"CN": "server",
"title": "foo",
"C": "US",
"ST": "New York",
"L": "New York City",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
},
},
{
"name": "server_title_bar_no_o_ou_dc.pem",
"description": "Server certificate including the title attribute set to bar without O, OU, or DC.",
"explicit_subject": True,
"Subject": {
"CN": "server",
"title": "bar",
"C": "US",
"ST": "New York",
"L": "New York City",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
},
},
{
"name": "cluster_title_foo_no_o_ou_dc.pem",
"description": "Alternate certificate for intracluster auth including the title attribute set to foo without O, OU, or DC.",
"explicit_subject": True,
"Subject": {
"CN": "clustertest",
"title": "foo",
"C": "US",
"ST": "New York",
"L": "New York City",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
},
},
{
# rs0/rs1/rs2: three server certificates that differ only in OU, presumably one per replica set
# member.
"name": "rs0.pem",
"description": "General purpose server certificate file.",
"Subject": {
"OU": "rs0",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
"basicConstraints": {
"CA": False,
},
"subjectKeyIdentifier": "hash",
"keyUsage": [
"digitalSignature",
"keyEncipherment",
],
"extendedKeyUsage": [
"serverAuth",
],
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
"authorityKeyIdentifier": "issuer",
},
},
{
"name": "rs1.pem",
"description": "General purpose server certificate file.",
"Subject": {
"OU": "rs1",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
"basicConstraints": {
"CA": False,
},
"subjectKeyIdentifier": "hash",
"keyUsage": [
"digitalSignature",
"keyEncipherment",
],
"extendedKeyUsage": [
"serverAuth",
],
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
"authorityKeyIdentifier": "issuer",
},
},
{
"name": "rs2.pem",
"description": "General purpose server certificate file.",
"Subject": {
"OU": "rs2",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
"basicConstraints": {
"CA": False,
},
"subjectKeyIdentifier": "hash",
"keyUsage": [
"digitalSignature",
"keyEncipherment",
],
"extendedKeyUsage": [
"serverAuth",
],
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
"authorityKeyIdentifier": "issuer",
},
},
{
# Self-signed leaf (not a CA); useful for tests that must reject a peer whose chain does not
# end at a trusted root.
"name": "client-self-signed.pem",
"description": "A basic self-signed certificate.",
"Subject": {
"OU": "KernelUser",
"CN": "client",
},
"Issuer": "self",
"keyfile": "key.pem",
"extensions": {
"basicConstraints": {
"CA": False,
},
"authorityKeyIdentifier": "issuer",
"subjectKeyIdentifier": "hash",
"keyUsage": [
"digitalSignature",
"keyEncipherment",
"nonRepudiation",
],
"extendedKeyUsage": [
"clientAuth",
],
"nsComment": "OpenSSL Generated Certificate",
},
},
{
"name": "smoke.pem",
"description": "A self-signed certificate used for smoke testing.",
"Subject": {
"CN": "smoke",
},
"Issuer": "self",
"keyfile": "key.pem",
"extensions": {
"basicConstraints": {
"CA": True,
},
},
},
{
# NOTE(review): same CN as ca.pem, and the global Subject fields are shared too, so the two
# roots have identical Subject DNs. Verifiers that look up issuers by name alone can pick the
# wrong root when both are present in one trust store; tests mixing them presumably rely on
# key identifiers - confirm.
"name": "ca_ocsp.pem",
"description": "OCSP Root Certificate Authority",
"Subject": {
"CN": "Kernel Test CA",
},
"Issuer": "self",
"keyfile": "ocsp_ca_key.pem",
# split_cert_and_key presumably writes the key to a separate file instead of bundling it into
# the .pem - TODO confirm.
"split_cert_and_key": True,
"extensions": {
"basicConstraints": {
"critical": True,
"CA": True,
},
},
},
{
"name": "server_ocsp.pem",
"description": "OCSP certificate for the mongodb server.",
"Subject": {
"CN": "localhost",
"C": "US",
"ST": "NY",
"L": "OCSP-1",
},
"Issuer": "ca_ocsp.pem",
"keyfile": "ocsp_key.pem",
"extensions": {
"basicConstraints": {
"CA": False,
},
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
# authorityInfoAccess is a single object here but a list for the ecdsa-*-ocsp entries below;
# the consumer has to accept both shapes.
"authorityInfoAccess": {
"method": "OCSP",
"location": "http://localhost:8100/status",
},
"subjectKeyIdentifier": "hash",
"keyUsage": [
"digitalSignature",
"keyEncipherment",
],
"extendedKeyUsage": [
"serverAuth",
"clientAuth",
],
},
},
{
"name": "server_no_ocsp.pem",
"description": "Non-OCSP certificate for the mongodb server using the OCSP CA.",
"Subject": {
"CN": "localhost",
"C": "US",
"ST": "NY",
"L": "OCSP-1",
},
"Issuer": "ca_ocsp.pem",
"keyfile": "ocsp_key.pem",
"extensions": {
"basicConstraints": {
"CA": False,
},
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
"subjectKeyIdentifier": "hash",
"keyUsage": [
"digitalSignature",
"keyEncipherment",
],
"extendedKeyUsage": [
"serverAuth",
"clientAuth",
],
},
},
{
# NOTE(review): described as "expired" but no not_before/not_after override is set (compare
# expired.pem); what is visibly different is the non-matching CN/SAN "badHost" - confirm the
# intended failure mode.
"name": "server_ocsp_invalid.pem",
"description": "An expired OCSP certificate for the mongodb server.",
"Subject": {
"CN": "badHost",
"C": "US",
"ST": "NY",
"L": "OCSP-1",
},
"Issuer": "ca_ocsp.pem",
"keyfile": "ocsp_key.pem",
"extensions": {
"basicConstraints": {
"CA": False,
},
"subjectAltName": {
"DNS": "badHost",
},
"authorityInfoAccess": {
"method": "OCSP",
"location": "http://localhost:8100/status",
},
"subjectKeyIdentifier": "hash",
"keyUsage": [
"digitalSignature",
"keyEncipherment",
],
"extendedKeyUsage": [
"serverAuth",
"clientAuth",
],
},
},
{
# Identical to server_ocsp.pem here; the "revoked" status presumably comes from the OCSP
# responder's configuration rather than from this definition - confirm.
"name": "server_ocsp_revoked.pem",
"description": "OCSP certificate for the mongodb server.",
"Subject": {
"CN": "localhost",
"C": "US",
"ST": "NY",
"L": "OCSP-1",
},
"Issuer": "ca_ocsp.pem",
"keyfile": "ocsp_key.pem",
"extensions": {
"basicConstraints": {
"CA": False,
},
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
"authorityInfoAccess": {
"method": "OCSP",
"location": "http://localhost:8100/status",
},
"subjectKeyIdentifier": "hash",
"keyUsage": [
"digitalSignature",
"keyEncipherment",
],
"extendedKeyUsage": [
"serverAuth",
"clientAuth",
],
},
},
{
"name": "server_ocsp_mustStaple.pem",
"description": "Must Staple OCSP certificate for the mongodb server.",
"Subject": {
"CN": "localhost",
"C": "US",
"ST": "NY",
"L": "OCSP-1",
},
"Issuer": "ca_ocsp.pem",
"keyfile": "ocsp_key.pem",
"extensions": {
"basicConstraints": {
"CA": False,
},
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
"authorityInfoAccess": {
"method": "OCSP",
"location": "http://localhost:8100/status",
},
# TLS Feature / status_request ("must staple") extension.
"mustStaple": True,
"subjectKeyIdentifier": "hash",
"keyUsage": [
"digitalSignature",
"keyEncipherment",
],
"extendedKeyUsage": [
"serverAuth",
"clientAuth",
],
},
},
{
"name": "client_ocsp.pem",
"description": "OCSP certificate for the mongodb client.",
"Subject": {
"CN": "localhost",
"C": "US",
"ST": "NY",
"L": "OCSP-2",
},
"Issuer": "ca_ocsp.pem",
"keyfile": "ocsp_key.pem",
"extensions": {
"basicConstraints": {
"CA": False,
},
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
"authorityInfoAccess": {
"method": "OCSP",
"location": "http://localhost:8100/status",
},
"subjectKeyIdentifier": "hash",
"keyUsage": [
"digitalSignature",
"keyEncipherment",
],
"extendedKeyUsage": [
"clientAuth",
],
},
},
{
"name": "intermediate_ca_only_ocsp.pem",
"description": "CA issued by the primary OCSP CA, which then issues its own server OCSP cert.",
"Subject": {
"CN": "Intermediate CA for OCSP",
},
"Issuer": "ca_ocsp.pem",
"keyfile": "intermediate_ocsp_ca_key.pem",
"split_cert_and_key": True,
"extensions": {
"subjectKeyIdentifier": "hash",
"basicConstraints": {
"critical": True,
"CA": True,
},
},
},
{
# Bundle-only entry: no Subject/Issuer/keyfile, just "append_cert" concatenating existing
# outputs. "append_cert" is a list here but a bare string on
# server_and_intermediate_ca_appended_ocsp.pem; the consumer has to accept both.
"name": "intermediate_ca_with_root_ocsp.pem",
"description": "OCSP CA and OCSP Intermediate appended together",
"append_cert": [
"intermediate_ca_only_ocsp.pem",
"ca_ocsp.pem",
],
},
{
"name": "server_signed_by_intermediate_ca_ocsp.pem",
"description": "Server OCSP certificate signed by intermediate CA.",
"Subject": {
"CN": "Server OCSP Via Intermediate",
},
"Issuer": "intermediate_ca_only_ocsp.pem",
"keyfile": "intermediate_ocsp_key.pem",
"extensions": {
"basicConstraints": {
"CA": False,
},
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
"authorityInfoAccess": {
"method": "OCSP",
"location": "http://localhost:8100/status",
},
"subjectKeyIdentifier": "hash",
"keyUsage": [
"digitalSignature",
"keyEncipherment",
],
"extendedKeyUsage": [
"serverAuth",
"clientAuth",
],
},
},
{
# Same leaf as the previous entry, with the issuing intermediate appended so the file is a
# chain that a peer without the intermediate can still build.
"name": "server_and_intermediate_ca_appended_ocsp.pem",
"description": "Server OCSP certificate signed by intermediate CA.",
"Subject": {
"CN": "Server OCSP Via Intermediate",
},
"Issuer": "intermediate_ca_only_ocsp.pem",
"keyfile": "intermediate_ocsp_key.pem",
"append_cert": "intermediate_ca_only_ocsp.pem",
"extensions": {
"basicConstraints": {
"CA": False,
},
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
"authorityInfoAccess": {
"method": "OCSP",
"location": "http://localhost:8100/status",
},
"subjectKeyIdentifier": "hash",
"keyUsage": [
"digitalSignature",
"keyEncipherment",
],
"extendedKeyUsage": [
"serverAuth",
"clientAuth",
],
},
},
{
# OCSP responder signing certificate: OCSPSigning EKU, issued directly by the OCSP root so
# responses it signs are trusted for that CA's certificates.
"name": "ocsp_responder.pem",
"description": "Certificate and key for the OCSP responder",
"Subject": {
"CN": "localhost",
"C": "US",
"ST": "NY",
"L": "OCSP-3",
},
"Issuer": "ca_ocsp.pem",
"keyfile": "ocsp_responder_key.pem",
"split_cert_and_key": True,
"extensions": {
"basicConstraints": {
"CA": False,
},
"keyUsage": [
"nonRepudiation",
"digitalSignature",
"keyEncipherment",
],
"extendedKeyUsage": [
"OCSPSigning",
],
},
},
{
"name": "rollover_ca.pem",
"description": "Separate CA used during rollover tests.",
"explicit_subject": True,
"Subject": {
"C": "US",
"ST": "New York",
"L": "New York",
"O": "MongoDB, Inc.",
"OU": "Kernel",
"CN": "Kernel Rollover Test CA",
},
"Issuer": "self",
"keyfile": "rollover_ca_key.pem",
"extensions": {
"basicConstraints": {
"critical": True,
"CA": True,
},
"subjectKeyIdentifier": "hash",
# "keyid" here vs "issuer" everywhere else - presumably selects the AKI form emitted.
"authorityKeyIdentifier": "keyid",
# "critical" appears as a list element rather than a separate key (compare basicConstraints);
# presumably the generator treats it as a flag on the extension - confirm.
"keyUsage": [
"critical",
"digitalSignature",
"keyCertSign",
"cRLSign",
],
},
},
{
"name": "rollover_ca_merged.pem",
"description": "Combination of rollover_ca.pem and ca.pem",
"append_cert": [
"rollover_ca.pem",
"ca.pem",
],
},
{
"name": "rollover_server.pem",
"description": "Server rollover certificate.",
"explicit_subject": True,
"Subject": {
"C": "US",
"ST": "New York",
"L": "New York",
"O": "MongoDB, Inc. (Rollover)",
"OU": "Kernel",
"CN": "server",
},
"Issuer": "rollover_ca.pem",
"keyfile": "rollover_key.pem",
"extensions": {
"extendedKeyUsage": [
"serverAuth",
"clientAuth",
],
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
},
},
{
"name": "intermediate-ca.pem",
"description": "CA issues by the primary root CA, which then issues its own server cert.",
"Subject": {
"CN": "Intermediate CA",
},
"extensions": {
"basicConstraints": {
"CA": True,
},
},
"Issuer": "ca.pem",
"keyfile": "intermediate_ca_key.pem",
},
{
"name": "server-intermediate-ca.pem",
"description": "Server certificate signed by intermediate CA, including intermediate CA in bundle.",
"Subject": {
"CN": "Server Via Intermediate",
},
"Issuer": "intermediate-ca.pem",
"keyfile": "intermediate_key.pem",
"append_cert": "intermediate-ca.pem",
"extensions": {
"extendedKeyUsage": [
"serverAuth",
"clientAuth",
],
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
},
},
{
# Leaf without the intermediate appended; peers need intermediate-ca-chain.pem (or the
# intermediate itself) in their trust store to verify it.
"name": "server-intermediate-leaf.pem",
"description": "Server certificate signed by intermediate CA.",
"Subject": {
"CN": "Server Leaf Via Intermediate",
},
"extensions": {
"extendedKeyUsage": [
"serverAuth",
],
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
},
"Issuer": "intermediate-ca.pem",
"keyfile": "intermediate_key.pem",
},
{
"name": "intermediate-ca-chain.pem",
"description": "CA pem including intermediate certs.",
"append_cert": [
"ca.pem",
"intermediate-ca.pem",
],
},
{
"name": "intermediate-ca-B.pem",
"description": "Secondary intermediate CA issued by the primary root CA.",
"Subject": {
"CN": "Intermediate CA B",
},
"extensions": {
"basicConstraints": {
"CA": True,
},
},
"Issuer": "ca.pem",
"keyfile": "intermediate_b_ca_key.pem",
},
{
"name": "intermediate-ca-B-leaf.pem",
"description": "First end-entity certificate signed by intermediate CA B",
"Subject": {
"CN": "End-entity certificate via Intermediate CA B",
},
"Issuer": "intermediate-ca-B.pem",
"keyfile": "intermediate_b_key.pem",
"extensions": {
"extendedKeyUsage": [
"serverAuth",
"clientAuth",
],
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
},
},
{
"name": "splithorizon-server.pem",
"description": "Server certificate for split horizon testing.",
"Subject": {
"O": "MongoDB, Inc. (Splithorizon)",
"CN": "server",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
"extensions": {
"extendedKeyUsage": [
"serverAuth",
"clientAuth",
],
"subjectAltName": {
"DNS": [
"localhost",
"splithorizon1",
"splithorizon2",
],
"IP": "127.0.0.1",
},
},
},
{
# Second, independent root; the trusted-* family lets tests present a chain that ca.pem does
# not trust (and vice versa). A SAN on a CA certificate is unusual but harmless.
"name": "trusted-ca.pem",
"description": "CA for alternate client/server certificate chain.",
"Subject": {
"CN": "Trusted Kernel Test CA",
},
"Issuer": "self",
"keyfile": "trusted_ca_key.pem",
"extensions": {
"basicConstraints": {
"CA": True,
},
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
},
},
{
"name": "trusted-client.pem",
"description": "Client certificate for trusted chain.",
"Subject": {
"CN": "Trusted Kernel Test Client",
},
"Issuer": "trusted-ca.pem",
"keyfile": "trusted_key.pem",
"split_cert_and_key": True,
"extensions": {
"extendedKeyUsage": [
"clientAuth",
],
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
},
},
{
"name": "trusted-server.pem",
"description": "Server certificate for trusted chain.",
"Subject": {
"CN": "Trusted Kernel Test Server",
},
"Issuer": "trusted-ca.pem",
"keyfile": "trusted_key.pem",
"split_cert_and_key": True,
"extensions": {
"extendedKeyUsage": [
"serverAuth",
],
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
},
},
{
"name": "trusted-cluster-server.pem",
"description": "Server cluster certificate for trusted chain.",
"Subject": {
"CN": "Trusted Kernel Test Cluster Server",
},
"Issuer": "trusted-ca.pem",
"keyfile": "trusted_key.pem",
"split_cert_and_key": True,
"extensions": {
"extendedKeyUsage": [
"clientAuth",
"serverAuth",
],
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
},
},
{
"name": "trusted-client-testdb-roles.pem",
"description": "Client certificate with X509 role grants via trusted chain.",
"Subject": {
"OU": "Kernel Users",
"CN": "Trusted Kernel Test Client With Roles",
},
"Issuer": "trusted-ca.pem",
"keyfile": "trusted_key.pem",
"extensions": {
"mongoRoles": [
{
"role": "role1",
"db": "testDB",
},
{
"role": "role2",
"db": "testDB",
},
],
},
},
{
"name": "root-and-trusted-ca.pem",
"description": "Combined ca.pem and trusted-ca.pem",
"append_cert": [
"ca.pem",
"trusted-ca.pem",
],
},
{
# ECDSA tree (EC keys via the ec_* keyfiles). Note ecdsa-ca-ocsp.pem below reuses this CN, the
# same situation as ca.pem / ca_ocsp.pem.
"name": "ecdsa-ca.pem",
"description": "Root of ECDSA tree.",
"Subject": {
"CN": "Kernel Test ECDSA CA",
},
"Issuer": "self",
"keyfile": "ec_ca_key.pem",
"extensions": {
"basicConstraints": {
"CA": True,
},
"subjectKeyIdentifier": "hash",
},
},
{
"name": "ecdsa-client.pem",
"description": "Client certificate for ECDSA tree.",
"Subject": {
"OU": "KernelUser",
"CN": "client",
},
"Issuer": "ecdsa-ca.pem",
"keyfile": "ec_key.pem",
},
{
"name": "ecdsa-server.pem",
"description": "Server certificate for ECDSA tree.",
"Subject": {
"CN": "server",
},
"Issuer": "ecdsa-ca.pem",
"keyfile": "ec_key.pem",
"extensions": {
"basicConstraints": {
"CA": False,
},
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
"subjectKeyIdentifier": "hash",
"keyUsage": [
"digitalSignature",
"keyEncipherment",
],
"extendedKeyUsage": [
"serverAuth",
"clientAuth",
],
"authorityKeyIdentifier": "issuer",
},
},
{
# NOTE(review): the keyfile name says "pkcs8_encrypted" but, unlike password_protected.pem,
# no "passphrase" is given here or on the three ecdsa-*-ocsp entries that follow; confirm
# whether the generator applies a default passphrase or the name is historical.
"name": "ecdsa-ca-ocsp.pem",
"description": "Root of ECDSA tree for OCSP testing",
"Subject": {
"CN": "Kernel Test ECDSA CA",
},
"Issuer": "self",
"keyfile": "pkcs8_encrypted_ec_ocsp_ca_key.pem",
"split_cert_and_key": True,
"extensions": {
"basicConstraints": {
"CA": True,
},
"subjectKeyIdentifier": "hash",
},
},
{
"name": "ecdsa-server-ocsp.pem",
"description": "ECDSA server certificate w/OCSP",
"Issuer": "ecdsa-ca-ocsp.pem",
"keyfile": "pkcs8_encrypted_ec_ocsp_key.pem",
"Subject": {
"CN": "server",
},
"extensions": {
"basicConstraints": {
"CA": False,
},
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
"subjectKeyIdentifier": "hash",
"keyUsage": [
"digitalSignature",
"keyEncipherment",
],
"extendedKeyUsage": [
"serverAuth",
"clientAuth",
],
# Two OCSP responder URLs; the first presumably does not answer so tests can check fallback to
# the second - confirm.
"authorityInfoAccess": [
{
"method": "OCSP",
"location": "http://localhost:9001/power/level",
},
{
"method": "OCSP",
"location": "http://localhost:8100/status",
},
],
"authorityKeyIdentifier": "issuer",
},
},
{
"name": "ecdsa-server-ocsp-mustStaple.pem",
"description": "ECDSA server certificate w/OCSP + must-staple",
"Issuer": "ecdsa-ca-ocsp.pem",
"keyfile": "pkcs8_encrypted_ec_ocsp_key.pem",
"Subject": {
"CN": "server",
},
"extensions": {
"basicConstraints": {
"CA": False,
},
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
"subjectKeyIdentifier": "hash",
"keyUsage": [
"digitalSignature",
"keyEncipherment",
],
"extendedKeyUsage": [
"serverAuth",
"clientAuth",
],
"authorityInfoAccess": [
{
"method": "OCSP",
"location": "http://localhost:9001/power/level",
},
{
"method": "OCSP",
"location": "http://localhost:8100/status",
},
],
"mustStaple": True,
"authorityKeyIdentifier": "issuer",
},
},
{
# Unlike ocsp_responder.pem, this responder certificate also carries serverAuth/clientAuth, so
# it can double as a TLS identity in the ECDSA OCSP tests.
"name": "ecdsa-ocsp-responder.pem",
"description": "ECDSA certificate and key for OCSP responder",
"Issuer": "ecdsa-ca-ocsp.pem",
"keyfile": "pkcs8_encrypted_ec_ocsp_responder_key.pem",
"Subject": {
"CN": "server",
},
"split_cert_and_key": True,
"extensions": {
"basicConstraints": {
"CA": False,
},
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
"subjectKeyIdentifier": "hash",
"keyUsage": [
"nonRepudiation",
"digitalSignature",
"keyEncipherment",
],
"extendedKeyUsage": [
"serverAuth",
"clientAuth",
"OCSPSigning",
],
"authorityKeyIdentifier": "issuer",
},
},
{
# Encrypted-key client certificate under the trusted-ca.pem root (used for KMIP client auth per
# the description); no EKU is set, unlike client_password_protected.pem.
"name": "trusted_client_password_protected.pem",
"description": "Encrypted storage engine KMIP client certificate.",
"keyfile": "pkcs1_encrypted_trusted_key.pem",
"passphrase": "qwerty",
"Subject": {
"C": "US",
"ST": "New York",
"L": "New York City",
"O": "MongoDB",
"OU": "KernelUser",
"CN": "trusted_client_password_protected",
},
"Issuer": "trusted-ca.pem",
"extensions": {
"subjectAltName": {
"DNS": "localhost",
"IP": "127.0.0.1",
},
},
},
{
"name": "ldapz_x509_1.pem",
"description": "X.509 LDAP Auth Test Cert.",
"Subject": {
"C": "US",
"ST": "New York",
"L": "New York City",
"O": "MongoDB",
"OU": "KernelUser",
"CN": "ldapz_x509_1",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
},
{
"name": "ldapz_x509_2.pem",
"description": "X.509 LDAP Auth Test Cert.",
"Subject": {
"C": "US",
"ST": "New York",
"L": "New York City",
"O": "MongoDB",
"OU": "KernelUser",
"CN": "ldapz_x509_2",
},
"Issuer": "ca.pem",
"keyfile": "key.pem",
},
],
# CRL output files. Nothing here says which CA signs each one or which serials it lists; the
# names suggest crl.pem/crl_client_revoked.pem come from ca.pem and the others from the CA in
# their name - confirm against the generator.
"crls": [
"crl.pem",
"crl_client_revoked.pem",
"crl_intermediate_ca_B_revoked.pem",
"crl_from_trusted_ca.pem",
"crl_from_intermediate_ca_B.pem",
],
})