mongodb/mongo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
5f89b25908
mongo/jstests/ssl/x509/certs.yml
Sam Frank 5f89b25908 SERVER-125887 Add support for encrypted PEM files for gRPC egress (#53238) 
Co-authored-by: Erwin Pe <erwin.pe@mongodb.com>
GitOrigin-RevId: 071e3964bf43e7fa728a5df6390e0b960e335bdf
2026-05-07 20:21:29 +00:00

1069 lines
31 KiB
YAML
Raw Blame History

# Definition for testing certificates used by MongoDB unit tests.
# Note: CRLs are constructed in mkcrl.sh
global:
# All subject names will have these elements automatically,
# unless `explicit_subject: true` is specified.
output_path: "jstests/libs/"
Subject:
C: "US"
ST: "New York"
L: "New York City"
O: "MongoDB"
OU: "Kernel"
###
# Root ca.pem based tree.
###
certs:
- name: "ca.pem"
description: >-
Primary Root Certificate Authority
Most Certificates are issued by this CA.
Subject: {CN: "Kernel Test CA"}
Issuer: self
extensions:
basicConstraints:
critical: true
CA: true
- name: "badSAN.pem"
description: >-
Certificate with an otherwise permissible CommonName,
but with an unmatchable SubjectAlternateName.
Subject: {CN: "127.0.0.1"}
extensions:
basicConstraints: {CA: false}
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [serverAuth]
subjectAltName: {DNS: badSAN}
subjectKeyIdentifier: hash
- name: "client-all-the-oids.pem"
description: >-
Client certificate with a long list of OIDs.
Ensures the server functions well in unexpected circumstances.
explicit_subject: true
Subject:
CN: Datum-3
SN: Datum-4
serialNumber: Datum-5
C: US
L: Datum-7
ST: NY
street: Datum-9
O: Datum-10
OU: Datum-11
title: Datum-12
description: Datum-13
searchGuide: Datum-14
businessCategory: Datum-15
postalAddress: Datum-16
postalCode: Datum-17
postOfficeBox: Datum-18
physicalDeliveryOfficeName: Datum-19
telephoneNumber: Datum-20
telexNumber: Datum-21
teletexTerminalIdentifier: Datum-22
facsimileTelephoneNumber: Datum-23
x121Address: Datum-24
internationaliSDNNumber: Datum-25
registeredAddress: Datum-26
destinationIndicator: Datum-27
preferredDeliveryMethod: Datum-28
presentationAddress: Datum-29
supportedApplicationContext: Datum-30
member: Datum-31
owner: Datum-32
roleOccupant: Datum-33
seeAlso: Datum-34
userPassword: Datum-35
userCertificate: Datum-36
cACertificate: Datum-37
authorityRevocationList: Datum-38
certificateRevocationList: Datum-39
crossCertificatePair: Datum-40
name: Datum-41
GN: Datum-42
initials: Datum-43
generationQualifier: Datum-44
x500UniqueIdentifier: Datum-45
dnQualifier: Datum-46
enhancedSearchGuide: Datum-47
protocolInformation: Datum-48
distinguishedName: Datum-49
uniqueMember: Datum-50
houseIdentifier: Datum-51
supportedAlgorithms: Datum-52
deltaRevocationList: Datum-53
dmdName: Datum-54
pseudonym: Datum-65
role: Datum-72
- name: "client_email.pem"
description: >-
Client certificate containing an email address.
Includes authorizations for queryable backup.
Subject:
OU: "KernelUser"
CN: "client"
emailAddress: "example@mongodb.com"
extensions:
mongoRoles:
- {role: backup, db: admin}
- {role: readAnyDatabase, db: admin}
- name: "client_escape.pem"
description: >-
Client certificate with reserved characters in subject name.
Includes authorizations for queryable backup.
explicit_subject: true
Subject:
C: ",+"
ST: '"\<'
L: " >"
O: "; "
OU: "Escape"
CN: "Test"
Issuer: "ca.pem"
extensions:
mongoRoles:
- {role: backup, db: admin}
- {role: readAnyDatabase, db: admin}
- name: "client.pem"
description: General purpose client certificate.
Subject: {OU: "KernelUser", CN: "client"}
extensions:
basicConstraints: {CA: false}
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [clientAuth]
- name: "client_with_serverAuth_eku.pem"
description: Client certificate configured with serverAuth EKU (should be disallowed when received on ingress connections)
Subject: {OU: "KernelUser", CN: "client"}
extensions:
basicConstraints: {CA: false}
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [serverAuth]
- name: "client_without_eku.pem"
description: Client certificate configured with no EKUs
Subject: {OU: "KernelUser", CN: "client"}
extensions:
basicConstraints: {CA: false}
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
- name: "client_with_serverAuth_and_clientAuth_eku.pem"
description: Client certificate configured with both serverAuth and clientAuth EKUs
Subject: {OU: "KernelUser", CN: "client"}
extensions:
basicConstraints: {CA: false}
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [clientAuth, serverAuth]
# Special case certificate, see mkcert.py
- name: "client-multivalue-rdn.pem"
description: Client certificate containing multivalue RDNs
Issuer: "ca.pem"
- name: "client_privatekey.pem"
description: General purpose client certificate with roles.
Subject:
{
CN: "client",
emailAddress: "example@mongodb.com",
title: "A Test Certificate",
}
extensions:
mongoRoles:
- {role: backup, db: admin}
- {role: readAnyDatabase, db: admin}
- name: "client_revoked.pem"
description: Client certificate which has been explicitly revoked.
Subject: {CN: "client_revoked"}
serial: 4 # See crl_client_revoked.pem revocation list
extensions:
basicConstraints: {CA: false}
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [clientAuth]
- name: "client_roles.pem"
description: General purpose client certificate with roles.
Subject: {OU: "Kernel Users", CN: "Kernel Client Peer Role"}
extensions:
mongoRoles:
- {role: backup, db: admin}
- {role: readAnyDatabase, db: admin}
- name: "client_title.pem"
description: General purpose client certificate with roles.
Subject:
OU: "KernelUser"
CN: "client"
emailAddress: "example@mongodb.com"
title: "A Test Certificate"
extensions:
mongoRoles:
- {role: backup, db: admin}
- {role: readAnyDatabase, db: admin}
- name: "client_utf8.pem"
description: Client certificate with non latin-1 unicode characters.
Subject: {OU: "Kernel Users", CN: "\u041A\u0430\u043B\u043E\u044F\u043D"}
extensions:
mongoRoles:
- {role: backup, db: admin}
- {role: readAnyDatabase, db: admin}
- name: "client_password_protected.pem"
description: Client certificate using an encrypted private key.
Subject: {OU: "KernelUser", CN: "client"}
Issuer: "ca.pem"
passphrase: "qwerty"
pkcs1: true
extensions:
basicConstraints: {CA: false}
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [clientAuth]
- name: "cluster_cert.pem"
description: Alternate cert for use in intra-cluster communication.
Subject: {CN: "clustertest"}
- name: "expired.pem"
description: A certificate which has passed its expiration date.
Subject: {CN: "expired"}
not_before: -10000000
not_after: -1000000
extensions:
extendedKeyUsage: [serverAuth]
subjectAltName:
DNS: localhost
IP: 127.0.0.1
- name: "localhostnameCN.pem"
description: Server certificate with IP localhost in CN, includes a SAN.
Subject: {CN: "127.0.0.1"}
extensions:
basicConstraints: {CA: false}
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [serverAuth]
subjectAltName:
DNS: localhost
IP: 127.0.0.1
- name: "localhost-cn-with-san.pem"
description: Localhost based certificate using non-matching subject alternate name.
output_path: "jstests/ssl/libs/"
Subject: {CN: "localhost"}
Issuer: "ca.pem"
extensions:
extendedKeyUsage: [serverAuth]
subjectAltName:
DNS: "example.com"
- name: "localhostnameSAN.pem"
description: Server certificate with a selection of SANs
Subject: {CN: "santesthostname.com"}
extensions:
basicConstraints: {CA: false}
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [serverAuth]
subjectAltName:
DNS: ["*.example.com", "localhost", "morefun!"]
IP: 127.0.0.1
- name: "not_yet_valid.pem"
description: A certificate which has yet to reach its validity date.
Subject: {CN: "not_yet_valid"}
not_before: 630720000 # 20 years hence
not_after: 701913600 # a further 824 days after
extensions:
extendedKeyUsage: [serverAuth]
mongoRoles:
- {role: backup, db: admin}
- {role: readAnyDatabase, db: admin}
subjectAltName:
DNS: localhost
IP: 127.0.0.1
- name: "password_protected.pem"
description: Server cerificate using an encrypted private key.
Subject: {CN: server}
passphrase: "qwerty"
pkcs1: true
extensions:
basicConstraints: {CA: false}
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [serverAuth]
authorityKeyIdentifier: issuer
subjectAltName:
DNS: localhost
IP: 127.0.0.1
- name: "server.pem"
description: General purpose server certificate file.
Subject: {CN: "server"}
extensions: &server_pem_extensions
basicConstraints: {CA: false}
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [serverAuth, clientAuth]
authorityKeyIdentifier: issuer
subjectAltName:
DNS: localhost
IP: 127.0.0.1
- name: "server_with_clientAuth_eku.pem"
description: General purpose server certificate file with clientAuth EKU (should be disallowed when received on egress connections)
Subject: {CN: "server"}
extensions:
basicConstraints: {CA: false}
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [clientAuth]
authorityKeyIdentifier: issuer
subjectAltName:
DNS: localhost
IP: 127.0.0.1
- name: "server_with_serverAuth_eku.pem"
description: General purpose server certificate file with serverAuth EKU only
Subject: {CN: "server"}
extensions:
basicConstraints: {CA: false}
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [serverAuth]
authorityKeyIdentifier: issuer
subjectAltName:
DNS: localhost
IP: 127.0.0.1
- name: "server_without_eku.pem"
description: General purpose server certificate file without any EKUs
Subject: {CN: "server"}
extensions:
basicConstraints: {CA: false}
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
authorityKeyIdentifier: issuer
subjectAltName:
DNS: localhost
IP: 127.0.0.1
- name: "server_no_subject.pem"
description: Server certificate with empty Subject, but critical SAN.
explicit_subject: true
extensions:
basicConstraints: {CA: false}
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [serverAuth, clientAuth]
authorityKeyIdentifier: issuer
subjectAltName:
critical: true
DNS: localhost
IP: ["127.0.0.1", "::1"]
- name: "server_no_subject_no_SAN.pem"
description: Server certificate with empty Subject, and no SANs.
explicit_subject: true
extensions:
basicConstraints: {CA: false}
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [serverAuth, clientAuth]
authorityKeyIdentifier: issuer
- name: "server_SAN.pem"
description: General purpose server certificate with good SANs.
Subject: {CN: "Kernel Client Peer Role"}
extensions:
extendedKeyUsage: [serverAuth, clientAuth]
subjectAltName:
DNS: localhost
IP: ["127.0.0.1", "::1"]
- name: "server_SAN2.pem"
description: General purpose server certificate with bad SANs.
Subject: {CN: "Kernel Client Peer Role"}
extensions:
extendedKeyUsage: [serverAuth]
subjectAltName:
DNS: localhost
IP: ["127.0.0.1", "::1"]
- name: "server_no_SAN.pem"
description: General purpose server certificate with missing SAN.
Subject: {CN: localhost, title: "Server no SAN attribute"}
extensions:
extendedKeyUsage: [serverAuth]
- name: "cluster-member-foo.pem"
output_path: "jstests/ssl/libs/"
description: A server certificate with the mongoClusterMembership extension with a value of foo
Subject: {CN: "server"}
extensions:
<<: *server_pem_extensions
mongoClusterMembership: foo
- name: "cluster-member-bar.pem"
output_path: "jstests/ssl/libs/"
description: A server certificate with the mongoClusterMembership extension with a value of bar
Subject: {CN: "server"}
extensions:
<<: *server_pem_extensions
mongoClusterMembership: bar
- name: "cluster-member-foo-alt-rdn.pem"
output_path: "jstests/ssl/libs/"
description: A server certificate with the mongoClusterMembership extension with a value of foo, but an unrelated RDN
Subject:
C: "ZZ"
ST: "Example"
L: "Fakesville"
O: "Company"
OU: "Business"
CN: "Doer"
extensions:
<<: *server_pem_extensions
mongoClusterMembership: foo
- name: "server_title_foo.pem"
description: Server certificate including the title attribute set to foo.
Subject:
CN: "server"
title: "foo"
extensions:
subjectAltName:
DNS: localhost
IP: 127.0.0.1
- name: "server_title_bar.pem"
description: Server certificate including the title attribute set to bar.
Subject:
CN: "server"
title: "bar"
extensions:
subjectAltName:
DNS: localhost
IP: 127.0.0.1
- name: "cluster_title_foo.pem"
description: >-
Alternate certificate for intracluster auth including the title attribute set to foo.
Subject:
CN: "clustertest"
title: "foo"
extensions:
subjectAltName:
DNS: localhost
IP: 127.0.0.1
- name: "server_title_foo_no_o_ou_dc.pem"
description: Server certificate including the title attribute set to foo without O, OU, or DC.
explicit_subject: true
Subject:
CN: "server"
title: "foo"
C: "US"
ST: "New York"
L: "New York City"
extensions:
subjectAltName:
DNS: localhost
IP: 127.0.0.1
- name: "server_title_bar_no_o_ou_dc.pem"
description: Server certificate including the title attribute set to bar without O, OU, or DC.
explicit_subject: true
Subject:
CN: "server"
title: "bar"
C: "US"
ST: "New York"
L: "New York City"
extensions:
subjectAltName:
DNS: localhost
IP: 127.0.0.1
- name: "cluster_title_foo_no_o_ou_dc.pem"
description: >-
Alternate certificate for intracluster auth including the title attribute set to foo
without O, OU, or DC.
explicit_subject: true
Subject:
CN: "clustertest"
title: "foo"
C: "US"
ST: "New York"
L: "New York City"
extensions:
subjectAltName:
DNS: localhost
IP: 127.0.0.1
# TODO SERVER-97176 do we need this cert after removal of tenant migration code?
- name: "rs0.pem"
description: General purpose server certificate file.
Subject:
OU: "rs0"
extensions:
basicConstraints: {CA: false}
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [serverAuth]
subjectAltName:
DNS: localhost
IP: 127.0.0.1
authorityKeyIdentifier: issuer
- name: "rs1.pem"
description: General purpose server certificate file.
Subject:
OU: "rs1"
extensions:
basicConstraints: {CA: false}
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [serverAuth]
subjectAltName:
DNS: localhost
IP: 127.0.0.1
authorityKeyIdentifier: issuer
- name: "rs2.pem"
description: General purpose server certificate file.
Subject:
OU: "rs2"
extensions:
basicConstraints: {CA: false}
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [serverAuth]
subjectAltName:
DNS: localhost
IP: 127.0.0.1
authorityKeyIdentifier: issuer
###
# Certificates not based on the primary root ca.pem
###
# Standalone self-signed cert.
- name: "client-self-signed.pem"
description: A basic self-signed certificate.
Subject: {OU: "KernelUser", CN: "client"}
Issuer: self
extensions:
basicConstraints: {CA: false}
authorityKeyIdentifier: issuer
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment, nonRepudiation]
extendedKeyUsage: [clientAuth]
nsComment: "OpenSSL Generated Certificate"
# Standalone smoke test cert.
- name: "smoke.pem"
description: A self-signed certificate used for smoke testing.
Subject: {CN: smoke}
Issuer: self
extensions: {basicConstraints: {CA: true}}
###
# OCSP Tree
###
- name: "ca_ocsp.pem"
description: >-
Primary Root Certificate Authority
Most Certificates are issued by this CA.
Subject: {CN: "Kernel Test CA"}
Issuer: self
include_header: false
output_path: "jstests/libs/ocsp/"
keyfile: "ca_ocsp.key"
crtfile: "ca_ocsp.crt"
extensions:
basicConstraints:
critical: true
CA: true
- name: "server_ocsp.pem"
description: >-
OCSP certificate for the mongodb server.
Subject:
CN: "localhost"
C: US
ST: NY
L: OCSP-1
Issuer: "ca_ocsp.pem"
include_header: false
output_path: "jstests/libs/ocsp/"
extensions:
basicConstraints: {CA: false}
subjectAltName:
DNS: localhost
IP: 127.0.0.1
authorityInfoAccess: "OCSP;URI:http://localhost:8100/status"
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [serverAuth, clientAuth]
- name: "server_no_ocsp.pem"
description: >-
Non-OCSP certificate for the mongodb server using the OCSP CA.
Subject:
CN: "localhost"
C: US
ST: NY
L: OCSP-1
Issuer: "ca_ocsp.pem"
include_header: false
output_path: "jstests/libs/ocsp/"
extensions:
basicConstraints: {CA: false}
subjectAltName:
DNS: localhost
IP: 127.0.0.1
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [serverAuth, clientAuth]
- name: "server_ocsp_invalid.pem"
description: >-
An expired OCSP certificate for the mongodb server.
Subject:
CN: "badHost"
C: US
ST: NY
L: OCSP-1
Issuer: "ca_ocsp.pem"
include_header: false
output_path: "jstests/libs/ocsp/"
extensions:
basicConstraints: {CA: false}
subjectAltName:
DNS: badHost
authorityInfoAccess: "OCSP;URI:http://localhost:8100/status"
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [serverAuth, clientAuth]
- name: "server_ocsp_revoked.pem"
description: >-
OCSP certificate for the mongodb server.
Subject:
CN: "localhost"
C: US
ST: NY
L: OCSP-1
Issuer: "ca_ocsp.pem"
include_header: false
output_path: "jstests/libs/ocsp/"
extensions:
basicConstraints: {CA: false}
subjectAltName:
DNS: localhost
IP: 127.0.0.1
authorityInfoAccess: "OCSP;URI:http://localhost:8100/status"
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [serverAuth, clientAuth]
- name: "server_ocsp_mustStaple.pem"
description: >-
Must Staple OCSP certificate for the mongodb server.
Subject:
CN: "localhost"
C: US
ST: NY
L: OCSP-1
Issuer: "ca_ocsp.pem"
include_header: false
output_path: "jstests/libs/ocsp/"
extensions:
basicConstraints: {CA: false}
subjectAltName:
DNS: localhost
IP: 127.0.0.1
authorityInfoAccess: "OCSP;URI:http://localhost:8100/status"
mustStaple: true
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [serverAuth, clientAuth]
- name: "client_ocsp.pem"
description: >-
OCSP certificate for the mongodb client.
Subject:
CN: "localhost"
C: US
ST: NY
L: OCSP-2
Issuer: "ca_ocsp.pem"
include_header: false
output_path: "jstests/libs/ocsp/"
extensions:
basicConstraints: {CA: false}
subjectAltName:
DNS: localhost
IP: 127.0.0.1
authorityInfoAccess: "OCSP;URI:http://localhost:8100/status"
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [clientAuth]
# Intermediate OCSP tree
- name: "intermediate_ca_only_ocsp.pem"
description: CA issued by the primary OCSP CA, which then issues its own server OCSP cert.
Subject: {CN: "Intermediate CA for OCSP"}
Issuer: "ca_ocsp.pem"
include_header: false
output_path: "jstests/libs/ocsp/"
keyfile: "intermediate_ca_only_ocsp.key"
crtfile: "intermediate_ca_only_ocsp.crt"
extensions:
subjectKeyIdentifier: hash
basicConstraints:
critical: true
CA: true
- name: "intermediate_ca_with_root_ocsp.pem"
description: OCSP CA and OCSP Intermediate appended together
output_path: "jstests/libs/ocsp/"
include_header: false
append_cert: ["intermediate_ca_only_ocsp.pem", "ca_ocsp.pem"]
- name: "server_signed_by_intermediate_ca_ocsp.pem"
description: Server OCSP certificate signed by intermediate CA.
Subject: {CN: "Server OCSP Via Intermediate"}
Issuer: "intermediate_ca_only_ocsp.pem"
include_header: false
output_path: "jstests/libs/ocsp/"
extensions:
basicConstraints: {CA: false}
subjectAltName:
DNS: localhost
IP: 127.0.0.1
authorityInfoAccess: "OCSP;URI:http://localhost:8100/status"
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [serverAuth, clientAuth]
- name: "server_and_intermediate_ca_appended_ocsp.pem"
description: Server OCSP certificate signed by intermediate CA.
Subject: {CN: "Server OCSP Via Intermediate"}
Issuer: "intermediate_ca_only_ocsp.pem"
include_header: false
output_path: "jstests/libs/ocsp/"
append_cert: "intermediate_ca_only_ocsp.pem"
extensions:
basicConstraints: {CA: false}
subjectAltName:
DNS: localhost
IP: 127.0.0.1
authorityInfoAccess: "OCSP;URI:http://localhost:8100/status"
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [serverAuth, clientAuth]
# OCSP Responder Certificate
- name: "ocsp_responder.pem"
description: Certificate and key for the OCSP responder
Subject:
CN: "localhost"
C: US
ST: NY
L: OCSP-3
Issuer: "ca_ocsp.pem"
include_header: false
keyfile: "ocsp_responder.key"
crtfile: "ocsp_responder.crt"
output_path: "jstests/libs/ocsp/"
extensions:
basicConstraints: {CA: false}
keyUsage: [nonRepudiation, digitalSignature, keyEncipherment]
extendedKeyUsage: [OCSPSigning]
###
# Rollover tree
###
- name: "rollover_ca.pem"
description: Separate CA used during rollover tests.
explicit_subject: true
Subject:
C: "US"
ST: "New York"
L: "New York"
O: "MongoDB, Inc."
OU: "Kernel"
CN: "Kernel Rollover Test CA"
Issuer: self
extensions:
basicConstraints: {critical: true, CA: true}
subjectKeyIdentifier: hash
authorityKeyIdentifier: keyid
keyUsage: [critical, digitalSignature, keyCertSign, cRLSign]
- name: "rollover_ca_merged.pem"
description: Combination of rollover_ca.pem and ca.pem
append_cert: ["rollover_ca.pem", "ca.pem"]
- name: "rollover_server.pem"
description: Server rollover certificate.
explicit_subject: true
Subject:
C: "US"
ST: "New York"
L: "New York"
O: "MongoDB, Inc. (Rollover)"
OU: "Kernel"
CN: "server"
Issuer: "rollover_ca.pem"
extensions:
extendedKeyUsage: [serverAuth, clientAuth]
subjectAltName:
DNS: localhost
IP: 127.0.0.1
###
# Intermediate
###
- name: "intermediate-ca.pem"
description: CA issues by the primary root CA, which then issues its own server cert.
Subject: {CN: "Intermediate CA"}
extensions:
basicConstraints: {CA: true}
Issuer: "ca.pem"
- name: "server-intermediate-ca.pem"
description: Server certificate signed by intermediate CA, including intermediate CA in bundle.
Subject: {CN: "Server Via Intermediate"}
Issuer: "intermediate-ca.pem"
append_cert: "intermediate-ca.pem"
extensions:
extendedKeyUsage: [serverAuth, clientAuth]
subjectAltName:
DNS: localhost
IP: 127.0.0.1
- name: "server-intermediate-leaf.pem"
description: Server certificate signed by intermediate CA.
Subject: {CN: "Server Leaf Via Intermediate"}
extensions:
extendedKeyUsage: [serverAuth]
subjectAltName:
DNS: localhost
IP: 127.0.0.1
Issuer: "intermediate-ca.pem"
- name: "intermediate-ca-chain.pem"
description: CA pem including intermediate certs.
append_cert:
- "ca.pem"
- "intermediate-ca.pem"
- name: "intermediate-ca-B.pem"
description: Secondary intermediate CA issued by the primary root CA.
Subject: {CN: "Intermediate CA B"}
extensions:
basicConstraints: {CA: true}
Issuer: "ca.pem"
- name: "intermediate-ca-B-leaf.pem"
description: First end-entity certificate signed by intermediate CA B
Subject: {CN: "End-entity certificate via Intermediate CA B"}
Issuer: "intermediate-ca-B.pem"
extensions:
extendedKeyUsage: [serverAuth, clientAuth]
subjectAltName:
DNS: localhost
IP: 127.0.0.1
###
# Split Horizon
###
- name: "splithorizon-server.pem"
description: Server certificate for split horizon testing.
Subject: {O: "MongoDB, Inc. (Splithorizon)", CN: "server"}
Issuer: "ca.pem"
extensions:
extendedKeyUsage: [serverAuth, clientAuth]
subjectAltName:
DNS:
- "localhost"
- "splithorizon1"
- "splithorizon2"
IP: 127.0.0.1
###
# Trusted CA
###
- name: "trusted-ca.pem"
description: CA for alternate client/server certificate chain.
Subject: {CN: "Trusted Kernel Test CA"}
Issuer: self
extensions:
basicConstraints: {CA: true}
subjectAltName:
DNS: localhost
IP: 127.0.0.1
# trusted-client.pfx created by mkspecial.sh
- name: "trusted-client.pem"
description: Client certificate for trusted chain.
Subject: {CN: "Trusted Kernel Test Client"}
Issuer: "trusted-ca.pem"
pkcs12:
passphrase: "qwerty"
name: "trusted-client.pfx"
extensions:
extendedKeyUsage: [clientAuth]
subjectAltName:
DNS: localhost
IP: 127.0.0.1
# trusted-server.pfx created by mkspecial.sh
- name: "trusted-server.pem"
description: Server certificate for trusted chain.
Subject: {CN: "Trusted Kernel Test Server"}
Issuer: "trusted-ca.pem"
pkcs12:
passphrase: "qwerty"
name: "trusted-server.pfx"
extensions:
extendedKeyUsage: [serverAuth]
subjectAltName:
DNS: localhost
IP: 127.0.0.1
# trusted-cluster-server.pfx created by mkspecial.sh
- name: "trusted-cluster-server.pem"
description: Server cluster certificate for trusted chain.
Subject: {CN: "Trusted Kernel Test Cluster Server"}
Issuer: "trusted-ca.pem"
pkcs12:
passphrase: "qwerty"
name: "trusted-cluster-server.pfx"
extensions:
extendedKeyUsage: [clientAuth, serverAuth]
subjectAltName:
DNS: localhost
IP: 127.0.0.1
- name: "trusted-client-testdb-roles.pem"
description: Client certificate with X509 role grants via trusted chain.
Subject: {OU: "Kernel Users", CN: "Trusted Kernel Test Client With Roles"}
Issuer: "trusted-ca.pem"
output_path: "jstests/ssl/x509/"
extensions:
mongoRoles:
- {role: role1, db: testDB}
- {role: role2, db: testDB}
# Both ca.pem and trusted-ca.pem
- name: "root-and-trusted-ca.pem"
description: Combined ca.pem and trusted-ca.pem
output_path: "jstests/ssl/x509/"
append_cert:
- "ca.pem"
- "trusted-ca.pem"
###
# ECDSA trees
###
# These three are all special cases handled internally by mkcert.py
- name: "ecdsa-ca.pem"
description: Root of ECDSA tree.
Issuer: self
tags: [ecdsa]
- name: "ecdsa-client.pem"
description: Client certificate for ECDSA tree.
Issuer: "ecdsa-ca.pem"
tags: [ecdsa]
- name: "ecdsa-server.pem"
description: Server certificate for ECDSA tree.
Issuer: "ecdsa-ca.pem"
tags: [ecdsa]
###
# ECDSA OCSP tree
###
- name: "ecdsa-ca-ocsp.pem"
description: Root of ECDSA tree for OCSP testing
Issuer: self
tags: [ecdsa]
- name: "ecdsa-server-ocsp.pem"
description: ECDSA server certificate w/OCSP
Issuer: "ecdsa-ca-ocsp.pem"
tags: [ecdsa, ocsp]
- name: "ecdsa-server-ocsp-mustStaple.pem"
description: ECDSA server certificate w/OCSP + must-staple
Issuer: "ecdsa-ca-ocsp.pem"
tags: [ecdsa, ocsp, must-staple]
- name: "ecdsa-ocsp-responder.crt"
description: ECDSA certificate and key for OCSP responder
Issuer: "ecdsa-ca-ocsp.pem"
tags: [ecdsa, ocsp, responder]
###
# Non-expiring chain
###
# The below certificates were generated once, and are intended to be permanent (non-renewable).
# Due to changes in OpenSSL and/or the pyOpenSSL library, the definition for client-custom-oids.pem
# will no longer work, as custom OIDs are no longer supported. These certificates were minted using
# pyOpenSSL=19.0.0, OpenSSL version 1.1.1, using the following definitions:
# - name: 'non-expiring-ca.pem'
# description: >-
# CA with an expiration date far into the future, used exclusively for testing client-custom-oids.pem.
# DO NOT regenerate this certificate or add any certificates to this certificate chain without
# consulting the Server Security team first.
# Subject: {CN: 'Kernel Test CA'}
# Issuer: self
# extensions:
# basicConstraints:
# critical: true
# CA: true
# not_after: 99999999999
#
# - name: 'client-custom-oids.pem'
# description: >-
# Client certificate using non-standard OIDs.
# DO NOT regenerate without consulting the Server Security team first.
# Issuer: 'non-expiring-ca.pem'
# Subject:
# OU: 'KernelUser'
# CN: 'client'
# '1.2.3.56': 'RandoValue'
# '1.2.3.45': 'Value,Rando'
# not_after: 99999999999
Reference in New Issue View Git Blame Copy Permalink