To confirm that the MongoDB client certificate enables a successful TLS connection to the KMIP port on the KMES Series 3, you can use OpenSSL. The following instructions depend on whether you used an external CA or a CA on the KMES to issue the MongoDB client certificate.

Externally-issued MongoDB client certificate

If you use an externally-issued MongoDB client certificate, you must extract the client certificate and private key from the PKCS #12 file before connecting. You must also get the external CA certificate chain that signed the MongoDB client certificate and save it to a file. The following instructions explain how to extract a signed certificate and private key from a PKCS #12 file and save them to their own files:
1. Run the following command to extract the private key and signed certificate from the PKCS #12 file and save them in a single PEM file called mongodb-cert-and-privatekey.pem. Note that the -nodes flag specifies that the private key is written to the output file unencrypted.
Shell
openssl pkcs12 -in mongodb.p12 -nodes -out mongodb-cert-and-privatekey.pem
2. After you have the mongodb-cert-and-privatekey.pem file, you can extract the signed certificate and private key into separate files by using the following commands:
Shell
openssl rsa -in mongodb-cert-and-privatekey.pem -out mongodb-privatekey.pem
openssl x509 -in mongodb-cert-and-privatekey.pem -out mongodb-signed-cert.pem
3. Now, run the following OpenSSL command to test a connection to the KMIP connection pair on the KMES Series 3, replacing <KMES-IP> with the IP address of the KMES and adjusting the file names as necessary:
Shell
openssl s_client -connect <KMES-IP>:5696 -CAfile external-ca-chain.pem -cert mongodb-signed-cert.pem -key mongodb-privatekey.pem
If the TLS handshake is successful, then the certificates were correctly configured on the KMES Series 3.

KMES-issued MongoDB client certificate

If you use a KMES-issued MongoDB client certificate, you must extract the client certificate and private key from the PKCS #12 file before connecting. You must also get the root CA certificate that signed the MongoDB client certificate and save it to a file. The following instructions explain how to extract a signed certificate and private key from a PKCS #12 file and save them to their own files:
1. Run the following command to extract the private key and signed certificate from the PKCS #12 file and save them in a single PEM file called mongodb-cert-and-privatekey.pem. Note that the -nodes flag specifies that the private key is written to the output file unencrypted.
Shell
openssl pkcs12 -in mongodb.p12 -nodes -out mongodb-cert-and-privatekey.pem
2. After you have the mongodb-cert-and-privatekey.pem file, you can extract the signed certificate and private key into separate files by using the following commands:
Shell
openssl rsa -in mongodb-cert-and-privatekey.pem -out mongodb-privatekey.pem
openssl x509 -in mongodb-cert-and-privatekey.pem -out mongodb-signed-cert.pem
3. Now, run the following OpenSSL command to test a connection to the KMES Series 3, replacing <KMES-IP> with the IP address of the KMES and adjusting the file names as necessary:
Shell
openssl s_client -connect <KMES-IP>:5696 -CAfile root-ca-cert.pem -cert mongodb-signed-cert.pem -key mongodb-privatekey.pem
If the TLS handshake is successful, then the certificates were correctly configured on the KMES Series 3.
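
A pre-flight check for the files produced by steps 1 and 2 of either procedure above, as an added example that is not part of the original instructions: it confirms that the extracted private key belongs to the extracted certificate and that the certificate chains to the CA file before you attempt the connection. The function names, the P12_PASS environment variable and the throwaway demo CA are assumptions of this example; the key comparison uses openssl pkey, so it also works for non-RSA keys.

```shell
#!/bin/sh
# Constructed sample input: throwaway CA, client certificate and mongodb.p12 in
# directory $1. Subject names and the password "demo" are made up.
make_demo_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$1/ca-key.pem" -out "$1/root-ca-cert.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mongodb-demo" \
        -keyout "$1/issued-key.pem" -out "$1/csr.pem" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$1/csr.pem" -CA "$1/root-ca-cert.pem" \
        -CAkey "$1/ca-key.pem" -CAcreateserial -out "$1/issued-cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/issued-key.pem" -in "$1/issued-cert.pem" \
        -passout pass:demo -out "$1/mongodb.p12"
}

# Steps 1-2 from the page, run inside directory $1. The PKCS #12 password is
# read from the P12_PASS environment variable (an assumption of this example).
# umask 077 makes the unencrypted key files readable by their owner only.
extract_from_p12() (
    cd "$1" && umask 077 &&
    openssl pkcs12 -in mongodb.p12 -nodes -passin env:P12_PASS \
        -out mongodb-cert-and-privatekey.pem 2>/dev/null &&
    openssl rsa -in mongodb-cert-and-privatekey.pem -out mongodb-privatekey.pem 2>/dev/null &&
    openssl x509 -in mongodb-cert-and-privatekey.pem -out mongodb-signed-cert.pem
)

# Usage: check_client_material CERT KEY CAFILE
# Returns 0 = OK, 1 = key does not match, 2 = chain fails, 3 = unparsable file.
check_client_material() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 3
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 3
    [ "$cert_pub" = "$key_pub" ] || return 1
    openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 || return 2
}

run_demo() {
    dir=$(mktemp -d) && make_demo_material "$dir" || return 9
    export P12_PASS=demo
    extract_from_p12 "$dir" || return 9
    check_client_material "$dir/mongodb-signed-cert.pem" \
        "$dir/mongodb-privatekey.pem" "$dir/root-ca-cert.pem"
    echo "extracted certificate, key and CA: rc=$?"
    check_client_material "$dir/mongodb-signed-cert.pem" \
        "$dir/ca-key.pem" "$dir/root-ca-cert.pem"
    echo "certificate with the wrong key: rc=$?"
    rm -rf "$dir"
}
run_demo
```

When you then run the s_client test, look for the line "Verify return code: 0 (ok)" in its output: s_client continues past a failed verification of the server certificate unless you add -verify_return_error.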