Test a connection from MongoDB to the KMES Series 3 with the configured TLS certificates by using OpenSSL

To confirm that the MongoDB client certificate enables a successful TLS connection to the KMIP port on the KMES Series 3, you can use OpenSSL. The following instructions depend on whether you used an external CA or a CA on the KMES to issue the MongoDB client certificate.

Externally issued MongoDB client certificate

If you use an externally issued MongoDB client certificate, you need to extract the client certificate and private key from the PKCS #12 file before connecting. You must also get the external CA certificate chain that signed the MongoDB client certificate and save it to a file. The following instructions explain how to extract a signed certificate and private key from a PKCS #12 file and save them to their own files.

Run the following command to extract the private key and signed certificate from the PKCS #12 file and save them in a single PEM file called mongodb_cert_and_privatekey.pem. Note that the -nodes flag specifies that the private key should not be encrypted.

```
openssl pkcs12 -in mongodb.p12 -nodes -out mongodb_cert_and_privatekey.pem
```

After you have the mongodb_cert_and_privatekey.pem file, you can extract the signed certificate and private key into separate files by using the following commands:

```
openssl rsa -in mongodb_cert_and_privatekey.pem -out mongodb_privatekey.pem
openssl x509 -in mongodb_cert_and_privatekey.pem -out mongodb_signed_cert.pem
```

Now, run the following OpenSSL command to test a connection to the KMIP connection pair on the KMES Series 3, replacing <kmes ip> with the IP address of the KMES Series 3 and adjusting the file names as necessary:

```
openssl s_client -connect <kmes ip>:5696 -CAfile external_ca_chain.pem -cert mongodb_signed_cert.pem -key mongodb_privatekey.pem
```

If the TLS handshake is successful, then the certificates were correctly configured on the KMES Series 3.

KMES-issued MongoDB client certificate

If you use a KMES-issued MongoDB client certificate, you need to extract the client certificate and private key from the PKCS #12 file before connecting. You must also get the root CA certificate that signed the MongoDB client certificate and save it to a file. The following instructions explain how to extract a signed certificate and private key from a PKCS #12 file and save them to their own files.

Run the following command to extract the private key and signed certificate from the PKCS #12 file and save them in a single PEM file called mongodb_cert_and_privatekey.pem. Note that the -nodes flag specifies that the private key should not be encrypted.

```
openssl pkcs12 -in mongodb.p12 -nodes -out mongodb_cert_and_privatekey.pem
```

After you have the mongodb_cert_and_privatekey.pem file, you can extract the signed certificate and private key into separate files by using the following commands:

```
openssl rsa -in mongodb_cert_and_privatekey.pem -out mongodb_privatekey.pem
openssl x509 -in mongodb_cert_and_privatekey.pem -out mongodb_signed_cert.pem
```

Now, run the following OpenSSL command to test a connection to the KMES Series 3, replacing <kmes ip> with the IP address of the KMES Series 3 and adjusting the file names as necessary:

```
openssl s_client -connect <kmes ip>:5696 -CAfile root_ca_cert.pem -cert mongodb_signed_cert.pem -key mongodb_privatekey.pem
```

If the TLS handshake is successful, then the certificates were correctly configured on the KMES Series 3.
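The pre-flight checks below are an added example, not part of the original page. They run the page's extraction commands and then confirm that the private key matches the certificate, that the certificate chains to the CA file, and that the unencrypted key is readable only by its owner. The function names, the `P12_PASS` environment variable and the underscore spelling of the file names are assumptions.

```shell
#!/bin/sh
# Added example: function names and P12_PASS are hypothetical, not vendor tooling.

# Extract key and certificate with the page's commands. umask 077 is set because
# -nodes writes the private key unencrypted; the PKCS #12 password is read from
# the P12_PASS environment variable so it does not appear in the process list.
extract_p12() {  # usage: extract_p12 <file.p12> <outdir>
  local p12="$1" out="$2"
  ( umask 077
    openssl pkcs12 -in "$p12" -nodes -passin env:P12_PASS \
      -out "$out/mongodb_cert_and_privatekey.pem" &&
    openssl rsa -in "$out/mongodb_cert_and_privatekey.pem" \
      -out "$out/mongodb_privatekey.pem" &&
    openssl x509 -in "$out/mongodb_cert_and_privatekey.pem" \
      -out "$out/mongodb_signed_cert.pem" )
}

# True when the public key derived from the private key equals the one in the cert.
key_matches_cert() {  # usage: key_matches_cert <key.pem> <cert.pem>
  local k c
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# True when the certificate verifies against the CA file (this also fails on expiry).
chains_to_ca() {  # usage: chains_to_ca <ca.pem> <cert.pem>
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# True when group and other have no permission bits on the key file.
key_is_private() {  # usage: key_is_private <key.pem>
  case "$(ls -ld "$1" 2>/dev/null)" in
    -r[-w]-------*) return 0 ;;
    *) return 1 ;;
  esac
}

# Run every check and report each failure; non-zero if any check fails.
preflight() {  # usage: preflight <outdir> <ca.pem>
  local d="$1" ca="$2" rc=0
  key_matches_cert "$d/mongodb_privatekey.pem" "$d/mongodb_signed_cert.pem" ||
    { echo "FAIL: private key does not match certificate"; rc=1; }
  chains_to_ca "$ca" "$d/mongodb_signed_cert.pem" ||
    { echo "FAIL: certificate does not chain to $ca"; rc=1; }
  key_is_private "$d/mongodb_privatekey.pem" ||
    { echo "FAIL: private key is accessible to group or other"; rc=1; }
  return $rc
}
```

If `preflight` passes and the `s_client` handshake still fails, the extracted files are consistent and the remaining suspects are the network path and the configuration on the KMES Series 3.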