Test a connection from MongoDB to the KMES Series 3 with the configured TLS certificates by using OpenSSL

3min
To confirm that the MongoDB client certificate enables a successful TLS connection to the KMIP port on the KMES Series 3, you can use OpenSSL. The following instructions depend on whether you used an external CA or a CA on the KMES to issue the MongoDB client certificate.
Externally-issued MongoDB client certificate
If you use an externally-issued MongoDB client certificate, you need to extract the client certificate and private key from the PKCS #12 file before connecting. You must also get the external CA certificate chain that signed the MongoDB client certificate and save it to a file.
The following instructions explain how to extract a signed certificate and private key from a PKCS #12 file and save them to their own files:
1
Run the following command to extract the private key and signed certificate from the PKCS #12 file and save them in a single PEM file called mongodb_cert_and_privatekey.pem. Note that the -nodes flag specifies that the private key should not be encrypted.
Shell
openssl pkcs12 -in mongodb.p12 -nodes -out mongodb-cert-and-privatekey.pem
openssl pkcs12 -in mongodb.p12 -nodes -out mongodb-cert-and-privatekey.pem
﻿
2
After you have the mongodb_cert_and_privatekey.pem file, you can extract the signed certificate and private key into separate files by using the following commands:
Shell
openssl rsa -in mongodb-cert-and-privatekey.pem -out mongodb-privatekey.pem
openssl x509 -in mongodb-cert-and-privatekey.pem -out mongodb-signed-cert.pem
openssl rsa -in mongodb-cert-and-privatekey.pem -out mongodb-privatekey.pem
openssl x509 -in mongodb-cert-and-privatekey.pem -out mongodb-signed-cert.pem
﻿
3
Now, run the following OpenSSL command to test a connection to the KMIP connection pair on the KMES Series 3, replacing <KMES-IP> with the IP address of the KMES Series 3 and adjusting the file names as necessary:
Shell
openssl s_client -connect <KMES-IP>:5696 -CAfile external-ca-chain.pem -cert mongodb-signed-cert.pem -key mongodb-privatekey.pem
openssl s_client -connect <KMES-IP>:5696 -CAfile external-ca-chain.pem -cert mongodb-signed-cert.pem -key mongodb-privatekey.pem
﻿
If the TLS handshake is successful, then the certificates were correctly configured on the KMES Series 3.
KMES-issued MongoDB client certificate
If you use a KMES-issued MongoDB client certificate, you need to extract the client certificate and private key from the PKCS #12 file before connecting. You must also get the root CA certificate that signed the MongoDB client certificate and save it to a file.
The following instructions explain how to extract a signed certificate and private key from a PKCS #12 file and save them to their own files:
1
Run the following command to extract the private key and signed certificate from the PKCS #12 file and save them in a single PEM file called mongodb_cert_and_privatekey.pem. Note that the -nodes flag specifies that the private key should not be encrypted.
Shell
openssl pkcs12 -in mongodb.p12 -nodes -out mongodb-cert-and-privatekey.pem
openssl pkcs12 -in mongodb.p12 -nodes -out mongodb-cert-and-privatekey.pem
﻿
2
After you have the mongodb_cert_and_privatekey.pem file, you can extract the signed certificate and private key into separate files by  using the following commands:
Shell
openssl rsa -in mongodb-cert-and-privatekey.pem -out mongodb-privatekey.pem
openssl x509 -in mongodb-cert-and-privatekey.pem -out mongodb-signed-cert.pem
openssl rsa -in mongodb-cert-and-privatekey.pem -out mongodb-privatekey.pem
openssl x509 -in mongodb-cert-and-privatekey.pem -out mongodb-signed-cert.pem
﻿
3
Now, run the following OpenSSL command to test a connection to the KMES Series 3, replacing <KMES-IP> with the IP address of the KMES Series 3 and adjusting the file names as necessary:
Shell
openssl s_client -connect <KMES-IP>:5696 -CAfile root-ca-cert.pem -cert mongodb-signed-cert.pem -key mongodb-privatekey.pem
openssl s_client -connect <KMES-IP>:5696 -CAfile root-ca-cert.pem -cert mongodb-signed-cert.pem -key mongodb-privatekey.pem
﻿
If the TLS handshake is successful, then the certificates were correctly configured on the KMES Series 3.
﻿
Updated 21 Feb 2024
Did this page help you?
Configure KMES Series 3
Configure encryption in MongoDB