@achesco
Last active April 22, 2025 12:17
Generate self-signed SSL certificates for MongoDb server and client

CNs are important!!! Note the -days 3650 validity period.

Make a PEM containing a public key certificate and its associated private key

openssl req -newkey rsa:2048 -new -x509 -days 3650 -nodes -subj '/C=US/ST=Massachusetts/L=Bedford/O=Personal/OU=Personal/[email protected]/CN=localhost' -out mongodb-cert.crt -keyout mongodb-cert.key
cat mongodb-cert.key mongodb-cert.crt > mongodb.pem
cp mongodb-cert.crt mongodb-ca.crt

Edit /etc/mongod.conf, network interfaces section

# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1
  ssl:
    mode: allowSSL
    PEMKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/mongodb-cert.crt

Check for startup config errors

sudo mongod --config /etc/mongod.conf

Restart mongo

sudo service mongod restart

Test-connect

mongo --ssl --sslAllowInvalidHostnames --sslCAFile mongodb-ca.crt --sslPEMKeyFile /etc/ssl/mongodb.pem
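The generate-and-combine steps above, as an added example that is not part of the original gist: a small script that builds mongodb.pem the same way and then pre-flights it before mongod is restarted, so a key-only file (the cause of a "PEM routines::no start line" startup failure) is caught early. It assumes OpenSSL 1.1.1 or newer (for -addext), a host name of localhost, and a working directory given by CERT_DIR.

```shell
#!/bin/sh
# Added example (not the gist's own code): generate the MongoDB server PEM the
# way the gist does, then check the result before restarting mongod.
# Assumptions: OpenSSL >= 1.1.1 (for -addext); host name "localhost".
set -eu

CERT_DIR="${CERT_DIR:-.}"   # assumed output directory; the gist copies files to /etc/ssl

# Generate a self-signed cert + key and combine them into mongodb.pem.
# The CN matters (see the gist); the SAN extension is what modern TLS clients
# actually match against, so it is added here for the host and 127.0.0.1.
gen_mongo_pem() {
  host="${1:-localhost}"
  openssl req -newkey rsa:2048 -new -x509 -days 3650 -nodes \
    -subj "/O=Personal/CN=$host" \
    -addext "subjectAltName=DNS:$host,IP:127.0.0.1" \
    -out "$CERT_DIR/mongodb-cert.crt" -keyout "$CERT_DIR/mongodb-cert.key"
  # PEMKeyFile / certificateKeyFile must hold BOTH the private key and the cert
  cat "$CERT_DIR/mongodb-cert.key" "$CERT_DIR/mongodb-cert.crt" > "$CERT_DIR/mongodb.pem"
  cp "$CERT_DIR/mongodb-cert.crt" "$CERT_DIR/mongodb-ca.crt"
  chmod 600 "$CERT_DIR/mongodb-cert.key" "$CERT_DIR/mongodb.pem"   # key material: owner-only
}

# Pre-flight check for the PEM handed to mongod as PEMKeyFile/certificateKeyFile.
# Returns 0 only if the file holds a private key AND a certificate; a key-only
# file is exactly what produces "PEM routines::no start line" at startup.
check_mongo_pem() {
  pem="$1"
  [ -r "$pem" ] || { echo "unreadable: $pem" >&2; return 1; }
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$pem" || { echo "no private key in $pem" >&2; return 1; }
  grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" || { echo "no certificate in $pem" >&2; return 1; }
  return 0
}

# Usage: sh thisscript.sh generate [hostname]
if [ "${1:-}" = "generate" ]; then
  gen_mongo_pem "${2:-localhost}"
  check_mongo_pem "$CERT_DIR/mongodb.pem" && echo "mongodb.pem OK"
fi
```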

Node.js mongo connection options

{ 
	ssl: true,
	sslValidate: true,
	sslKey: fs.readFileSync('/etc/ssl/mongodb.pem'),
	sslCert: fs.readFileSync('/etc/ssl/mongodb-cert.crt'),
	sslCA: fs.readFileSync('/etc/ssl/mongodb-ca.crt')
}

lukewest commented Jan 25, 2023

This was a lifesaver for me. Too many variables meant I couldn't get this to work even in a basic way.

  1. post 4.3 mongod.conf
net:
  port: 27017
  bindIp: 127.0.0.1
  tls:
    #mode: allowTLS
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/mongodb-cert.crt
  2. test connection
mongosh --tls --host localhost --tlsCertificateKeyFile /etc/ssl/mongodb.pem --tlsCAFile mongodb-ca.crt


todbapi commented Jun 3, 2024

Setting Up MongoDB 4.4.29 with TLS

1. Create a Public Key Certificate and Private Key

Generate a public key certificate and its associated private key using OpenSSL:

openssl req -newkey rsa:2048 -new -x509 -days 3650 -nodes -out mongodb-cert.crt -keyout mongodb-cert.key

2. Create a PEM File

Combine the certificate and key into a single PEM file:

cat mongodb-cert.key mongodb-cert.crt > mongodb.pem

3. Copy Files to /etc/ssl

Move the generated certificate and PEM files to /etc/ssl:

sudo cp mongodb-cert.crt /etc/ssl
sudo cp mongodb.pem /etc/ssl

4. Edit the MongoDB Configuration

Open the MongoDB configuration file for editing:

sudo vim /etc/mongod.conf

Update the configuration to include the TLS/SSL settings:

net:
  port: 27017
  bindIp: localhost
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/mongodb-cert.crt

Test Connection

Test the connection with mongosh:

mongosh --tls --host localhost --tlsCertificateKeyFile /etc/ssl/mongodb.pem --tlsCAFile /etc/ssl/mongodb-cert.crt


guiyumin commented Jul 18, 2024

I just realized that if you set tlsAllowInvalidCertificates to true, you don't need an SSL cert or PEM.


supersophie commented Jan 23, 2025

This does NOT work. I have been at this for three weeks.

# openssl req -newkey rsa:2048 -new -x509 -days 3650 -nodes -subj '/C=EU/ST=Belgium/L=Brussels/O=Cat-dog/OU=Infrastructure/[email protected]/CN=xxxx.xx.xx -out mongodb.crt -keyout mongodb.key
.....+....+..+.+++++++++++++++++++++++++++++++++++++++*......+..........+...+.....+.+..+............+............+++++++++++++++++++++++++++++++++++++++*.........+.....+....+..+.+..+.............+...+......+...+.....+......+.+...+...................................+.......+.........+.....+.+........+.......+.....+......+....++++++
.....+......+...+.+..............+.+......+...+...+..+++++++++++++++++++++++++++++++++++++++*.+......+...+..+...................+...+..................+.....+...+....+++++++++++++++++++++++++++++++++++++++*...++++++
tls:
  mode: allowTLS
  certificateKeyFile: /etc/pki/tls/private/ mongodb.key
  CAFile: /etc/pki/tls/certs/mongodb.crt
# systemctl  restart mongod
{"t":{"$date":"2025-01-23T11:11:57.777+01:00"},"s":"I",  "c":"CONTROL",  "id":20698,   "ctx":"-","msg":"***** SERVER RESTARTED *****"}
{"t":{"$date":"2025-01-23T11:11:57.781+01:00"},"s":"E",  "c":"NETWORK",  "id":23248,   "ctx":"-","msg":"Cannot read certificate file","attr":{"keyFile":"/etc/pki/tls/private/mongodb.key","error":"error:0480006C:PEM routines::no start line"}}
{"t":{"$date":"2025-01-23T11:11:57.781+01:00"},"s":"F",  "c":"CONTROL",  "id":20574,   "ctx":"-","msg":"Error during global initialization","attr":{"error":{"code":140,"codeName":"InvalidSSLConfiguration","errmsg":"Can not set up PEM key file."}}}


codersyacht commented Apr 22, 2025

@todbapi @achesco
While using mongosh, you are passing both pem and crt. Why are we passing the file containing the private key? Should not the client use just the public key?
In my client application I only have provision to provide public key.
