Forked from mostafizpantheon/self-signed-ssl-mongo.sh
Created
October 25, 2021 15:20
Self-signed SSL Certificate with OpenSSL on MacOS | MongoDB
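# Build a private CA, issue a MongoDB server certificate and a client
# certificate from it, then connect with the legacy mongo shell over TLS.
# Each `openssl req -new` prompts interactively for the subject fields.

# The private keys below are written unencrypted, so create every file
# readable by the current user only. Hand ownership of mongod.pem to the
# account that runs mongod when deploying it.
umask 077

# --- Certificate authority ---
openssl genrsa -out CAroot.key 2048
openssl req -new -key CAroot.key -out CAroot.csr # CN should be different from the certificates below
openssl req -x509 -sha256 -days 1825 -key CAroot.key -in CAroot.csr -out CAroot.crt
# CAroot.pem is the trust anchor given to mongod and to every client via
# --sslCAFile, so it must hold the certificate only. Bundling CAroot.key into
# it would let anyone holding the file mint certificates this deployment
# trusts. The signing key stays in CAroot.key and is passed through -CAkey.
cp CAroot.crt CAroot.pem

# --- Server certificate (mongod) ---
# NOTE: `x509 -req` does not copy extensions from the CSR by default, so the
# issued certificates carry no subjectAltName. Clients that verify the host
# name against SAN rather than CN need one supplied through -extfile.
openssl genrsa -out mongod.key 2048
openssl req -new -key mongod.key -out mongod.csr
openssl x509 -req -sha256 -days 1825 -in mongod.csr -CA CAroot.pem -CAkey CAroot.key -CAcreateserial -out mongod.crt
# mongod expects certificate and private key in one PEM file.
cat mongod.crt mongod.key > mongod.pem

# --- Client certificate ---
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr
openssl x509 -req -sha256 -days 1825 -in client.csr -CA CAroot.pem -CAkey CAroot.key -CAcreateserial -out client.crt
cat client.crt client.key > client.pem

# --- Connect ---
# -p is given last and without a value so the shell prompts for the password;
# a password on the command line ends up in shell history and in the process
# list. Newer MongoDB releases name these options --tls, --tlsCAFile and
# --tlsCertificateKeyFile.
mongo --ssl --sslCAFile CAroot.pem --sslPEMKeyFile client.pem --authenticationDatabase production -u user --host mongo.host --port 27018 -p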
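# Generate a passphrase-protected RSA key and a one-year self-signed
# certificate for it, then confirm the certificate is signed with SHA-256.

# install new OpenSSL
# NOTE: Homebrew installs openssl keg-only, so the `openssl` found on PATH may
# still be the system build; check with `openssl version`.
brew install openssl

# Keep the key and derived files readable by the current user only.
umask 077

# generate private key and enter pass phrase
# The key is encrypted with AES-256 rather than the legacy 3DES (-des3).
openssl genrsa -aes256 -out private_key.pem 2048
# create certificate signing request, enter "*.example.com" as a "Common Name", leave "challenge password" blank
openssl req -new -sha256 -key private_key.pem -out server.csr
# generate self-signed certificate for 1 year
openssl req -x509 -sha256 -days 365 -key private_key.pem -in server.csr -out server.pem
# validate the certificate
# Inspect the issued certificate (server.pem), not the CSR: the CSR's signature
# algorithm says nothing about what the certificate was signed with. An
# explicit if/else keeps the failure message from also firing when only the
# success echo fails.
if openssl x509 -in server.pem -text -noout | grep -i "Signature.*SHA256"; then
  echo "All is well"
else
  echo "This certificate doesn't work in 2017! You must update OpenSSL to generate a widely-compatible certificate"
fi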