Skip to content

Instantly share code, notes, and snippets.

@achesco

achesco/generate-mongo-ssl.md

Last active July 1, 2025 16:19
Show Gist options
  • Save achesco/b7cf9c0c93186c4a7362fb4832c866c0 to your computer and use it in GitHub Desktop.
Save achesco/b7cf9c0c93186c4a7362fb4832c866c0 to your computer and use it in GitHub Desktop.
Download ZIP
Generate self-signed SSL certificates for MongoDb server and client
Raw
generate-mongo-ssl.md

CNs are important!!! -days 3650

Make PEM containig a public key certificate and its associated private key

openssl req -newkey rsa:2048 -new -x509 -days 3650 -nodes -subj '/C=US/ST=Massachusetts/L=Bedford/O=Personal/OU=Personal/[email protected]/CN=localhost' -out mongodb-cert.crt -keyout mongodb-cert.key
cat mongodb-cert.key mongodb-cert.crt > mongodb.pem
cp mongodb-cert.crt mongodb-ca.crt

Edit /etc/mongod.conf, network interfaces section

# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1
  ssl:
    mode: allowSSL
    PEMKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/mongodb-cert.crt

Check for startup config errors

sudo mongod --config /etc/mongod.conf

Restart mongo

sudo service mongod restart

Test-connect

mongo --ssl --sslAllowInvalidHostnames --sslCAFile mongodb-ca.crt --sslPEMKeyFile /etc/ssl/mongodb.pem

NodeJs, mongo connection options

{ 
	ssl: true,
	sslValidate: true,
	sslKey: fs.readFileSync('/etc/ssl/mongodb.pem'),
	sslCert: fs.readFileSync('/etc/ssl/mongodb-cert.crt'),
	sslCA: fs.readFileSync('/etc/ssl/mongodb-ca.crt')
}
@todbapi
Copy link

todbapi commented Jun 3, 2024
edited
Loading

Setting Up MongoDB 4.4.29 with TLS

1. Create a Public Key Certificate and Private Key

Generate a public key certificate and its associated private key using OpenSSL:

openssl req -newkey rsa:2048 -new -x509 -days 3650 -nodes -out mongodb-cert.crt -keyout mongodb-cert.key

2. Create a PEM File

Combine the certificate and key into a single PEM file:

cat mongodb-cert.key mongodb-cert.crt > mongodb.pem

3. Copy Files to /etc/ssl

Move the generated certificate and PEM files to /etc/ssl:

sudo cp mongodb-cert.crt /etc/ssl
sudo cp mongodb.pem /etc/ssl

4. Edit the MongoDB Configuration

Open the MongoDB configuration file for editing:

sudo vim /etc/mongod.conf

Update the configuration to include the TLS/SSL settings:

net:
  port: 27017
  bindIp: localhost
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/mongodb-cert.crt

Test Connection

Test connection by mongosh

mongosh --tls --host localhost --tlsCertificateKeyFile /etc/ssl/mongodb.pem --tlsCAFile /etc/ssl/mongodb-cert.crt

@guiyumin
Copy link

guiyumin commented Jul 18, 2024
edited
Loading

I just realized that if you set tlsAllowInvalidCertificates to be true, and you don't need a ssl cert or pem.

@supersophie
Copy link

supersophie commented Jan 23, 2025
edited
Loading

This does NOT work. I have been at this for three weeks.

# openssl req -newkey rsa:2048 -new -x509 -days 3650 -nodes -subj '/C=EU/ST=Belgium/L=Brussels/O=Cat-dog/OU=Infrastructure/[email protected]/CN=xxxx.xx.xx -out mongodb.crt -keyout mongodb.key
.....+....+..+.+++++++++++++++++++++++++++++++++++++++*......+..........+...+.....+.+..+............+............+++++++++++++++++++++++++++++++++++++++*.........+.....+....+..+.+..+.............+...+......+...+.....+......+.+...+...................................+.......+.........+.....+.+........+.......+.....+......+....++++++
.....+......+...+.+..............+.+......+...+...+..+++++++++++++++++++++++++++++++++++++++*.+......+...+..+...................+...+..................+.....+...+....+++++++++++++++++++++++++++++++++++++++*...++++++

tls:
  mode: allowTLS
  certificateKeyFile: /etc/pki/tls/private/ mongodb.key
  CAFile: /etc/pki/tls/certs/mongodb.crt

# systemctl  restart mongod
{"t":{"$date":"2025-01-23T11:11:57.777+01:00"},"s":"I",  "c":"CONTROL",  "id":20698,   "ctx":"-","msg":"***** SERVER RESTARTED *****"}
{"t":{"$date":"2025-01-23T11:11:57.781+01:00"},"s":"E",  "c":"NETWORK",  "id":23248,   "ctx":"-","msg":"Cannot read certificate file","attr":{"keyFile":"/etc/pki/tls/private/mongodb.key","error":"error:0480006C:PEM routines::no start line"}}
{"t":{"$date":"2025-01-23T11:11:57.781+01:00"},"s":"F",  "c":"CONTROL",  "id":20574,   "ctx":"-","msg":"Error during global initialization","attr":{"error":{"code":140,"codeName":"InvalidSSLConfiguration","errmsg":"Can not set up PEM key file."}}}

@codersyacht
Copy link

codersyacht commented Apr 22, 2025
edited
Loading

@todbapi @achesco
While using mongosh, you are passing both pem and crt. Why are we passing the file containing the private key? Should not the client use just the public key?
In my client application I only have provision to provide public key.

@lawyerj
Copy link

lawyerj commented Apr 30, 2025
edited
Loading

@supersophie If you're copying certificates into the combined file, make sure it starts like this "-----BEGIN" instead of "----BEGIN" (basically count the dashes to verify 5 as the count).

Also, wherever your socket file is stored...make sure its owned by mongodb instead of root

@guiyumin allowConnectionsWithoutCertificates: true ... seems to work instead

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment