Script to create self-signed CA certificates, server certificates, and client certificates for testing MongoDB with SSL
#!/bin/sh
set -e
# Generate self signed root CA cert
openssl req -nodes -x509 -newkey rsa:2048 -keyout ca.key -out ca.crt -subj "/C=AU/ST=NSW/L=Sydney/O=MongoDB/OU=root/CN=$(hostname -f)/emailAddress=kevinadi@mongodb.com"
# Generate server cert to be signed
openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj "/C=AU/ST=NSW/L=Sydney/O=MongoDB/OU=server/CN=$(hostname -f)/emailAddress=kevinadi@mongodb.com"
# Sign the server cert (without -days, openssl x509 -req issues a certificate valid for 30 days)
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
# Create server PEM file (private key and certificate in one file, as --sslPEMKeyFile expects)
cat server.key server.crt > server.pem
# Generate client cert to be signed
openssl req -nodes -newkey rsa:2048 -keyout client.key -out client.csr -subj "/C=AU/ST=NSW/L=Sydney/O=MongoDB/OU=client/CN=$(hostname -f)/emailAddress=kevinadi@mongodb.com"
# Sign the client cert (reuses the ca.srl serial file created when signing the server cert)
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAserial ca.srl -out client.crt
# Create client PEM file
cat client.key client.crt > client.pem
# Create client PFX file (for Java, C#, etc)
# openssl pkcs12 -inkey client.key -in client.crt -export -out client.pfx
# Start mongod with SSL
# mkdir -p data/db
# mongod --sslMode requireSSL --sslPEMKeyFile server.pem --sslCAFile ca.crt --dbpath data/db --logpath data/mongod.log --fork
# Connect to mongod with SSL
# mongo --ssl --sslCAFile ca.crt --sslPEMKeyFile client.pem --host $(hostname -f)
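A check worth running before pointing mongod at the files the script produces: does the certificate in the PEM actually chain to the ca.crt you will pass as --sslCAFile, and do the key and certificate you concatenated belong together? The following is an added example, not part of the gist; it rebuilds a throwaway CA and server PEM with the same openssl steps (an explicit -days and a CN parameter replace the defaults) and assumes only that openssl is on PATH.

```shell
#!/bin/sh
# Added example (not part of the gist): build a throwaway CA + server PEM the way the
# script above does, then verify the PEM before handing it to mongod. Assumes openssl on PATH.
set -eu

# make_test_pki DIR CN: same steps as the gist, with an explicit validity instead of the
# 30-day default of "openssl x509 -req" and a CN passed in instead of $(hostname -f).
make_test_pki() {
  pki_dir=$1; pki_cn=$2
  mkdir -p "$pki_dir"
  openssl req -nodes -x509 -newkey rsa:2048 -days 365 -keyout "$pki_dir/ca.key" \
    -out "$pki_dir/ca.crt" -subj "/O=TestOrg/OU=root/CN=$pki_cn" >/dev/null 2>&1
  openssl req -nodes -newkey rsa:2048 -keyout "$pki_dir/server.key" \
    -out "$pki_dir/server.csr" -subj "/O=TestOrg/OU=server/CN=$pki_cn" >/dev/null 2>&1
  openssl x509 -req -days 365 -in "$pki_dir/server.csr" -CA "$pki_dir/ca.crt" \
    -CAkey "$pki_dir/ca.key" -CAcreateserial -out "$pki_dir/server.crt" >/dev/null 2>&1
  cat "$pki_dir/server.key" "$pki_dir/server.crt" > "$pki_dir/server.pem"
}

# verify_mongo_pem CA_CRT PEM: returns 0 if PEM is usable with that CA file,
# 1 if the certificate does not chain to the CA, 2 if key and certificate do not match.
verify_mongo_pem() {
  v_ca=$1; v_pem=$2
  # 1. The certificate inside the PEM must chain to the CA given as --sslCAFile.
  #    "openssl x509" picks the CERTIFICATE block out of the key+cert file; verify reads stdin.
  openssl x509 -in "$v_pem" 2>/dev/null | openssl verify -CAfile "$v_ca" >/dev/null 2>&1 \
    || { echo "chain check failed: $v_pem does not verify against $v_ca" >&2; return 1; }
  # 2. The private key and the certificate concatenated into the PEM must belong together:
  #    compare the public key derived from each.
  v_keypub=$(openssl pkey -in "$v_pem" -pubout 2>/dev/null || true)
  v_certpub=$(openssl x509 -in "$v_pem" -pubkey -noout 2>/dev/null || true)
  [ -n "$v_keypub" ] && [ "$v_keypub" = "$v_certpub" ] \
    || { echo "key/cert mismatch in $v_pem" >&2; return 2; }
  # 3. Show what a connecting client will see, so the expiry is known before testing.
  openssl x509 -in "$v_pem" -noout -subject -enddate
}
```

Running `verify_mongo_pem ca.crt server.pem` (and the same for client.pem) against the files from the script above reports the subject and notAfter date on success and a non-zero status for a PEM that was built from the wrong key or signed by a different CA.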
ghost commented Jun 14, 2019

This script answers many questions for me. Thanks so much for sharing it!

MrMMorris commented Sep 8, 2019

Where does the cert.pem come from in --sslPEMKeyFile cert.pem? Is it supposed to be server.pem?

kevinadi commented Sep 10, 2019

@MrMMorris yes it's supposed to be server.pem. Thanks for noticing this. I have updated the gist.

usaamahahmed101 commented Sep 10, 2019

Do you need to create the client file from where you want the client to connect from (i.e., app server)? Or does it need to be created on the mongod server itself and copied over to the app server? What is the proper way for remote clients to connect?

Also - how would this work for a replica set?

kevinadi commented Sep 10, 2019

Do you need to create the client file from where you want the client to connect from (i.e., app server)? Or does it need to be created on the mongod server itself and copied over to the app server? What is the proper way for remote clients to connect?

Also - how would this work for a replica set?

It's up to you since this is for testing purposes only and the script only serves to illustrate how you can test MongoDB using SSL and how those mongod parameters are used. I don't recommend using the certificates here for actual production deployment without consulting a security expert.

For a replica set, it's a separate thing altogether. See Use x.509 Certificate for Membership Authentication.
