Skip to content

Instantly share code, notes, and snippets.

@achesco

achesco/generate-mongo-ssl.md

Last active July 1, 2025 16:19
Show Gist options
  • Save achesco/b7cf9c0c93186c4a7362fb4832c866c0 to your computer and use it in GitHub Desktop.
Save achesco/b7cf9c0c93186c4a7362fb4832c866c0 to your computer and use it in GitHub Desktop.
Download ZIP
Generate self-signed SSL certificates for MongoDb server and client
Raw
generate-mongo-ssl.md

CNs are important!!! -days 3650

Make PEM containig a public key certificate and its associated private key

openssl req -newkey rsa:2048 -new -x509 -days 3650 -nodes -subj '/C=US/ST=Massachusetts/L=Bedford/O=Personal/OU=Personal/[email protected]/CN=localhost' -out mongodb-cert.crt -keyout mongodb-cert.key
cat mongodb-cert.key mongodb-cert.crt > mongodb.pem
cp mongodb-cert.crt mongodb-ca.crt

Edit /etc/mongod.conf, network interfaces section

# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1
  ssl:
    mode: allowSSL
    PEMKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/mongodb-cert.crt

Check for startup config errors

sudo mongod --config /etc/mongod.conf

Restart mongo

sudo service mongod restart

Test-connect

mongo --ssl --sslAllowInvalidHostnames --sslCAFile mongodb-ca.crt --sslPEMKeyFile /etc/ssl/mongodb.pem

NodeJs, mongo connection options

{ 
	ssl: true,
	sslValidate: true,
	sslKey: fs.readFileSync('/etc/ssl/mongodb.pem'),
	sslCert: fs.readFileSync('/etc/ssl/mongodb-cert.crt'),
	sslCA: fs.readFileSync('/etc/ssl/mongodb-ca.crt')
}
@codersyacht
Copy link

codersyacht commented Apr 22, 2025
edited
Loading

@todbapi @achesco
While using mongosh, you are passing both pem and crt. Why are we passing the file containing the private key? Should not the client use just the public key?
In my client application I only have provision to provide public key.

@lawyerj
Copy link

lawyerj commented Apr 30, 2025
edited
Loading

@supersophie If you're copying certificates into the combined file, make sure it starts like this "-----BEGIN" instead of "----BEGIN" (basically count the dashes to verify 5 as the count).

Also, wherever your socket file is stored...make sure its owned by mongodb instead of root

@guiyumin allowConnectionsWithoutCertificates: true ... seems to work instead

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment