Last active
          October 5, 2025 05:48 
        
    Self-signed SSL Certificate with OpenSSL on MacOS | MongoDB
  
        
  
    
    
  
  
    
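  # Build a private CA, then a server (mongod) and a client certificate signed by it.
# Each "openssl req -new" prompts interactively for the subject fields.

# None of the keys below is passphrase-protected, so file permissions are the only
# barrier: create everything owner-only. If mongod runs under another account,
# hand mongod.pem to that account explicitly instead of loosening the mode.
umask 077

# --- Certificate authority ---
openssl genrsa -out CAroot.key 2048
openssl req -new -sha256 -key CAroot.key -out CAroot.csr # CN should be different from the certificates below
openssl req -x509 -sha256 -days 1825 -key CAroot.key -in CAroot.csr -out CAroot.crt
# CAroot.pem is the trust anchor given to mongod and to every client (--sslCAFile).
# It must contain the certificate only: appending CAroot.key would let anyone who
# receives this file issue certificates the deployment trusts.
cp CAroot.crt CAroot.pem

# --- Server certificate for mongod ---
# The subject has to name the host that clients connect to (mongo.host below).
# NOTE(review): hostname checks in current TLS clients rely on subjectAltName, and
# "openssl x509 -req" does not carry CSR extensions over on its own; supply them
# with -extfile if a client rejects the certificate - confirm for your versions.
openssl genrsa -out mongod.key 2048
openssl req -new -sha256 -key mongod.key -out mongod.csr
openssl x509 -req -sha256 -days 1825 -in mongod.csr -CA CAroot.pem -CAkey CAroot.key -CAcreateserial -out mongod.crt
# Certificate plus private key in one PEM file; it stays on the server.
cat mongod.crt mongod.key > mongod.pem

# --- Client certificate ---
openssl genrsa -out client.key 2048
openssl req -new -sha256 -key client.key -out client.csr
openssl x509 -req -sha256 -days 1825 -in client.csr -CA CAroot.pem -CAkey CAroot.key -CAcreateserial -out client.crt
# Certificate plus private key in one PEM file; it stays with that client.
cat client.crt client.key > client.pem

# --- Connect ---
# -p comes last and has no value so the shell prompts for the password; a password
# typed on the command line ends up in shell history and in the process list.
mongo --ssl --sslCAFile CAroot.pem --sslPEMKeyFile client.pem --authenticationDatabase production -u user --host mongo.host --port 27018 -p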
  
    
    
  
  
    
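  # Create a passphrase-protected RSA key and a self-signed SHA-256 certificate on macOS.

# Keep the generated key and certificate files owner-only.
umask 077

# install new OpenSSL
# NOTE(review): Homebrew's openssl is keg-only, so a bare "openssl" may still resolve
# to the system build; check "openssl version", or call
# "$(brew --prefix openssl)/bin/openssl" - confirm on your machine.
brew install openssl
# generate private key and enter pass phrase (the key is encrypted with AES-256 rather than legacy 3DES)
openssl genrsa -aes256 -out private_key.pem 2048
# create certificate signing request, enter "*.example.com" as a "Common Name", leave "challenge password" blank
openssl req -new -sha256 -key private_key.pem -out server.csr
# generate self-signed certificate for 1 year
openssl req -x509 -sha256 -days 365 -key private_key.pem -in server.csr -out server.pem
# validate the certificate: inspect server.pem itself, since the CSR's signature
# says nothing about the digest used for the issued certificate
if openssl x509 -in server.pem -text -noout | grep -i "Signature.*SHA256"; then
  echo "All is well"
else
  echo "This certificate doesn't work in 2017! You must update OpenSSL to generate a widely-compatible certificate"
fi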
  