Generate self-signed SSL certificates for MongoDb server and client

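CNs are important! The CN must match the hostname that clients connect to. -days 3650 sets the certificate lifetime to 3650 days.

Make a PEM containing a public key certificate and its associated private key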

openssl req -newkey rsa:2048 -new -x509 -days 3650 -nodes -subj '/C=US/ST=Massachusetts/L=Bedford/O=Personal/OU=Personal/[email protected]/CN=localhost' -out mongodb-cert.crt -keyout mongodb-cert.key
cat mongodb-cert.key mongodb-cert.crt > mongodb.pem
cp mongodb-cert.crt mongodb-ca.crt

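Edit /etc/mongod.conf, network interfaces section

The paths below assume the generated files have been copied to /etc/ssl. Mode allowSSL accepts both TLS and non-TLS connections; requireSSL makes mongod reject unencrypted clients.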

# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1
  ssl:
    mode: allowSSL
    PEMKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/mongodb-cert.crt

Check for startup config errors

sudo mongod --config /etc/mongod.conf

Restart mongo

sudo service mongod restart

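Test-connect

--sslAllowInvalidHostnames turns off the hostname check on the server certificate; drop it once the CN matches the host you connect to.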

mongo --ssl --sslAllowInvalidHostnames --sslCAFile mongodb-ca.crt --sslPEMKeyFile /etc/ssl/mongodb.pem
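
Before pointing mongod or a client at these files, the bundle can be checked offline. The script below is an added example, not part of the original gist; the function names make_pem and check_pem and the bare /CN= subject are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added example: sanity-check a MongoDB PEM bundle before mongod loads it.

# make_pem <dir> <cn>: build the bundle the way the gist does.
# The bare /CN=<cn> subject is a constructed sample value.
make_pem() {
  openssl req -newkey rsa:2048 -x509 -days 3650 -nodes -subj "/CN=$2" \
    -out "$1/mongodb-cert.crt" -keyout "$1/mongodb-cert.key" 2>/dev/null &&
  cat "$1/mongodb-cert.key" "$1/mongodb-cert.crt" > "$1/mongodb.pem" &&
  cp "$1/mongodb-cert.crt" "$1/mongodb-ca.crt" &&
  chmod 600 "$1/mongodb-cert.key" "$1/mongodb.pem"  # key readable by owner only
}

# check_pem <pem> <ca> <host>: prints "ok" or the first failed check.
check_pem() {
  local pem=$1 ca=$2 host=$3 key_pub cert_pub
  # 1. The bundle holds a private key and a certificate that belong together.
  key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) ||
    { echo "no private key in bundle"; return 1; }
  cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) ||
    { echo "no certificate in bundle"; return 1; }
  [ "$key_pub" = "$cert_pub" ] ||
    { echo "private key does not match certificate"; return 1; }
  # 2. The certificate verifies against the CA file handed to clients.
  openssl x509 -in "$pem" | openssl verify -CAfile "$ca" >/dev/null 2>&1 ||
    { echo "certificate does not verify against CA file"; return 1; }
  # 3. The certificate has not expired.
  openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1 ||
    { echo "certificate has expired"; return 1; }
  # 4. The name clients connect to is covered by the CN (or a SAN).
  openssl x509 -in "$pem" -noout -checkhost "$host" 2>/dev/null |
    grep -q "does match" ||
    { echo "hostname $host not covered by certificate"; return 1; }
  echo "ok"
}

# Demo run in a throwaway directory.
demo_dir=$(mktemp -d)
make_pem "$demo_dir" localhost
check_pem "$demo_dir/mongodb.pem" "$demo_dir/mongodb-ca.crt" localhost
rm -rf "$demo_dir"
```

A failing hostname check here is the case that --sslAllowInvalidHostnames would otherwise hide on the client side.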

Node.js, mongo connection options

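const fs = require('fs');

// TLS options passed to the MongoDB driver when connecting
const options = {
	ssl: true,
	sslValidate: true, // verify the server certificate against sslCA
	sslKey: fs.readFileSync('/etc/ssl/mongodb.pem'), // bundle holding the private key
	sslCert: fs.readFileSync('/etc/ssl/mongodb-cert.crt'),
	sslCA: fs.readFileSync('/etc/ssl/mongodb-ca.crt')
};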