Mongodb self-signed SSL certificates

Prerequisites

Install the OpenSSL toolkit. You can check if it is already installed using the following command:
$ openssl version
OpenSSL 0.9.8zh 14 Jan 2016

Creating a root CA certificate

  1. Generate the root CA key. You will use this to sign all issued certificates.
    openssl genrsa -out rootCA.key 2048
    
  2. Generate the self-signed root CA certificate, specifying the number of days (-days) the certificate is valid for:
    openssl req -x509 -new -nodes -key rootCA.key -days 365 -out rootCA.crt
    
  3. Copy the root CA certificate to all machines that communicate with services using SSL certificates generated by this root certificate. Typically, you want to install this on all of the servers on your internal network.

Creating SSL certificates

After you have created the root CA certificate, you can use it to create SSL certificates for each MongoDB server.
  1. Create a host key and certificate signing request (CSR) using the following command:
    openssl req -new -newkey rsa:2048 -keyout host.key -out host.csr
    
    When prompted for the Common Name (CN), use the fully qualified domain name (FQDN), hostname, or IP address of the machine where you are putting the host.csr file. For example, if you added the server to a replica set using rs.add('node1.beagles.com'), you would set the Common Name to node1.beagles.com.
    The Common Name must match the value you use to connect to that machine. For example, if you use an IP address in the connection string but the SSL certificate is expecting node1.beagles.com, the mongod process cannot validate the SSL certificate.
    If you want to use multiple values for the same server, you can add them using the Subject Alternative Name (SAN) field.
  2. Create a signed SSL certificate using the root CA certificate and the previously generated key, specifying the number of days (-days) the certificate is valid for:
    openssl x509 -req -in host.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out host.pem -days 365
    
  3. The SSL certificate is available in PEM format as host.pem. You can confirm its contents using the following command:
    openssl x509 -in host.pem -text
    
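The two procedures above run end to end without prompts, with the SAN actually carried into the signed certificate and a chain/hostname check at the end, as an added example that is not part of the original page. The CA name, the host name node1.beagles.com (from the text above) and the IP 10.0.0.5 are placeholders.

```shell
#!/bin/sh
# Added example: non-interactive version of the steps above plus verification.
# Works in a fresh temporary directory so nothing on the host is overwritten.
set -eu
cd "$(mktemp -d)"

make_certs() {
  host="$1"        # name used in rs.add() and in connection strings (placeholder)
  ip="$2"          # IP clients may also use to connect (placeholder)
  days="${3:-365}"

  # Root CA key and self-signed root certificate (steps 1-2, "Creating a root CA certificate").
  openssl genrsa -out rootCA.key 2048 2>/dev/null
  openssl req -x509 -new -nodes -key rootCA.key -days "$days" \
    -subj "/CN=Example Internal Root CA" -out rootCA.crt

  # Host key and CSR; the CN is the value clients connect with (step 1, "Creating SSL certificates").
  openssl req -new -newkey rsa:2048 -nodes -keyout host.key \
    -subj "/CN=$host" -out host.csr 2>/dev/null

  # 'openssl x509 -req' does not copy extensions from the CSR, so a SAN typed into the
  # CSR is silently dropped unless it is supplied again at signing time via -extfile.
  printf 'subjectAltName=DNS:%s,IP:%s\n' "$host" "$ip" > host.ext
  openssl x509 -req -in host.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial \
    -extfile host.ext -out host.pem -days "$days" 2>/dev/null
}

# Succeeds only if host.pem chains to rootCA.crt AND its SAN/CN matches the given name,
# i.e. the check a client performs before trusting the server.
verify_cert() {
  openssl verify -CAfile rootCA.crt -verify_hostname "$1" host.pem >/dev/null 2>&1
}

# Same check for clients that connect by IP address.
verify_ip() {
  openssl verify -CAfile rootCA.crt -verify_ip "$1" host.pem >/dev/null 2>&1
}

make_certs node1.beagles.com 10.0.0.5 365
verify_cert node1.beagles.com && echo "host.pem verifies for node1.beagles.com"
verify_ip 10.0.0.5 && echo "host.pem verifies for 10.0.0.5"
```

A name that is not in the certificate (for example node2.beagles.com) makes verify_cert fail, which is exactly the mismatch the text warns about.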

Distributing files

You can distribute public certificate files (*.crt) as required for validation purposes. In practice, you generally only need to share the root CA certificate (rootCA.crt), as server and client certificates are presented by their respective owners when a connection is established.
The private key files (*.key) contain the secrets that provide security. Restrict distribution of these files, and never distribute a root CA key file. Server and client key files should exist only on the hosts that use them. For example, a server key file should only exist on the server that uses the associated certificate.
Important
By operating your own CA, you take on the responsibility of ensuring the secrecy of the CA key, along with managing the rest of the chain. Consider whether this responsibility outweighs the cost of purchasing third-party certificates.
