TLS Certificates and Secure Communication

How to generate TLS certificates for MongoDB server and client communication.

This page explains how to generate TLS certificates for secure communication in MongoDB deployments. It covers both server and client certificates, for use in TLS encryption only — not for mutual (X.509) authentication.

Prerequisites

OpenSSL installed
A working directory such as /tmp/mongo_tls
A custom Certificate Authority (CA) to sign certificates

1. Create a Certificate Authority (CA)

This CA will sign all server and client certificates.

mkdir -p /tmp/mongo_tls
cd /tmp/mongo_tls

# Generate CA key
openssl genrsa -out ca.key.pem 4096

# Generate CA certificate
openssl req -x509 -new -nodes -key ca.key.pem -sha256 -days 3650 -out ca.cert.pem -subj "/C=CH/L=Zurich/O=MongoCA/CN=mongodb.local.ca"

2. Generate a Server Certificate (for TLS communication)

This certificate is used by the MongoDB server to secure incoming connections.

# Create server private key
openssl genrsa -out server.key.pem 4096

# Create a certificate signing request (CSR)
openssl req -new -key server.key.pem -out server.csr.pem -subj "/C=CH/L=Zurich/O=MongoDB/CN=mongodb-server"

# Create an extensions file for server authentication
cat > server.ext <<EOF
[ v3_req ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = localhost
IP.1 = 127.0.0.1
EOF

# Sign the server certificate with the CA
openssl x509 -req -in server.csr.pem -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out server.cert.pem -days 365 -sha256 -extfile server.ext -extensions v3_req

3. Generate a Client Certificate (for TLS communication)

This certificate allows clients (e.g. mongosh) to use encrypted communication.

# Create client private key
openssl genrsa -out client.key.pem 4096

# Create a certificate signing request (CSR)
openssl req -new -key client.key.pem -out client.csr.pem -subj "/C=CH/L=Zurich/O=MongoClient/CN=mongodb-client"

# Create an extensions file for client authentication
cat > client.ext <<EOF
[ v3_req ]
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# Sign the client certificate with the CA
openssl x509 -req -in client.csr.pem -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out client.cert.pem -days 365 -sha256 -extfile client.ext

4. Combine PEM Files

MongoDB expects the certificate and private key in the same file:

cat server.cert.pem server.key.pem > server.pem
cat client.cert.pem client.key.pem > client.pem

5. Change MongoDB configuration

Move the three files to the $MONGO_BASE/admin/$MONGO_INSTANCE/secret directory.

mv /tmp/mongo_tls/ca.cert.pem /u01/app/mongodb/admin/mdb01/secret
mv /tmp/mongo_tls/server.pem /u01/app/mongodb/admin/mdb01/secret
mv /tmp/mongo_tls/client.pem /u01/app/mongodb/admin/mdb01/secret

Add the net.tls section to your configuration file.

net:
  tls:
    mode: requireTLS
    certificateKeyFile: /u01/app/mongodb/admin/mdb01/secret/server.pem
    CAFile: /u01/app/mongodb/admin/mdb01/secret/ca.cert.pem

mongosh connection:

mongosh "mongodb://localhost:27017/?tls=true&tlsCertificateKeyFile=/u01/app/mongodb/admin/mdb01/secret/client.pem&tlsCAFile=/u01/app/mongodb/admin/mdb01/secret/ca.cert.pem"

Automated Script Example

tls_cert_generation.sh

#!/bin/bash

set -e

WORKDIR="/tmp/mongo_tls"
mkdir -p "$WORKDIR"
cd "$WORKDIR"

# 1. CA
openssl genrsa -out ca.key.pem 4096
openssl req -x509 -new -nodes -key ca.key.pem -sha256 -days 3650 -out ca.cert.pem -subj "/C=CH/L=Zurich/O=MongoCA/CN=mongodb.local.ca"

# 2. Server Certificate
openssl genrsa -out server.key.pem 4096
openssl req -new -key server.key.pem -out server.csr.pem -subj "/C=CH/L=Zurich/O=MongoDB/CN=mongodb-server"
cat > server.ext <<EOF
[ v3_req ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = localhost
IP.1 = 127.0.0.1
EOF
openssl x509 -req -in server.csr.pem -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out server.cert.pem -days 365 -sha256 -extfile server.ext -extensions v3_req
cat server.cert.pem server.key.pem > server.pem

# 3. Client Certificate
openssl genrsa -out client.key.pem 4096
openssl req -new -key client.key.pem -out client.csr.pem -subj "/C=CH/L=Zurich/O=MongoClient/CN=mongodb-client"
cat > client.ext <<EOF
[ v3_req ]
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
openssl x509 -req -in client.csr.pem -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out client.cert.pem -days 365 -sha256 -extfile client.ext
cat client.cert.pem client.key.pem > client.pem

echo "Certificates generated in: $WORKDIR"

PreviousAuthentication and Access Control NextInstalling Instances for a Replica Set

Last updated 3 months ago

hashtagPrerequisites

hashtag1. Create a Certificate Authority (CA)

hashtag2. Generate a Server Certificate (for TLS communication)

hashtag3. Generate a Client Certificate (for TLS communication)

hashtag4. Combine PEM Files

hashtag5. Change MongoDB configuration

hashtagAutomated Script Example