TLS Certificates and Secure Communication
How to generate TLS certificates for MongoDB server and client communication.
This page explains how to generate TLS certificates for secure communication in MongoDB deployments. It covers both server and client certificates, for use in TLS encryption only — not for mutual (X.509) authentication.
Prerequisites
OpenSSL installed
A working directory such as /tmp/mongo_tls
A custom Certificate Authority (CA) to sign certificates
1. Create a Certificate Authority (CA)
This CA will sign all server and client certificates.
mkdir -p /tmp/mongo_tls
cd /tmp/mongo_tls
# Generate CA key
openssl genrsa -out ca.key.pem 4096
# Generate CA certificate
openssl req -x509 -new -nodes -key ca.key.pem -sha256 -days 3650 -out ca.cert.pem -subj "/C=CH/L=Zurich/O=MongoCA/CN=mongodb.local.ca"
2. Generate a Server Certificate (for TLS communication)
This certificate is used by the MongoDB server to secure incoming connections.
# Create server private key
openssl genrsa -out server.key.pem 4096
# Create a certificate signing request (CSR)
openssl req -new -key server.key.pem -out server.csr.pem -subj "/C=CH/L=Zurich/O=MongoDB/CN=mongodb-server"
# Create an extensions file for server authentication
cat > server.ext <<EOF
[ v3_req ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = localhost
IP.1 = 127.0.0.1
EOF
# Sign the server certificate with the CA
openssl x509 -req -in server.csr.pem -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out server.cert.pem -days 365 -sha256 -extfile server.ext -extensions v3_req
3. Generate a Client Certificate (for TLS communication)
This certificate allows clients (e.g. mongosh) to use encrypted communication.
# Create client private key
openssl genrsa -out client.key.pem 4096
# Create a certificate signing request (CSR)
openssl req -new -key client.key.pem -out client.csr.pem -subj "/C=CH/L=Zurich/O=MongoClient/CN=mongodb-client"
# Create an extensions file for client authentication
cat > client.ext <<EOF
[ v3_req ]
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
# Sign the client certificate with the CA
openssl x509 -req -in client.csr.pem -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out client.cert.pem -days 365 -sha256 -extfile client.ext -extensions v3_req
4. Combine PEM Files
MongoDB expects the certificate and private key in the same file:
cat server.cert.pem server.key.pem > server.pem
cat client.cert.pem client.key.pem > client.pem
5. Change MongoDB configuration
Move the three files to the $MONGO_BASE/admin/$MONGO_INSTANCE/secret directory.
mv /tmp/mongo_tls/ca.cert.pem /u01/app/mongodb/admin/mdb01/secret
mv /tmp/mongo_tls/server.pem /u01/app/mongodb/admin/mdb01/secret
mv /tmp/mongo_tls/client.pem /u01/app/mongodb/admin/mdb01/secret
Add the net.tls section to your configuration file.
net:
  tls:
    mode: requireTLS
    certificateKeyFile: /u01/app/mongodb/admin/mdb01/secret/server.pem
    CAFile: /u01/app/mongodb/admin/mdb01/secret/ca.cert.pem
mongosh connection:
mongosh "mongodb://localhost:27017/?tls=true&tlsCertificateKeyFile=/u01/app/mongodb/admin/mdb01/secret/client.pem&tlsCAFile=/u01/app/mongodb/admin/mdb01/secret/ca.cert.pem"
Automated Script Example
#!/bin/bash
set -e
WORKDIR="/tmp/mongo_tls"
mkdir -p "$WORKDIR"
cd "$WORKDIR"
# 1. CA
openssl genrsa -out ca.key.pem 4096
openssl req -x509 -new -nodes -key ca.key.pem -sha256 -days 3650 -out ca.cert.pem -subj "/C=CH/L=Zurich/O=MongoCA/CN=mongodb.local.ca"
# 2. Server Certificate
openssl genrsa -out server.key.pem 4096
openssl req -new -key server.key.pem -out server.csr.pem -subj "/C=CH/L=Zurich/O=MongoDB/CN=mongodb-server"
cat > server.ext <<EOF
[ v3_req ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = localhost
IP.1 = 127.0.0.1
EOF
openssl x509 -req -in server.csr.pem -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out server.cert.pem -days 365 -sha256 -extfile server.ext -extensions v3_req
cat server.cert.pem server.key.pem > server.pem
# 3. Client Certificate
openssl genrsa -out client.key.pem 4096
openssl req -new -key client.key.pem -out client.csr.pem -subj "/C=CH/L=Zurich/O=MongoClient/CN=mongodb-client"
cat > client.ext <<EOF
[ v3_req ]
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
openssl x509 -req -in client.csr.pem -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out client.cert.pem -days 365 -sha256 -extfile client.ext -extensions v3_req
cat client.cert.pem client.key.pem > client.pem
echo "Certificates generated in: $WORKDIR"
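A check to run on the generated material before mongod is restarted with mode: requireTLS, as an added example that is not part of the original page or of MongoDB's tooling: it verifies that server.pem and client.pem chain to ca.cert.pem, that each certificate matches the private key bundled with it in step 4, and that the extended key usage and subjectAltName are the ones steps 2 and 3 set. The make_demo_material function is a constructed sample generator (same file layout as the page, smaller keys) used only to exercise the checks.

```bash
#!/bin/bash
# Added example (not from the original page): sanity-check the PEM files before mongod uses them.
set -e
# Public key of the private key inside a combined cert+key file (server.pem, client.pem).
pem_key_pub() {
  sed -n '/-----BEGIN.*PRIVATE KEY-----/,/-----END.*PRIVATE KEY-----/p' "$1" \
    | openssl pkey -pubout 2>/dev/null
}
# verify_mongo_tls DIR: checks ca.cert.pem, server.pem and client.pem in DIR.
# Returns 0 when every check passes, 1 when any check fails (each failure is printed).
verify_mongo_tls() {
  local dir="$1" rc=0 f
  for f in server.pem client.pem; do
    # 1. Chain: the leaf must verify against the CA that mongod gets as CAFile.
    openssl x509 -in "$dir/$f" 2>/dev/null | openssl verify -CAfile "$dir/ca.cert.pem" >/dev/null 2>&1 \
      || { echo "FAIL: $f does not chain to ca.cert.pem"; rc=1; }
    # 2. Key/cert match: the public key in the certificate must equal the key's public part.
    [ "$(openssl x509 -in "$dir/$f" -noout -pubkey 2>/dev/null)" = "$(pem_key_pub "$dir/$f")" ] \
      || { echo "FAIL: certificate and private key in $f do not match"; rc=1; }
  done
  # 3. Extended key usage: serverAuth on the server cert, clientAuth on the client cert.
  openssl x509 -in "$dir/server.pem" -noout -text | grep -q 'TLS Web Server Authentication' \
    || { echo "FAIL: server.pem lacks extendedKeyUsage = serverAuth"; rc=1; }
  openssl x509 -in "$dir/client.pem" -noout -text | grep -q 'TLS Web Client Authentication' \
    || { echo "FAIL: client.pem lacks extendedKeyUsage = clientAuth"; rc=1; }
  # 4. SAN: the server cert must name the host clients connect to (localhost on this page).
  openssl x509 -in "$dir/server.pem" -noout -text | grep -q 'DNS:localhost' \
    || { echo "FAIL: server.pem has no subjectAltName entry for localhost"; rc=1; }
  return $rc
}
# make_demo_material DIR: constructed sample material with the same file layout as the page's
# procedure (2048-bit keys and 30-day lifetimes only to keep the demo fast). Runs in a subshell.
make_demo_material() (
  mkdir -p "$1" && cd "$1"
  openssl req -x509 -new -nodes -newkey rsa:2048 -keyout ca.key.pem -sha256 -days 30 \
    -out ca.cert.pem -subj "/CN=demo-ca" 2>/dev/null
  printf '[ v3_req ]\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:localhost\n' > server.ext
  printf '[ v3_req ]\nextendedKeyUsage = clientAuth\n' > client.ext
  for n in server client; do
    openssl req -new -nodes -newkey rsa:2048 -keyout "$n.key.pem" -out "$n.csr.pem" \
      -subj "/CN=demo-$n" 2>/dev/null
    openssl x509 -req -in "$n.csr.pem" -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial \
      -out "$n.cert.pem" -days 30 -sha256 -extfile "$n.ext" -extensions v3_req 2>/dev/null
    cat "$n.cert.pem" "$n.key.pem" > "$n.pem"
  done
)
# Stand-alone use: verify an existing directory, e.g. ./check_tls.sh /tmp/mongo_tls
if [ "$#" -eq 1 ]; then verify_mongo_tls "$1"; fi
```

Run it against the secret directory after step 5; every FAIL line names the file and the check that mongod or mongosh would otherwise reject at connection time.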