MongoDB – Configure a ReplicaSet to support TLS/SSL


Create the Root Certificate

The Root Certificate (aka CA File) is used to sign your node certificates and lets peers verify their identity. To generate it, run the command.

Store the root certificate and its private key securely; both are needed to sign your certificates, and the root certificate may also need to be distributed to your clients.

Generate the Certificate Requests and the Private Keys

When generating the Certificate Signing Request (aka CSR), enter the exact hostname (or IP) of the node in the Common Name (aka CN) field. The other subject fields must have identical values on every node.

Sign your Certificate Requests

Use the CA File (ca.pem) and its Private Key (ca.key) generated previously to sign each Certificate Request by running the commands.

Concatenate each Node Certificate with its key

Run the commands below to concatenate each Node Certificate with its key into a single file (a MongoDB requirement).

Deploy your ReplicaSet

We will assume that your pem files are located in your current folder and that your data directories are data/data1, data/data2, and data/data3.

Deploy your ReplicaSet for Mutual SSL / Mutual Trust

To force clients to present a Client Certificate (Mutual SSL), you must also pass the CA File when starting your instances.
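The whole procedure above (root CA, per-node CSR and key, signing, concatenation, and the mongod flags for mutual TLS) as one added shell example; it is not the page's own command set, and the hostnames, subject fields and working directory are assumed placeholders.

```shell
#!/usr/bin/env sh
# Added example (not from the original page). Builds a private CA, issues one
# certificate per replica-set member, concatenates cert+key into the single PEM
# mongod expects, and verifies the result. Hostnames below are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
NODES="${NODES:-node1.example.internal node2.example.internal node3.example.internal}"
SUBJ_BASE="/C=XX/ST=State/L=City/O=ExampleOrg/OU=DB"   # identical on every member

make_ca() {
  # Root CA: ca.key stays offline; ca.pem is what members and clients get as the CA file.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -subj "$SUBJ_BASE/CN=MongoDB Root CA" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.pem" 2>/dev/null
}

issue_node_cert() {
  host="$1"
  # CSR + key: CN is the hostname peers use to reach this node; other fields match SUBJ_BASE.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$SUBJ_BASE/CN=$host" \
    -keyout "$WORKDIR/$host.key" -out "$WORKDIR/$host.csr" 2>/dev/null
  # Sign with the CA; the SAN lets hostname verification succeed on modern clients.
  printf 'subjectAltName=DNS:%s\n' "$host" > "$WORKDIR/$host.ext"
  openssl x509 -req -days 825 -sha256 -CA "$WORKDIR/ca.pem" -CAkey "$WORKDIR/ca.key" \
    -CAcreateserial -extfile "$WORKDIR/$host.ext" \
    -in "$WORKDIR/$host.csr" -out "$WORKDIR/$host.crt" 2>/dev/null
  # mongod requires certificate and private key concatenated into one PEM file.
  cat "$WORKDIR/$host.crt" "$WORKDIR/$host.key" > "$WORKDIR/$host.pem"
  chmod 600 "$WORKDIR/$host.key" "$WORKDIR/$host.pem"
}

verify_node_pem() {
  # Check that the member cert chains to our CA and that its CN is the hostname.
  openssl verify -CAfile "$WORKDIR/ca.pem" "$WORKDIR/$1.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$WORKDIR/$1.pem" -noout -subject | grep -q "CN *= *$1"
}

mongod_tls_args() {
  # TLS flags for member $1. Passing --tlsCAFile is what makes mongod require a
  # client certificate (mutual TLS); --clusterAuthMode x509 secures member-to-member auth.
  printf '%s\n' "--tlsMode requireTLS --tlsCertificateKeyFile $WORKDIR/$1.pem --tlsCAFile $WORKDIR/ca.pem --clusterAuthMode x509"
}

build_all() {
  make_ca
  for h in $NODES; do issue_node_cert "$h"; done
}
```

Run `build_all`, then start each member with `mongod --replSet rs0 --dbpath data/dataN --bind_ip <hostname> $(mongod_tls_args <hostname>)`.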