The Root Certificate (aka CA File) will be used to sign and identify your certificate. To generate it, run the command.
Store the root certificate and its key securely; both will be used to sign your certificates, and the root certificate might be used by your client as well.
When generating the Certificate Signing Request (aka CSR), input the exact hostname (or IP) of your node in the Common Name (aka CN) field. The other fields must have the same values.
Use the CA File (ca.pem) and its Private Key (ca.key) generated previously to sign each Certificate Request by running the commands.
Run the commands below to concatenate each Node Certificate with its key in one file (MongoDB requirement).
We will assume that your pem files are located in your current folder and data/data1, data/data2, and data/data3.
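The steps above (root certificate, CSR, signing, concatenation) as one added OpenSSL script; it is not the original page's commands. The hostnames, subject fields, key size, validity period, the `node.*` file names and the subjectAltName entry are assumptions; only `ca.pem`, `ca.key` and the `data/dataN` folders come from the text.

```shell
# Added example. Hostnames, subject fields and node.* names are constructed.
# Usage: make_pki . mongo1.example.internal mongo2.example.internal mongo3.example.internal
set -eu

make_pki() {
  dir=$1; shift
  subj="/C=US/O=ExampleOrg/OU=Database"   # identical on every certificate; only CN varies
  mkdir -p "$dir"

  # Root certificate (ca.pem) and its private key (ca.key)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" \
    -subj "$subj/CN=Example Root CA" 2>/dev/null
  chmod 600 "$dir/ca.key"

  i=1
  for host in "$@"; do
    node="$dir/data/data$i"
    mkdir -p "$node"
    # Node key and CSR: CN is the exact hostname of the node
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -keyout "$node/node.key" -out "$node/node.csr" \
      -subj "$subj/CN=$host" 2>/dev/null
    # Assumption beyond the page: also put the hostname in subjectAltName,
    # which current TLS clients check instead of CN
    printf 'subjectAltName=DNS:%s\n' "$host" > "$node/san.ext"
    # Sign the CSR with the CA file and its private key
    openssl x509 -req -in "$node/node.csr" -sha256 -days 365 \
      -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
      -extfile "$node/san.ext" -out "$node/node.crt" 2>/dev/null
    # MongoDB requirement: certificate and key in one file
    cat "$node/node.crt" "$node/node.key" > "$node/node.pem"
    chmod 600 "$node/node.key" "$node/node.pem"
    i=$((i + 1))
  done
}

# Succeeds only if the PEM chains to ca.pem, names the expected host,
# and carries its private key.
node_ok() {
  openssl verify -CAfile "$1/ca.pem" "$2" >/dev/null 2>&1 &&
    openssl x509 -in "$2" -noout -subject | grep -qF "$3" &&
    grep -q 'PRIVATE KEY' "$2"
}
```

Running `node_ok` against each node file before starting the instances catches a certificate signed by the wrong CA or issued for the wrong hostname.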
Deploy your ReplicaSet for Mutual SSL / Mutual Trust
To force your client to provide a Client Certificate (Mutual SSL), you must add the CA File when running your instances.