I want to enable SSL authentication on my MongoDB database both at the server and client level.
I obtained a certificate that is signed by my company CA, then created the PEM file as normal by concatenating the certificate and private key. I did the same for both the server (mongod) and the client (mongo shell), and actually also for the Compass client. This all worked just fine.
As a next step, I wanted to encrypt the certificate-key PEM file and use the net.ssl.PEMKeyPassword option to start mongod. However, all my attempts so far have failed.
Here is what I tried:
- I tried to encrypt the whole PEM file => it complained with "Failed to find PEM blob header: -----BEGIN CERTIFICATE-----".
- I tried to encrypt the private key alone (then added the result to the PEM file under -----BEGIN RSA PRIVATE KEY-----) => it complained with "CryptDecodeObjectEx failed to get size of object: ASN1 bad tag value met".
- I tried to replace -----BEGIN RSA PRIVATE KEY----- with -----BEGIN ENCRYPTED PRIVATE KEY----- => it complained with "Encrypted private keys are not supported, use the Windows certificate store instead".
The encryption command I used is:
openssl rsa -aes256 -in .\mongodb.pem -out mongodb-s.pem
When all of the above didn't work, I suspected the encryption command and used another one:
openssl enc -aes-256-cbc -in .\mongodb.pem -out .\mongodb-s.pem
This one generated a file in a binary format. When I pointed net.ssl.PEMKeyFile to it, it again complained with "Failed to find PEM blob header: -----BEGIN CERTIFICATE-----".
For information, I'm using Windows 10 and starting mongod v4.2 via Windows Services.
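The three errors above correspond to three different shapes of file: no PEM header at all (the binary output of openssl enc), a legacy "RSA PRIVATE KEY" blob whose Proc-Type/DEK-Info headers mark it as encrypted and whose body is raw ciphertext rather than DER, and a PKCS#8 "ENCRYPTED PRIVATE KEY" blob. The following inspector, an added example that is not part of the question or of MongoDB, classifies the blobs in a PEM file so you can see which shape a given file has before handing it to mongod; the sample PEM and its base64 bodies are constructed dummy data, not real key material.

```python
import base64
import re
from dataclasses import dataclass

# Constructed sample PEM (dummy base64 bodies built inline, no real key material):
# a certificate blob, then a key in the legacy format that "openssl rsa -aes256"
# writes (Proc-Type/DEK-Info headers, body = raw ciphertext, not DER), then a
# PKCS#8 encrypted key blob whose body is DER (EncryptedPrivateKeyInfo).
CERT_BODY = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
LEGACY_ENC_BODY = base64.b64encode(b"\xa7\x11\x9c\x44\x00\x2e\x5b\x90").decode()
PKCS8_ENC_BODY = base64.b64encode(b"\x30\x05\x30\x03\x06\x01\x00").decode()
SAMPLE_PEM = f"""-----BEGIN CERTIFICATE-----
{CERT_BODY}
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

{LEGACY_ENC_BODY}
-----END RSA PRIVATE KEY-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
{PKCS8_ENC_BODY}
-----END ENCRYPTED PRIVATE KEY-----
"""

BLOB_RE = re.compile(r"-----BEGIN ([^-]+)-----\r?\n(.*?)-----END \1-----", re.S)


@dataclass
class PemBlob:
    label: str
    encrypted: bool  # legacy "Proc-Type: 4,ENCRYPTED" header, or PKCS#8 ENCRYPTED label
    der_like: bool   # decoded body starts with 0x30, the ASN.1 SEQUENCE tag


def inspect_pem(text: str) -> list[PemBlob]:
    """Classify each PEM blob. An empty result means no PEM header was found,
    which is what the raw binary output of `openssl enc` looks like."""
    blobs = []
    for label, body in BLOB_RE.findall(text):
        headers, sep, b64 = body.partition("\n\n")  # legacy headers end at a blank line
        if not sep:
            headers, b64 = "", body
        raw = base64.b64decode("".join(b64.split()))
        legacy = "Proc-Type: 4,ENCRYPTED" in headers
        blobs.append(PemBlob(label, legacy or label == "ENCRYPTED PRIVATE KEY", raw[:1] == b"\x30"))
    return blobs


if __name__ == "__main__":
    for blob in inspect_pem(SAMPLE_PEM):
        print(blob)
```

Run it against your own file with inspect_pem(open("mongodb-s.pem").read()); a legacy blob shows encrypted=True with der_like=False, a PKCS#8 blob shows both True, and the openssl enc output yields an empty list.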