TLS connection to Windows Server hosted MongoDB

What do I need to do to connect from a Windows 10 box to the server without having to give the users the private key of the server?

I have MongoDB 4.4.8.0 on a Windows Server 2016 server. I have a signed certificate for the server, a .p12 file that I installed in Windows. The only way I can seem to connect with TLS from a Windows 10 machine to the MongoDB hosted on the server is if I use the server’s private key that was exported as a .pem file to remove the password. This is not a secure solution.

Config file for the DB is:

net:
  port: 27017
  bindIp: *ipaddress*, *server FQDN*
  tls:
    mode: requireTLS
    certificateSelector: subject=*server FQDN*

There are no errors when the server starts.

I can connect to the server with TLS from a Windows 10 box using the following command:

mongo.exe mongosh --tls --host server FQDN --tlsCertificateKeyFile c:\temp\cert.pem

In the server log file it shows “Client connecting with server’s own TLS certificate”

Any help would be greatly appreciated. I feel that the Mongo Installation Manual is a bit too vague on how to get this working properly.

Is there anyone that can help with this? It seems like it should be a simple setup to connect from Win10 to Server 2016 with TLS (without having to share the server’s private key).

Hi @Jon_Bryan and welcome to the forums,

I assumed that you are utilising a self-signed certificate. If so, you should create a root Certificate Authority (CA) file that you use to generate both the server and client pem files. You only need to share the root CA certificate.

For example:

// server
mongod --bind_ip <IPs> --tlsMode requireTLS --tlsCertificateKeyFile server.pem --tlsCAFile rootCA.crt

// client
mongo <URI> --tls --tlsCertificateKeyFile client.pem --tlsCAFile rootCA.crt 

Please see also:

Regards,
Wan.

2 Likes

Hi @wan,

Thanks for the reply. I am using CA signed certificates. Does this make a difference in process from the self signed certs? I tried generating PEM files for the root CA using the server’s cert (a PKCS#12 cert) using OpenSSL, but it would not recognize that PEM as valid. Do I need a CA signed certificate for the client as well since there is the client.pem file in the command to connect?

To clarify, since I’m running this on a Windows server I’m using this option for the certificate to start the mongod service.

From the Configure mongod and mongos for TLS page:

Starting in MongoDB 4.0, you can use system SSL certificate stores for Windows and macOS. To use the system SSL certificate store, specify net.tls.certificateSelector instead of specifying the certificate key file.

This appears to work properly as I can connect to the server, but only using the server’s private key from the Windows 10 client.

Hi @Jon_Bryan,

Potentially, depending on what you are trying to do and what you have from the trusted CA.

Depends on what you’re trying to do. For example, if you would like to Connect to MongoDB instance using encryption TLS options, i.e. the server to identify itself, then you could just provide the --tlsCAFile parameter in the client (or specify --tlsCertificateSelector to use the system store instead of specifying the file), i.e.:

mongosh --tls --host hostname.example.com --tlsCAFile /etc/ssl/caToValidateServerCertificates.pem

Alternatively, if you would like to Connect to MongoDB instance that requires client certificates TLS options, i.e. require clients to also authenticate with a certificate issued by a CA, then you need to create a client certificate that’s signed as well.

With a PKI system, you don’t provide one instance’s private key to other instances.

If you’re setting this up for a production purpose, I’d recommend either getting help from a security consultant or deploying your database on a managed cluster, i.e. MongoDB Atlas. Please see also Atlas Security.

Regards,
Wan.

1 Like
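
Added example, not part of the thread or of MongoDB's documentation: exporting only the CA certificate from a PKCS#12 bundle with OpenSSL and checking that a PEM file holds no private key before it is handed to clients as `--tlsCAFile`. The PKI, the host name `db.example.test` and the password `demo-only` are constructed placeholders, and the sketch assumes the bundle was exported with its CA certificate included.

```shell
#!/bin/sh
# Added example. The PKI is constructed and throwaway: the names, the host
# db.example.test and the password "demo-only" are placeholders.
set -eu

# Build a root CA, a server cert signed by it, and a PKCS#12 bundle holding
# the server cert, its private key and the CA cert.
make_demo_p12() {  # $1 = work dir
  ( cd "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
      -keyout ca.key -out ca.crt 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=db.example.test" \
      -keyout server.key -out server.csr 2>/dev/null
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 1 -out server.crt 2>/dev/null
    openssl pkcs12 -export -inkey server.key -in server.crt -certfile ca.crt \
      -passout pass:demo-only -out server.p12 )
}

# Export only the CA certificate(s) from the bundle: no server cert, no key.
extract_ca_only() {  # $1 = .p12, $2 = its password, $3 = output PEM
  openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys -out "$3"
}

# Succeeds if the PEM file carries any private key block.
has_private_key() {
  grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Fit to hand to clients as --tlsCAFile only if it holds no key and it
# validates the server certificate.
safe_for_clients() {  # $1 = candidate PEM, $2 = server certificate
  ! has_private_key "$1" && openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo run in a temp dir.
work=$(mktemp -d)
make_demo_p12 "$work"
extract_ca_only "$work/server.p12" demo-only "$work/rootCA.pem"
cat "$work/server.crt" "$work/server.key" > "$work/cert.pem"  # cert + key in one file
for f in rootCA.pem cert.pem; do
  if safe_for_clients "$work/$f" "$work/server.crt"
  then echo "$f: OK to distribute"; else echo "$f: do NOT distribute"; fi
done
rm -rf "$work"
```

The exported CA-only file is the one a client passes to `--tlsCAFile`; the `.p12` and any PEM that carries a key stay on the server.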