Docs Menu
Docs Home
/ /
/ / /

Obtain TLS Server Certificates

Obtain server certificates to enable TLS encryption for your self-managed MongoDB replica set deployments.

Important

These steps apply to self-managed MongoDB deployments. MongoDB Atlas clusters use TLS by default. If you use Cloud Manager or Ops Manager, configure TLS through your deployment management tool.

Before you start, ensure you have the following information and resources:

  • You have a self-managed MongoDB replica set deployment that you want to secure with TLS.

  • You have at least one admin user enabled on your deployment to verify TLS connections in later tutorials. If you want to enable X.509 client authentication, the admin user must have at least the userAdmin role to create and modify users in the $external database.

  • You have a hostname for each node in your deployment, such as mongo0.example.com, mongo1.example.com, and mongo2.example.com. If you are using a public CA, you must have a registered domain name that corresponds to these hostnames.

  • You have OpenSSL installed on your machine.

  • If you are planning on using a public CA, such as Let's Encrypt or DigiCert, you know which public CA you are using. If you are planning on using a private CA, you have access to your organization's PKI information. The process for obtaining certificates might be different based on the CA you use. However, you must end with the same .pem files described in the final result section of this tutorial.

  • You have your preferred command line interface open.

  • You know your deployment TLS configuration requirements and whether your certificates need clientAuth EKU based on the TLS Planning page.

This tutorial creates one certificate called mongo0.pem for the first node in your deployment. When generating certificates for additional nodes, be specific in your file names. For example, name the certificate for your first secondary node mongo1.pem.

At the end of this tutorial, you have the following .pem files in /etc/ssl/mongodb:

  • For each node, you have a .pem file that contains the certificate and private key for that node, such as mongo0.pem, mongo1.pem, and mongo2.pem.

  • For the deployment overall, you have the intermediate CA certificate that issued the certificates for each node, such as ca.pem.

To learn how to configure TLS for your self-managed MongoDB deployment, continue to the next tutorial, Configure TLS for a Self-Managed Deployment.

Back

Plan Your Configuration

On this page