Obtain server certificates to enable TLS encryption for your self-managed MongoDB replica set deployments.
Important
These steps apply to self-managed MongoDB deployments. MongoDB Atlas clusters use TLS by default. If you use Cloud Manager or Ops Manager, configure TLS through your deployment management tool.
Before you Begin
Before you start, ensure you have the following information and resources:
You have a self-managed MongoDB replica set deployment that you want to secure with TLS.
You have at least one admin user enabled on your deployment to verify TLS connections in later tutorials. If you want to enable X.509 client authentication, the admin user must have at least the
userAdminrole to create and modify users in the$externaldatabase.You have a hostname for each node in your deployment, such as
mongo0.example.com,mongo1.example.com, andmongo2.example.com. If you are using a public CA, you must have a registered domain name that corresponds to these hostnames.You have OpenSSL installed on your machine.
If you are planning on using a public CA, such as Let's Encrypt or DigiCert, you know which public CA you are using. If you are planning on using a private CA, you have access to your organization's PKI information. The process for obtaining certificates might be different based on the CA you use. However, you must end with the same
.pemfiles described in the final result section of this tutorial.You have your preferred command line interface open.
You know your deployment TLS configuration requirements and whether your certificates need
clientAuthEKU based on the TLS Planning page.
Steps
This tutorial creates one certificate called mongo0.pem for the first node
in your deployment. When generating certificates for additional nodes, be specific
in your file names. For example, name the certificate for your first secondary node
mongo1.pem.
Final Result
At the end of this tutorial, you have the following .pem files
in /etc/ssl/mongodb:
For each node, you have a
.pemfile that contains the certificate and private key for that node, such asmongo0.pem,mongo1.pem, andmongo2.pem.For the deployment overall, you have the intermediate CA certificate that issued the certificates for each node, such as
ca.pem.
Next Steps
To learn how to configure TLS for your self-managed MongoDB deployment, continue to the next tutorial, Configure TLS for a Self-Managed Deployment.