Enable SSL Authentication

To enable SSL authentication, perform the following steps:

Note:

Ensure that only one ca.pem is generated. The server.pem for each server and the client.pem must all be generated from that same ca.pem (and its private key, privkey.pem).

If this is not done properly, SSL authentication may fail and the replica set servers may become unreachable.

Generate ca.pem, server.pem and client.pem by following the sections Generate ca.pem and server.pem and Generate client.pem below.

Generate ca.pem and server.pem

  1. Create a new folder (preferably named generate_certificate) at any location.
  2. Open the Command Prompt as Administrator.
  3. Copy the path of the folder and type the following command:
    cd <path till the directory>
    e.g. 
    cd C:\generate_certificate
  4. Execute all the further commands for generation of certificate in this folder.
    Figure 1. Generation of Certificates – ca.pem and server.pem
  5. Ensure openssl is available. To verify, type openssl version and press Enter. The OpenSSL version is displayed; check it, then proceed with the further steps.
  6. Execute the command below:
    echo subjectAltName=IP:<hostname/ip> > san.txt
    for eg:
    echo subjectAltName=IP:10.1.x.x > san.txt
    Note:
    Change the CN below w.r.t to hostname of server
    openssl req -out ca.pem -new -x509 -days 3650 –subj "/C=IN/ST=UP/O=Organisation/CN=<10.x.x.x>/emailAddress=user@domain.com"
  7. Upon execution of the previous command, you will be asked to enter a PEM pass phrase. This passphrase encrypts the CA private key, which openssl writes to privkey.pem in the same folder.
    Note:
    While entering the passphrase, no asterisks or cursor movement will be shown on the command prompt.
  8. Enter a passphrase and make sure to note it, as it will be required in further steps.
    Figure 2. Generation of Certificates – ca.pem and server.pem (cont.)
  9. Once the passphrase is entered, you are asked to verify it.
  10. Enter the same passphrase again and press Enter.
    Figure 3. Generation of Certificates – ca.pem and server.pem (cont.)
  11. The following files will be generated in the folder created earlier:
    Figure 4. Generation of Certificates – ca.pem and server.pem (cont.)
  12. The generated ca.pem (CA certificate) and privkey.pem (CA private key) are used to sign the certificates of every server and of the client.
  13. Enter the command below to create the file file.srl:
    echo 00 > file.srl
  14. Execute the command below to generate a file named server.key in the folder:
    openssl genrsa -out server.key 2048
  15. Execute the command below to generate the server.req file in the folder. Before executing it, identify the server for which the certificate is to be generated and enter that server's IP in the CN field:
    openssl req -key server.key -new -out server.req -subj "/C=IN/ST=UP/O=Organisation/CN=<IP of server for which certificate is to be created>/emailAddress=user@domain.com"
    e.g. –
    openssl req -key server.key -new -out server.req -subj "/C=IN/ST=UP/O=Organisation/CN=10.1.1xx.6x/emailAddress=user@domain.com"
  16. Execute the command below:
    openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out server.crt -days 3650 -extfile san.txt
  17. Users will be prompted to enter the passphrase for privkey.pem that was created earlier. Enter the same passphrase to proceed.
    Figure 5. Generation of Certificates – ca.pem and server.pem (cont.)
  18. Upon successful execution, server.crt will be generated.
  19. Enter the command below to concatenate server.key and server.crt
    type server.key server.crt > server.pem
  20. Upon successful execution, server.pem will be generated.
  21. Execute the command below. If the command execution is successful, OK message will be displayed.
    openssl verify -CAfile ca.pem server.pem
    Figure 6. Generation of Certificates – ca.pem and server.pem (cont.)
  22. Refer to Figure 7 to validate the files generated throughout the process:
    Figure 7. Generation of Certificates – ca.pem and server.pem (cont.)
  23. Make a note of the server IP for which this server.pem was generated; the file must be placed on that server.

Generation of server.pem for multiple servers using the same ca.pem

This section details the procedure to generate server.pem for multiple servers when MongoDB is configured in High Availability. Repeat the steps below for each server IP that is part of the replica set.

  1. Use the same ca.pem and privkey.pem that were used to generate the first server.pem and the client.pem, as described in the sections Generate ca.pem and server.pem and Generate client.pem.
  2. Create a new folder (preferably by the name, server_certificate).
  3. Copy ca.pem, privkey.pem from the folder where server.pem, client.pem were generated.
  4. Open the Command Prompt as Administrator. Change the current working directory to the new folder by executing the command below:
    cd <path till the directory>
     e.g. – cd C:\Server_certificate
  5. Execute the following commands (put the IP address of this server in the san.txt line):
    echo subjectAltName=IP:<ip address of server> > san.txt
    for eg:
    echo subjectAltName=IP:10.1.x.x > san.txt
    echo 00 > file.srl
    openssl genrsa -out server.key 2048
    Note:
    file.srl is the serial-number counter of ca.pem. Recreating it with 00 restarts the numbering, so certificates signed afterwards repeat serial numbers the same CA has already issued, although RFC 5280 requires them to be unique per CA. Copying the existing file.srl together with ca.pem and privkey.pem, instead of recreating it, keeps the numbers distinct.
  6. Execute the commands below, putting the IP address of the respective server in the CN field:
    openssl req -key server.key -new -out server.req -subj "/C=IN/ST=UP/O=Organisation/CN=10.1xx.xx.xx/emailAddress=user@domain.com"
    openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out server.crt -days 3650 -extfile san.txt
    Note:
    Enter the privkey.pem passphrase when prompted.
    type server.key server.crt > server.pem
    openssl verify -CAfile ca.pem server.pem
  7. Repeat the procedure to generate a server.pem for every server that is part of the replica set, all from the single ca.pem file.

Generate client.pem

  1. Before proceeding with this section, ensure that ca.pem and privkey.pem have been generated and that you have their passphrase.
  2. Use the same folder where server.pem and ca.pem were generated.
  3. Open the Command Prompt as Administrator.
  4. Copy the path of the folder and type the following command:
    cd <path till the directory that has ca.pem,privkey.pem of the server>
     e.g. –
     cd C:\generate_certificate
  5. Execute all the further commands for certificate generation in this folder. Use the passphrase created earlier during ca.pem and server.pem generation when prompted:
    echo 00 > file.srl
    openssl genrsa -out client.key 2048
    Note: Change the CN below to the hostname or IP address of the server.
    openssl req -key client.key -new -out client.req -subj "/C=IN/ST=UP/O=Organisation/CN=<10.x.0.0>/emailAddress=user@domain.com"
    openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out client.crt -days 3650 -extfile san.txt
    Note: Enter the privkey.pem passphrase when prompted.
    type client.key client.crt > client.pem
    openssl verify -CAfile ca.pem client.pem
  6. Upon successful execution, client.pem will be generated in the folder.

    After ca.pem, client.pem and server.pem are generated, copy these files to the path below:

    <MongoDB_installed_path>/MongoDB/Server/8.0/bin
    For e.g. - C:\Program Files\MongoDB\Server\8.0\bin
    Note:
    The server.pem generated for a given server must be placed on that same server.
  7. Go to the folder mongo/data/config, open the file mongod.cfg and make the following changes.
    Note:
    Preserve the spaces and indentation exactly as shown below (mongod.cfg is YAML, so indentation is significant). Ensure that editing is done in Notepad++.
    1. Under the existing net header, add the following, with ssl indented under net and the three settings indented under ssl:
      net:
        ssl:
          mode: allowSSL
          PEMKeyFile: C:\Program Files\MongoDB\Server\8.0\bin\server.pem
          CAFile: C:\Program Files\MongoDB\Server\8.0\bin\ca.pem
    Note:
    ssl, allowSSL and PEMKeyFile are the spellings, deprecated since MongoDB 4.2, of net.tls.mode (allowTLS) and net.tls.certificateKeyFile; the tls names are the ones current MongoDB documentation uses.
    Figure 8. MongoDB Installation - Enterprise Version (HA) (Cont.)
  8. Save the file for changes to be reflected.
  9. After making the changes on all servers of the replica set, restart the MongoDB service on all servers.
  10. Open Command Prompt as Administrator on all the servers and execute the command below:
    mongosh --tls --host <IP> --port <port> -u <username> -p <password> --authenticationDatabase "admin" --tlsCAFile "<path of ca.pem>" --tlsCertificateKeyFile "<path of client.pem>"
  11. Add the respective IP, port, path of the pem file in all the servers.
    for e.g. –
    mongosh --tls --host 10.x.x.x1 --port 27017 -u <username> -p <password> --authenticationDatabase "admin" --tlsCAFile "C:\Program Files\MongoDB\Server\8.0\bin\ca.pem" --tlsCertificateKeyFile "C:\Program Files\MongoDB\Server\8.0\bin\client.pem"

    This will help in establishing the connection with MongoDB.

  12. Execute the commands below on all servers of the replica set to raise the mode in two steps, first to preferSSL and then to requireSSL:
    MongoDB Enterprise replicaTest:PRIMARY> db.adminCommand( { setParameter: 1, sslMode: "preferSSL" } )
    MongoDB Enterprise replicaTest:PRIMARY> db.adminCommand( { setParameter: 1, sslMode: "requireSSL" } )
  13. Restart the MongoDB service on all servers in the replica set.
    Note:
    Values set with setParameter do not persist across a restart; to keep requireSSL after restarting, set mode: accordingly in mongod.cfg on each server.
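The certificate generation of the sections Generate ca.pem and server.pem, Generation of server.pem for multiple servers and Generate client.pem, scripted end to end as an added example (POSIX shell instead of the guide's Command Prompt; this is not the guide's own code). It assumes openssl on PATH, uses constructed IPs and a constructed passphrase, and checks that each server.pem and the client.pem chain to the single ca.pem, carry the expected IP in the SAN, and do not share a serial number.

```shell
#!/bin/sh
# Added example, not part of the guide: builds the same ca.pem / server.pem /
# client.pem set with openssl (assumed on PATH) on a POSIX shell and checks the
# property the guide's Note insists on: every server.pem and the client.pem
# chain to the one ca.pem. IPs and the passphrase are constructed values.
set -eu
CA_PASS="${CA_PASS:-example-passphrase}"   # passphrase that encrypts privkey.pem
SUBJ="/C=IN/ST=UP/O=Organisation"

# One CA only. -keyout names the key file (the guide relies on openssl's default
# privkey.pem); -passout replaces the interactive passphrase prompt.
make_ca() {   # $1 = working directory
  openssl req -new -x509 -days 3650 -out "$1/ca.pem" -keyout "$1/privkey.pem" \
    -passout "pass:$CA_PASS" -subj "$SUBJ/CN=example-ca" 2>/dev/null
  echo 00 > "$1/file.srl"   # serial counter shared by every cert this CA signs
}

# One leaf per server (or the client) signed by the same CA. The SAN takes IP:
# for an address; a hostname must be written as DNS:name instead.
make_leaf() {   # $1 = dir, $2 = name (server1, client, ...), $3 = IP for CN and SAN
  echo "subjectAltName=IP:$3" > "$1/$2.san"
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
  openssl req -new -key "$1/$2.key" -out "$1/$2.req" \
    -subj "$SUBJ/CN=$3/emailAddress=user@domain.com"
  openssl x509 -req -in "$1/$2.req" -CA "$1/ca.pem" -CAkey "$1/privkey.pem" \
    -CAserial "$1/file.srl" -passin "pass:$CA_PASS" -days 3650 \
    -extfile "$1/$2.san" -out "$1/$2.crt" 2>/dev/null
  cat "$1/$2.key" "$1/$2.crt" > "$1/$2.pem"   # the guide's 'type' on Windows
}

# One pem: must chain to ca.pem (the guide's "OK" step) and carry the expected
# IP in its SAN. Prints the certificate serial so callers can compare them.
check_leaf() {   # $1 = dir, $2 = name, $3 = expected IP
  openssl verify -CAfile "$1/ca.pem" "$1/$2.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1/$2.pem" -noout -text | grep -q "IP Address:$3" || return 1
  openssl x509 -in "$1/$2.pem" -noout -serial
}
# Whole procedure for a two-member replica set plus the client. Prints OK only
# if all three leaves verify and no two of them share a serial under this CA.
demo() {
  d=$(mktemp -d); make_ca "$d"
  make_leaf "$d" server1 10.1.1.61; make_leaf "$d" server2 10.1.1.62
  make_leaf "$d" client 10.1.1.200
  { check_leaf "$d" server1 10.1.1.61 && check_leaf "$d" server2 10.1.1.62 &&
    check_leaf "$d" client 10.1.1.200; } > "$d/serials" || { echo FAIL; return 1; }
  [ -z "$(sort "$d/serials" | uniq -d)" ] || { echo "FAIL duplicate serial"; return 1; }
  echo OK
}
demo
```

Because one file.srl is shared by all three signings, the serials come out distinct; recreating file.srl per folder, as the Windows steps do, is exactly what the duplicate-serial check would flag.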