Secure your MongoDB connections - SSL/TLS

We will learn to make secure connection between server and client by creating your own SSL CA (Certificate Authority)

Rajan Maharjan
5 min readJun 15, 2017

What we will cover ?

  1. MongoDB Installation
  2. Creating own SSL CA to dump our self-signed certificate
  3. Enabling TLS on a self-hosted or self-managed MongoDB server
  4. Using SSL/TLS with the mongo shell
  5. Using SSL/TLS with Robomongo

Note:

This tutorial works for Linux paltforms: (Ubuntu / MacOS)

1. MongoDB Installation

You can follow the official guideline for installation.

2. Creating own SSL CA to dump our self-signed certificate

We will be using OpenSSL to create own private certificate authority.

The process for creating your own certificate authority is pretty straight forward:

  1. Create a private key
  2. Self-sign
  3. Install root CA on your various workstations

Once you do that, every device that you manage via HTTPS just needs to have its own certificate created with the following steps:

  1. Create CSR for client
  2. Sign CSR with root CA key

Creating the root certificate is easy and can be done quickly. Once you do these steps, you’ll end up with a root SSL certificate that you’ll install on all of your desktops, and a private key you’ll use to sign the certificates that get installed on your various devices.

The first step is to create the private root key which only takes one step. In the example below, I’m creating a 2048 bit key:

openssl genrsa -out rootCA.key 2048

Important note: Keep this private key very private. This is the basis of all trust for your certificates, and if someone gets a hold of it, they can generate certificates that your browser will accept. You can also create a key that is password protected by adding -des3:

openssl genrsa -des3 -out rootCA.key 2048

The next step is to self-sign this certificate.

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

This will start an interactive script which will ask you for various bits of information. Fill it out as you see fit.

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Oregon
Locality Name (eg, city) []:Portland
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Overlords
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:Data Center Overlords
Email Address []:none@none.com

Once done, this will create an SSL certificate called rootCA.pem, signed by itself, valid for 1024 days, and it will act as our root certificate. The interesting thing about traditional certificate authorities is that root certificate is also self-signed. But before you can start your own certificate authority, remember the trick is getting those certs in every browser in the entire world.

Create A Certificate (Done Once Per Device)

Every device that you wish to install a trusted certificate will need to go through this process. First, just like with the root CA step, you’ll need to create a private key (different from the root CA).

openssl genrsa -out mongodb.key 2048

Once the key is created, you’ll generate the certificate signing request.

openssl req -new -key mongodb.key -out mongodb.csr

You’ll be asked various questions (Country, State/Province, etc.). Answer them how you see fit. The important question to answer though is common-name.

Common Name (eg, YOUR name) []: 10.0.0.1

Whatever you see in the address field in your browser when you go to your device must be what you put under common name, even if it’s an IP address. Yes, even an IP (IPv4 or IPv6) address works under common name. If it doesn’t match, even a properly signed certificate will not validate correctly and you’ll get the “cannot verify authenticity” error. Once that’s done, you’ll sign the CSR, which requires the CA root key.

openssl x509 -req -in mongodb.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out mongodb.crt -days 500 -sha256

This creates a signed certificate called device.crt which is valid for 500 days (you can adjust the number of days of course, although it doesn’t make sense to have a certificate that lasts longer than the root certificate).

Create .pem file;

cat mongodb.key mongodb.crt > mongodb.pem

For more details : Creating-your-own-ssl-certificate-authority

3. Enabling TLS on a self-hosted or self-managed MongoDB server

Open /etc/mongod.conf with your favorite code editor and make sure it contains the following lines:

net:
port:27017
bindIp: 127.0.0.1
ssl:
mode: requireSSL
PEMKeyFile: <route-to-cert-file>
CAFile: <route-to-ca-file>

If you can’t find mongod.conf or it is named mongodb.conf instead, it means that you are using a really old and broken version of MongoDB. Please read this guide on how to upgrade to a more recent version.)

Please replace <route-to-cert-file> with the route of the .pem file that contains the signed SSL certificate and key., e.g.: /etc/ssl/mongodb.pem .

Also replace <route-to-ca-file> with the route of the .pem file that contains the root certificate chain from the Certificate Authority, e.g.: /etc/ssl/ca.pem .

Now you are ready to save the configuration file and restart mongod:

$ sudo service mongodb restart
[ ok ] Restarting database: mongod.

IMPORTANT: Please keep reading this guide in order to know how to configure TLS in mongo client and the official drivers.

Using TLS with the mongo shell

Remember that from now on, to connect to your MongoDB server using the mongo client, you will need to specify some additional flags:

$ mongo --ssl --sslCAFile /etc/ssl/ca.pem --sslPEMKeyFile /etc/ssl/client.pem --host host.example.com
  • --ssl enables TLS channel encryption.
  • --sslPEMKeyFile is the path to the client certificate — which needs to be signed by the server certificate.
  • --sslCAFile is the path to the root certificate of the Certification Authority (CA) that signed the server certificate. From MongoDB 3.2.6, this parameter is optional, and if not specified, the client will check the certificate against the system CA store.
  • --host (optional) verifies that the hostname of the server matches the one in the certificate it presents.

For more details : How to Enable TLS/SSL on MongoDB

4. Using SSL/TLS with Robomongo

Robomongo announced the new Robomongo with SSL support:
Robomongo 0.9.0 RC10!

Here is the link for details: Robomongo RC10 brings support to SSL

If you have queries you can leave the comment. I’ll reach back to you as soon as possible.

Thanks for reading this and please recommend this if you liked.

--

--

Responses (5)