PingIntelligence

Starting MongoDB with SSL

You can start MongoDB with SSL by using either a CA-signed or self-signed certificate.

About this task

To start MongoDB with SSL:

Steps

  1. Add a certificate.

    Choose from:

    • To add a CA-signed certificate, create a new PEM file by concatenating the certificate and its private key. Copy the resulting PEM file to the /opt/pingidentity/mongo/key/ directory created in step 1 in Installing MongoDB software.

      cat mongo-node-private-key mongo-node-certificate > /opt/pingidentity/mongo/key/mongodb.pem
    • To use a self-signed certificate, complete the following steps:

      1. Change to the key directory:

        cd /opt/pingidentity/mongo/key
      2. Generate a self-signed certificate and key:

        openssl req -newkey rsa:2048 -new -x509 -days 365 -nodes -out mongodb-cert.crt -keyout mongodb-cert.key
      3. Concatenate the certificate and the key:

        cat mongodb-cert.key mongodb-cert.crt > mongodb.pem
  2. After either a CA-signed certificate or self-signed certificate has been added to the key directory, shut down MongoDB:

    # mongod --dbpath ./data --shutdown
  3. Restart MongoDB with the --tlsMode flag:

    mongod --auth --dbpath ./data/ --logpath ./logs/mongo.log --port 27017 --replSet absrs01 --fork --keyFile ./key/mongodb-keyfile --bind_ip 0.0.0.0 --tlsMode requireTLS --tlsCertificateKeyFile ./key/mongodb.pem

    The --tlsMode flag can take the following three values:

    • allowTLS

    • preferTLS

    • requireTLS
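
Before restarting mongod, it helps to confirm that the mongodb.pem built in step 1 is usable. The script below is an added example, not part of the PingIntelligence documentation: it checks that the file holds both a key and a certificate, that the two match, that the certificate is not about to expire, and that the unencrypted key is readable only by its owner. The function names, the 30-day threshold and the owner-only permission check are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight checks for the PEM passed to --tlsCertificateKeyFile.
# Function names and the 30-day threshold are assumptions for illustration.

# The file must hold both a private key and a certificate.
pem_has_key_and_cert() {
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1" &&
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# The private key must belong to the certificate: compare their public keys.
pem_key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# The certificate must stay valid for at least $2 more days.
pem_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# The key is stored unencrypted (-nodes), so group and others get no access.
pem_is_owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run every check, report each failure, return non-zero if any check failed.
check_mongo_pem() {
    pem=$1; rc=0
    pem_has_key_and_cert "$pem" || { echo "FAIL: key or certificate missing"; rc=1; }
    pem_key_matches_cert "$pem" || { echo "FAIL: key does not match certificate"; rc=1; }
    pem_valid_for_days "$pem" 30 || { echo "FAIL: certificate expires within 30 days"; rc=1; }
    pem_is_owner_only "$pem" || { echo "FAIL: readable by group or others (chmod 600)"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK: $pem"; fi
    return "$rc"
}

# Usage: sh check_pem.sh /opt/pingidentity/mongo/key/mongodb.pem
if [ "$#" -gt 0 ]; then check_mongo_pem "$1"; fi
```

A non-zero exit status means at least one check failed; each failure is printed on its own line.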

Next steps

Learn more in MongoDB documentation.