How to secure MongoDB connection with your own certificate


Starting with Product update 9, you can secure the MongoDB connection with a certificate. During installation of MongoDB, you can either use the Simplified certificate installation (self-signed) or use your own existing certificate.

In this blog, I would like to discuss the steps needed to switch from the Simplified certificate and secure the connection with your own existing certificate.

Before we start, please review the online help "How to secure mongoDB access".

It would also be a great idea to review the MongoDB tutorial "Use x.509 Certificates to Authenticate Clients".

In this example I used a certificate generator on another server to generate a CA certificate file, a server certificate file and a private key file, and I am going to redo the SSL configuration for the MongoDB connection with these certificates. Below are the files that I am going to use to secure MongoDB.




So here are the steps.

  1. Launch the MongoDB installation.
  2. Follow the prompts to change your existing MongoDB installation.
  3. Check Redo the ssl configuration.



  4. Select Use an existing certificate.



  5. Enter the required information here: the server certificate file, the private key, the CA certificate and the passphrase, if any.




  6. Click Next and follow the prompts to finish the installation.
  7. After the above is done, your MongoDB certificate directory will contain two files like the ones below.



  8. The above is the server certificate used by MongoDB. Now we need to generate a client certificate to be used by the Syracuse / Web server. To generate a client certificate you need to use OpenSSL; for more information, visit OpenSSL.
  9. First, I use the command below to generate client-req.csr and client.key.
    Note that the common name used must be different from the common name in the server certificate, as outlined in the MongoDB tutorial.

    openssl req -newkey rsa:2048 -keyout client.key -out client-req.csr




  10. The above step creates client.key and client-req.csr.
  11. Now use the command below to create client.crt (note that you have to supply ca.cacrt and ca.cakey).



  12. The above step creates the client.crt certificate file.
  13. Next, use the command below to remove the encryption from the key.



  14. Next, use a copy statement to merge client-nokey.key and client.crt into a PEM file.



  15. After the above step you have a client.pem file.
  16. Copy the client.pem and ca.cacrt files to your Syracuse MongoDB cert directory.

  17. Restart Syracuse service.
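
Steps 9 to 14 as one script, with a check that the resulting client.pem chains to the CA and that its key and certificate match. This is an added example using standard OpenSSL invocations, not the commands from the original post. Assumptions: the throwaway CA, the subject names, the passphrase "changeit" and the client.ext extension file (clientAuth usage) are constructed here; the file names client.key, client-req.csr, client.crt, client-nokey.key, client.pem, ca.cacrt and ca.cakey are the ones the post uses.

```shell
#!/bin/sh
# Added example, not the author's commands. Constructed values: the throwaway
# CA, the subject names and the passphrase "changeit" are placeholders.

make_test_ca() {            # $1 = work dir; stands in for your real CA files
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=ExampleOrg/CN=Example Test CA" \
        -keyout "$1/ca.cakey" -out "$1/ca.cacrt"
}

make_client_pem() {         # $1 = dir that holds ca.cacrt and ca.cakey
    d=$1
    # Step 9: encrypted key + CSR; the CN must differ from the server cert's.
    openssl req -newkey rsa:2048 -passout pass:changeit \
        -subj "/O=ExampleOrg/OU=Clients/CN=syracuse-client" \
        -keyout "$d/client.key" -out "$d/client-req.csr" || return 1
    # Step 11: sign the CSR with the CA. The clientAuth extension file
    # (client.ext) is an assumption added here, not a file from the post.
    printf 'keyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
        > "$d/client.ext"
    openssl x509 -req -in "$d/client-req.csr" -sha256 -days 365 \
        -CA "$d/ca.cacrt" -CAkey "$d/ca.cakey" -CAcreateserial \
        -extfile "$d/client.ext" -out "$d/client.crt" || return 1
    # Step 13: write a copy of the key with the passphrase removed.
    openssl rsa -in "$d/client.key" -passin pass:changeit \
        -out "$d/client-nokey.key" || return 1
    # Step 14: merge key and certificate (the post uses a Windows copy).
    cat "$d/client-nokey.key" "$d/client.crt" > "$d/client.pem" || return 1
    chmod 600 "$d/client-nokey.key" "$d/client.pem"   # key is now unprotected
}

check_client_pem() {        # $1 = same dir; 0 if client.pem is usable
    d=$1
    # The certificate must chain to the CA that MongoDB trusts.
    openssl verify -CAfile "$d/ca.cacrt" "$d/client.crt" >/dev/null || return 1
    # The key and the certificate inside client.pem must be a pair.
    k=$(openssl pkey -in "$d/client.pem" -pubout | openssl sha256)
    c=$(openssl x509 -in "$d/client.pem" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}

# Run as: sh make-client-pem.sh /path/to/empty/dir  (uses the throwaway CA)
if [ -n "${1:-}" ]; then
    make_test_ca "$1" && make_client_pem "$1" && check_client_pem "$1" \
        && echo "client.pem OK"
fi
```

With your real CA, skip make_test_ca and place ca.cacrt and ca.cakey in the directory before calling make_client_pem.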

Conclusion: With the above steps you can create a client certificate and use it to secure the connection between Syracuse and MongoDB.