Self signed certificate for replica set


Martin Aceto

May 14, 2016, 1:09:08 AM5/14/16
to mongod...@googlegroups.com
Hello,

I'm trying to set up SSL on my replica set. I'm creating the CA with the command

openssl req -newkey rsa:2048 -new -x509 -days 36500 -nodes -out mongodb-cert.crt -keyout mongodb-cert.key

Environment:

* MongoDB 3.2.6
* Ubuntu 14.04

My replica set has 3 servers.

Is that the correct way to create the CA?

Thanks
Martin

Wan Bachtiar

May 23, 2016, 10:11:47 PM5/23/16
to mongodb-user

Is that the correct way to create the CA?

Hi Martin,

That is one way of generating a self-signed Certificate Authority. "Correct" in this case would depend on your security requirements. For example, if you require encryption on the output key, then you should remove the -nodes option, etc.

Worth mentioning that you could also verify the .pem files before using them. For example:

openssl verify -CAfile mongodb-cert.crt client.pem;

An extra note for production use, your MongoDB deployment should use valid certificates generated and signed by a single certificate authority. If you use a self-signed certificate, although the communications channel will be encrypted, there will be no validation of server identity. Using a certificate signed by a trusted certificate authority will permit MongoDB drivers to verify the server’s identity. In general, avoid using self-signed certificates unless the network is trusted.

Other related links that you may find useful:

If you have further questions regarding TLS/SSL itself i.e. options/ciphers, you may get a faster response by posting a question on ServerFault or Security StackExchange.

Kind regards,

Wan.
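The steps discussed in this thread carried through end to end, as an added example that is not code from the original posts: a self-signed CA created with the question's command, a certificate for one replica-set member signed by it, the single .pem that mongod reads, and the openssl verify check from the reply run against the right CA and against an unrelated one. The host name rs0-member1.example.internal, the CA names and the scratch directory are assumptions.

```shell
# Added example, not code from the thread. Builds a self-signed CA the way
# the question does, issues a member certificate signed by it, assembles the
# single .pem mongod reads, and runs the verify step from the reply.
# The host name, CA names and scratch directory are assumptions.

# Self-signed CA: the question's command plus -subj so it runs without
# prompts. -nodes leaves the CA key unencrypted (see the reply).
make_ca() {            # $1 = dir, $2 = CA common name, $3 = file stem
  openssl req -newkey rsa:2048 -new -x509 -days 36500 -nodes \
    -subj "/CN=$2" -out "$1/$3.crt" -keyout "$1/$3.key" 2>/dev/null
}

# Key and CSR for one member, signed by the CA, then key and certificate
# concatenated into the one PEM file mongod's PEMKeyFile option expects.
# The CN/SAN must be the name other members and drivers connect to.
make_member_pem() {    # $1 = dir, $2 = member host name, $3 = CA file stem
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$2" > "$1/$2.ext"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" \
    -CAcreateserial -days 365 -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
  cat "$1/$2.key" "$1/$2.crt" > "$1/$2.pem"
}

# The check from the reply. Prints ok/fail and exits 0 only when the pem's
# certificate chains to the given CA file.
verify_member_pem() {  # $1 = CA certificate, $2 = member .pem
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
    return 1
  fi
}

# End to end: the member's pem verifies against its own CA and is rejected
# when checked against an unrelated CA, which is what you want to see.
demo() {               # $1 = scratch dir
  make_ca "$1" mongodb-test-ca mongodb-cert
  make_ca "$1" unrelated-ca unrelated-ca
  make_member_pem "$1" rs0-member1.example.internal mongodb-cert
  good=$(verify_member_pem "$1/mongodb-cert.crt" "$1/rs0-member1.example.internal.pem")
  bad=$(verify_member_pem "$1/unrelated-ca.crt" "$1/rs0-member1.example.internal.pem") || true
  echo "$good $bad"    # prints: ok fail
}
```

Run it as `demo "$(mktemp -d)"`; the second, failing check is the one that tells you verify is actually doing work rather than accepting anything.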

Martin Aceto

May 23, 2016, 11:03:06 PM5/23/16
to mongod...@googlegroups.com
Hi Wan,

Thanks for the links and information.

I created the CA and it works fine.

Thanks again.

Martin
