Mongo SSL Setup
1,252 views
Skip to first unread message
LV
May 12, 2015, 1:32:49 PM5/12/15
to mongod...@googlegroups.com
Mongo Version/build: win32/mongodb-win32-x86_64-2008plus-ssl-2.8.0-rc5.zip from https://www.mongodb.org/dl/win32/x86_64-2008plus-ssl
To use TLS/SSL with mongo I understood that mongod should be started with the options: --sslMode, --sslCAFile --sslPEMKeyFile
My assumption is that the values should be:
1) sslMode = requireSSL
2) sslCAFile = Certificate Authority issued certificates in .pem format (Base64-encoded ASCII files).
3) sslPEMKeyFile = PKCS file in .p12 format (binary format for storing the server certificate, any intermediate certificates, and the private key in one encrypted file)
When trying that:
c:\mongodb>mongod --sslMode requireSSL --sslPEMKeyFile "C:\mongodb\pkcs.p12" --sslCAFile "C:\mongodb\ca.pem"
I get that:
600-0700 E NETWORK cannot read certificate file: C:/mongodb/pkcs.p12 error:0906D06C:PEM routines:PEM_read_bio:no start line
752-0700 F CONTROL Failed global initialization: Location16768 ssl initialization problem
What am I missing here?
To use TLS/SSL with mongo I understood that mongod should be started with the options: --sslMode, --sslCAFile --sslPEMKeyFile
My assumption is that the values should be:
1) sslMode = requireSSL
2) sslCAFile = Certificate Authority issued certificates in .pem format (Base64-encoded ASCII files).
3) sslPEMKeyFile = PKCS file in .p12 format (binary format for storing the server certificate, any intermediate certificates, and the private key in one encrypted file)
When trying that:
c:\mongodb>mongod --sslMode requireSSL --sslPEMKeyFile "C:\mongodb\pkcs.p12" --sslCAFile "C:\mongodb\ca.pem"
I get that:
600-0700 E NETWORK cannot read certificate file: C:/mongodb/pkcs.p12 error:0906D06C:PEM routines:PEM_read_bio:no start line
752-0700 F CONTROL Failed global initialization: Location16768 ssl initialization problem
What am I missing here?
Rob Moore
May 13, 2015, 9:24:29 PM5/13/15
to mongod...@googlegroups.com
The sslPEMKeyFile wants a PEM formatted file too, not a PKCS12 binary file. The file will have a "-----BEGIN ENCRYPTED PRIVATE KEY-----" block and a "-----BEGIN CERTIFICATE-----" block.
This Stack Overflow has the commands to extract the key from the p12 using openssl for Windows.
HTH,
Rob.
Reply all
Reply to author
Forward
0 new messages