Skip to main content

How to enable SSL in MongoDB Community version

If we want to connect to a MongoDB instance running on one machine from a different machine (over internet), it would be more than advisable to secure the communication using SSL encryption. Fortunately MongoDB has in-built support for SSL and its very straight forward to enable it.

We can setup SSL connection using a certificate issues by a Certificate Authority or by using a self-signed certificate.

In this post we will cover steps for setting up SSL connection using a self-signed certificate on Ubuntu machine.

Follow below steps to setup self-signed SSL secured connection to MongoDB server from a remote machine.

1. Verify that your MongoDB installation supports SSL connection.

Run following command from command line
mongod --version
It should give output like:
db version v3.2.8

git version: ed70e33130c977bda0024c125b56d159573dbaf0

OpenSSL version: OpenSSL 1.0.1f 6 Jan 2014

allocator: tcmalloc

modules: none

build environment:

    distmod: ubuntu1404

    distarch: x86_64

    target_arch: x86_64

Notice the 'OpenSSL version' in the output. This suggests that your MongoDB installation supports SSL.

If you do not see 'OpenSSL' in the output, then your MongoDB installation probably does not support SSL. In this case you will have to install a version that come pre-built with SSL support or manually compile a version of MongoDB by enabling SSL.

2. Generate Self-signed certificate for Server.

To generate a self-signed certificate we would use OpenSSL. Most Ubuntu distributions come pre-installed with OpenSSL.

To install OpenSSL manually type command:
sudo apt-get install openssl

Once you have OpenSSL installed use following command to generate certificate.
openssl req -newkey rsa:2048 -new -x509 -days 365 -nodes -out mongodb-cert.crt -keyout mongodb-cert.key
You will be asked series of questions for generating the certificate.

Now use below command to concatenate certificate and key file to generate .pem file. MongoDB only supports .pem file.
cat mongodb-cert.key mongodb-cert.crt > mongodb.pem
Store mongodb-cert.key, mongodb-cert.crt and mongodb.pem files securely. You will need these files to connect to your MongoDB using SSL connection.

Copy mongodb.pem file to a preferred directory from where you want MongoDB to read this file. E.g.
3. Generate Self-signed certificate for Client.

Generating certificate for Client is similar to generating certificate for server. Use below commands to generate client certificates.
openssl req -newkey rsa:2048 -new -x509 -days 365 -nodes -out client-cert.crt -keyout client-cert.key
cat client-cert.key client-cert.crt > client.pem
4. Configure MongoDB to enable SSL

Open mongd.conf file
sudo vi /etc/mongod.conf
and add following lines to enable SSL.
net:    ssl:       mode: requireSSL       PEMKeyFile: /etc/ssl/mongodb.pem       CAFile: /etc/ssl/client.pem
'mode' as 'requireSSL' means that only SSL connects can be established non SSL connection will not work. You can set 'mode' to 'allowSSL' to support both SSL and non-SSL connections.

Restart mongod service to load new configurations.
sudo service mongod restart

4. Test SSL connection

Use --ssl option while starting MongoDB shell to connect using SSL connection
mongo --ssl --sslCAFile /etc/ssl/mongodb.pem --sslPEMKeyFile /etc/ssl/client.pem --host <host-name>