The answer to my question comes from an article I found this afternoon and I completely understand what I was doing wrong before.
http://demarcsek92.blogspot.com/2014/05/mongodb-ssl-setup.html
I'll explain a little more because of the suggestion from Markus.
Originally I was generating client and server key/certification pairs from a root CA that I had created. I was concatenating (adding) the other certificates that I was making to the root CA and using this as the input for --sslCAFile. The issue I was creating was using my server.pem key/cert for each node and then trying to pass the client.pem file to the server for validation which I found out throws the generic "Self signed certificate" error. Apparently it happens whenever invalid certs/keys are passed to the server to create a connection.
(I'm going to gloss over how to make the server/client key/cert as it is in the article and I would like people to go there for more explanation as it is this gentleman's solution and not my own.)
Create server.key and server.crt
Use "type server.key server.crt > server.pem" (for Windows)
Create client.key and client.crt
Use "type client.key client.crt > client.pem"
For the server the setup will be:
--sslPEMKeyFile = server.pem
--sslCAFile = client.pem
For the client the setup will be:
--sslPEMKeyFile = client.pem
--sslCAFile = server.pem
This solution, as is, works for a single node and single client connection. I was able to trace the line with Wireshark and see that Mongo had stopped identifying itself and that when I drilled down into the packets using the Follow TCP Stream option the only information it was exposing was part of the subject used in creating my certificates (ok behavior).
Find "Client Hello" transmission from Mongo by:
Right-clicking on one of the transmission messages > Decode as... > Transport tab > SSL
On the "Client Hello" transmission from Mongo:
Right-click the packet > Follow TCP Stream > You should see the packet encrypted
NEXT STEP:
My next step is to figure out how to setup SSL certificates for a 3 node replica set. I'm still trying to wrap my head around creating certificates for each node and how they can all be linked so it will allow for each to trust each other and a client connection.
(I'm going to look into the Stack Exchange rules but I was just thinking about chaining to the next topic with a link in this one)
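Example code added to this answer (not from the post or the linked article): it mimics the `type server.key server.crt > server.pem` concatenation step above and then checks each bundle for the role it is given on the mongod/client command line. Mongo treats --sslCAFile as a trust store, so the check flags a private key inside it; only the .crt half is needed there. The PEM bodies are constructed placeholders, not real key material.

```python
import re
from typing import List

# One PEM block; group 1 is its label ("RSA PRIVATE KEY", "CERTIFICATE", ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# Constructed stand-ins for the files the post creates; the base64 bodies are
# placeholders, not real key material.
SERVER_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIBconstructedServerKey==\n-----END RSA PRIVATE KEY-----\n"
SERVER_CRT = "-----BEGIN CERTIFICATE-----\nMIICconstructedServerCert==\n-----END CERTIFICATE-----\n"
CLIENT_KEY = "-----BEGIN PRIVATE KEY-----\nMIIBconstructedClientKey==\n-----END PRIVATE KEY-----"  # no final newline
CLIENT_CRT = "-----BEGIN CERTIFICATE-----\nMIICconstructedClientCert==\n-----END CERTIFICATE-----\n"


def build_bundle(*parts: str) -> str:
    """Concatenate key and certificate text the way `type server.key server.crt > server.pem`
    does, making sure every block starts on its own line even if a file lacks a final newline."""
    return "".join(p if p.endswith("\n") else p + "\n" for p in parts)


def pem_labels(text: str) -> List[str]:
    """Labels of all PEM blocks in the text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_pem_key_file(bundle: str) -> List[str]:
    """Problems with a file meant for --sslPEMKeyFile: it must carry exactly one
    private key plus a certificate, otherwise the TLS handshake cannot complete."""
    labels = pem_labels(bundle)
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    problems = []
    if len(keys) != 1:
        problems.append(f"expected 1 private key, found {len(keys)}")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    return problems


def check_ca_file(bundle: str) -> List[str]:
    """Problems with a file meant for --sslCAFile: it is a trust store, so it needs
    at least one certificate and should not contain any private key."""
    labels = pem_labels(bundle)
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    problems += [f"private key ({l}) present in CA file" for l in labels if l.endswith("PRIVATE KEY")]
    return problems


SERVER_PEM = build_bundle(SERVER_KEY, SERVER_CRT)   # --sslPEMKeyFile for mongod
CLIENT_PEM = build_bundle(CLIENT_KEY, CLIENT_CRT)   # --sslPEMKeyFile for the client
```

Run `check_ca_file(CLIENT_PEM)` to see the caveat: the post's pairing passes the client's full .pem as the server's CA file, and the check reports the private key that rides along in it.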
As an answer to your first question, both tools (by default) will just walk the _id index to fetch the data and then write it out to disk. So, yes, both tools will similarly impact your working set, which is why I would generally recommend running them against a secondary (preferably a hidden secondary if possible). I'll echo Stennie in the comments here and recommend other backup methods if you are dealing with large amounts of data.
For the second question, I assume you are looking for a mongodump equivalent of the --fields option from mongoexport to only dump out specific fields. The query option can be used to filter results, but it cannot be used with a projection (to select the fields returned) - this is a feature request that is being tracked in TOOLS-28 but is not yet scheduled. As Stennie also mentioned, the other option here is to write a custom exporter that fits your needs (and again, I would still recommend running it against a secondary to protect your working set).
Best Answer
You are using the --sslCAFile argument; this is to specify the Certificate Authority file to be used against the server's certificate. I think you might need to use --sslPEMKeyFile instead of --sslCAFile. Better yet, you might need to specify them both if you are using self-signed certificates with a custom Certificate Authority.