If you have the PEMKeyFile and CAFile set up correctly (per the docs) then the remaining piece of the puzzle is to run with requireSSL sslMode to make sure that you will only accept SSL connections for your databases (there are other modes to allow for mixing encrypted and non-encrypted clients, but that is only really recommended for upgrading from non-SSL).
You can also use CRLs to revoke bad certs, allow weak validation for particular clients, but those are optional.
As the weak validation piece suggests you also have to set up your clients to use SSL and that will vary depending on the driver in use (as will getting it to present a valid cert). Don't forget things like MMS agents will need to be enabled for SSL also (commonly forgotten).
The answer to my question comes from an article I found this afternoon and I completely understand what I was doing wrong before.
http://demarcsek92.blogspot.com/2014/05/mongodb-ssl-setup.html
I'll explain a little more because of the suggestion from Markus.
Originally I was generating client and server key/certificate pairs from a root CA that I had created. I was concatenating (adding) the other certificates that I was making to the root CA and using this as the input for --sslCAFile. The issue I was creating was using my server.pem key/cert for each node and then trying to pass the client.pem file to the server for validation, which I found out throws the generic "Self signed certificate" error. Apparently it happens whenever invalid certs/keys are passed to the server to create a connection.
(I'm going to gloss over how to make the server/client key/cert as it is in the article and I would like people to go there for more explanation as it is this gentleman's solution and not my own.)
Create server.key and server.crt
Use "type server.key server.crt > server.pem" (for Windows)
Create client.key and client.crt
Use "type client.key client.crt > client.pem"
For the server the setup will be:
--sslPEMKeyFile = server.pem
--sslCAFile = client.pem
For the client the setup will be:
--sslPEMKeyFile = client.pem
--sslCAFile = server.pem
This solution, as is, works for a single node and single client connection. I was able to trace the line with Wireshark and see that Mongo had stopped identifying itself and that when I drilled down into the packets using the Follow TCP Stream option the only information it was exposing was part of the subject used in creating my certificates (ok behavior).
Find "Client Hello" transmission from Mongo by:
Right-clicking on one of the transmission messages > Decode as... > Transport tab > SSL
On the "Client Hello" transmission from Mongo:
Right-click the packet > Follow TCP Stream > You should see the packet encrypted
NEXT STEP:
My next step is to figure out how to setup SSL certificates for a 3 node replica set. I'm still trying to wrap my head around creating certificates for each node and how they can all be linked so it will allow for each to trust each other and a client connection.
(I'm going to look into the Stack Exchange rules but I was just thinking about chaining to the next topic with a link in this one)
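As an added example, not from either answer above nor from the linked article: the setup the first answer describes (a CAFile plus requireSSL) and the procedure in this answer both come down to one private CA that signs a certificate for each mongod and for each client, after which every process is pointed at the same ca.crt. That is also what makes the three-node case work: issue one server certificate per node hostname from the same CA key and give all nodes and clients the same CA file, rather than pinning each side's PEM as the other's CA. Hostnames, subject names and the output directory below are placeholders; openssl must be on PATH.

```shell
#!/bin/sh
# Added example (not from this thread or the linked article): one private CA,
# one leaf certificate per mongod node and per client, one shared ca.crt.
# Placeholders: DIR, the hostname and subject names. Requires openssl.
set -eu

# make_ca DIR: the single trust anchor. Its subject must differ from every leaf.
make_ca() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Mongo Root CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  chmod 600 "$1/ca.key"
}

# issue_cert DIR NAME ROLE: sign NAME.crt with the CA and write NAME.pem
# (key + cert concatenated, which is what --sslPEMKeyFile expects).
# ROLE is "server" (NAME is the hostname clients dial; it goes into the SAN)
# or "client".
issue_cert() {
  dir=$1; name=$2; role=$3
  if [ "$role" = server ]; then
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$name" \
      > "$dir/$name.ext"
  else
    printf 'extendedKeyUsage=clientAuth\n' > "$dir/$name.ext"
  fi
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 825 -in "$dir/$name.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
  cat "$dir/$name.key" "$dir/$name.crt" > "$dir/$name.pem"
  chmod 600 "$dir/$name.key" "$dir/$name.pem"
}

# verify_chain DIR NAME: the leaf must chain to ca.crt. This is the check
# that fails when a leaf certificate is handed in as the CA file.
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# pem_has_key_and_cert FILE: both halves must be present in the PEM file.
pem_has_key_and_cert() {
  grep -q 'BEGIN .*PRIVATE KEY' "$1" && grep -q 'BEGIN CERTIFICATE' "$1"
}

# Build a CA, one server cert per replica-set member, one client cert.
# Each node then runs (3.x-era flag names as used in the thread; newer
# releases spell them --tlsMode / --tlsCertificateKeyFile / --tlsCAFile):
#   mongod --sslMode requireSSL --sslPEMKeyFile DIR/<host>.pem --sslCAFile DIR/ca.crt
# and a client connects with:
#   mongo --ssl --host <host> --sslPEMKeyFile DIR/app-client.pem --sslCAFile DIR/ca.crt
if [ "${1:-}" = build ]; then
  make_ca "$2"
  for host in mongo1.example.internal mongo2.example.internal mongo3.example.internal; do
    issue_cert "$2" "$host" server
  done
  issue_cert "$2" app-client client
fi
```

Keep ca.key off the database hosts once the certificates are issued: every node trusts anything that chains to it, so the CA key is the credential that matters. The server SAN must match the hostname in the connection string, otherwise drivers that check the hostname (not just the chain) will still refuse the node.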
Best Answer
Simple. Change the parameter ssl_cert_file to point to your server certificate and ssl_key_file to the private key that belongs to it. If the private key requires a pass-phrase, you also have to set ssl_passphrase_command appropriately. To validate client certificates, put the certification authority certificate in ssl_ca_file.
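The four parameters named in that answer are PostgreSQL settings. As an added example (not from the answer), this builds a passphrase-protected server key, the command that hands the passphrase to the server, and the postgresql.conf and pg_hba.conf lines that use them. One caveat worth showing: ssl_ca_file on its own only lets the server check a client certificate when one is offered; a hostssl line with clientcert=verify-full (PostgreSQL 12 and later) is what makes the certificate mandatory. Paths under DIR and the passphrase value are placeholders; openssl must be on PATH.

```shell
#!/bin/sh
# Added example, not from the answer above. Placeholders: DIR and the
# passphrase. Requires openssl.
set -eu

# make_pg_key DIR PASSPHRASE: an AES-encrypted server.key and the script that
# postgres will run as ssl_passphrase_command. The server reads the passphrase
# from the command's stdout, so the secret sits in a 0600 file, not in
# postgresql.conf.
make_pg_key() {
  dir=$1; pass=$2
  mkdir -p "$dir"
  printf '%s\n' "$pass" > "$dir/server.key.pass"
  chmod 600 "$dir/server.key.pass"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -aes-256-cbc -pass "file:$dir/server.key.pass" \
    -out "$dir/server.key" 2>/dev/null
  chmod 600 "$dir/server.key"
  printf '#!/bin/sh\ncat %s\n' "$dir/server.key.pass" > "$dir/passphrase.sh"
  chmod 700 "$dir/passphrase.sh"
}

# key_unlocks DIR: the same check postgres performs at startup, the output
# of the passphrase command must decrypt ssl_key_file.
key_unlocks() {
  openssl pkey -in "$1/server.key" -passin "pass:$("$1/passphrase.sh")" \
    -noout 2>/dev/null
}

# write_pg_ssl_conf DIR: postgresql.conf fragment with the four parameters,
# plus the pg_hba.conf lines that actually require a client certificate.
# Without the clientcert option a client that presents no certificate is
# still let in; the password check (scram) stays as a second factor.
write_pg_ssl_conf() {
  dir=$1
  cat > "$dir/postgresql.ssl.conf" <<EOF
ssl = on
ssl_cert_file = '$dir/server.crt'
ssl_key_file = '$dir/server.key'
ssl_passphrase_command = '$dir/passphrase.sh'
ssl_ca_file = '$dir/ca.crt'
EOF
  cat > "$dir/pg_hba.ssl.conf" <<EOF
# TYPE    DATABASE  USER  ADDRESS      METHOD         OPTIONS
hostssl   all       all   10.0.0.0/8   scram-sha-256  clientcert=verify-full
host      all       all   0.0.0.0/0    reject
EOF
}

# hba_requires_client_cert DIR: true only if every hostssl line carries
# clientcert=verify-full (or verify-ca).
hba_requires_client_cert() {
  ! grep '^hostssl' "$1/pg_hba.ssl.conf" | grep -qv 'clientcert=verify-'
}
```

verify-full additionally requires the certificate's CN to match the database user name (or a pg_ident.conf mapping); use verify-ca if you only want chain validation. The plain "host" line is listed last so that anything not arriving over TLS on the allowed range is rejected rather than falling through to a default.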