Monday, 19 April 2021

Configure MongoDB to use TLS/SSL

The following information is required to configure TLS/SSL on Mongo:
  • PEMKeyFile: This file contains the TLS/SSL certificate and key. The mongod/mongos instance presents this file to its clients to establish the instance's identity.
  • CAFile: This file contains the certificate chain for verifying client certificates. The mongod/mongos instance uses this file to verify certificates presented by its clients. The certificate chain includes the certificate of the root Certificate Authority.
Here we are using .pem files to configure the MongoDB server and client to use TLS/SSL.

Mongo TLS/SSL Server Side Configuration:

To use TLS/SSL connections and perform client certificate validation, include the following TLS/SSL settings in your mongod/mongos instance's configuration file (mongod.cfg).

The mongod.cfg file can be opened from your installation directory; in my case I installed MongoDB on the C drive, i.e. C:\Program Files\MongoDB\Server\4.2\bin

Add the net.ssl lines shown below to your mongod.cfg file (the remaining lines are the existing default configuration).

# mongod.conf

storage:
  dbPath: C:\Program Files\MongoDB\Server\4.2\data
  journal:
    enabled: true

systemLog:
  destination: file
  logAppend: true
  path:  C:\Program Files\MongoDB\Server\4.2\log\mongod.log

# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1,localhost
  ssl:
    mode: requireSSL
    PEMKeyFile: C:\Program Files\MongoDB\Server\4.2\bin\application-key.pem
    CAFile: C:\Program Files\MongoDB\Server\4.2\bin\application-ca.pem

Once you have added the above properties to the mongod.cfg file, restart the MongoDB Server service.

Once the service has restarted, the Mongo server is configured with SSL.

To verify whether the Mongo server has been successfully configured with SSL, open the mongod.log file (C:\Program Files\MongoDB\Server\4.2\log); you will see the corresponding log entries.

The Mongo server is now configured to accept SSL connections.

Mongo TLS/SSL Client Side Configuration:

Now run the following openssl command to create a PKCS12 file.

openssl pkcs12 -export -out application_keystore.pkcs12 -in application-key.pem -password pass:changeit

Once your PKCS12 file is created, we have to create a JKS file using the command below. Open cmd from the PKCS12 file location and execute the command.
When you execute the command you need to enter a password; in my case I used the default keystore password, i.e. changeit.
After entering the password 3 times, the JKS file will be generated at the same location.

keytool -importkeystore -srckeystore application_keystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS

Now we need to reference the path of this JKS file in your Java code, as given below, and restart your application.

// Sets the JVM-wide trust store: every TLS connection made by this process will use it
System.setProperty("javax.net.ssl.trustStore", "<path>/keystore.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

Alternatively, if you do not want to reference the JKS file from your Java code, import the certificate directly into your Java cacerts trust store using the keytool command below.

To run the command, open cmd from the Java installation's security directory; in my case I opened it from the C:\Program Files\Java\jdk1.8.0_65\jre\lib\security location.

keytool -importcert -alias <Alias Name> -file /application-key.pem -trustcacerts -keystore cacerts -storetype JKS

Once you execute the above command it will ask for a password; in my case I used the default keystore password, i.e. changeit. Once this is done, restart the application.
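As an added example (not from the original post), here is a Java client that loads keystore.jks into a per-client SSLContext instead of the JVM-wide javax.net.ssl.trustStore properties, so only the MongoDB connection trusts that certificate while other TLS connections keep the default trust. It assumes the mongodb-driver-sync 4.x driver, the assumed path C:/certs/keystore.jks with the changeit password from the steps above, and that the certificate in application-key.pem names localhost (hostname verification is left on).

```java
import com.mongodb.ConnectionString;
import com.mongodb.MongoClientSettings;
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;
import org.bson.Document;

import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

public class MongoTlsClient {

    // Builds an SSLContext that trusts only the certificates held in the given JKS file.
    // Unlike System.setProperty("javax.net.ssl.trustStore", ...), this does not change
    // the trust settings for every TLS connection in the JVM.
    static SSLContext sslContextFromJks(String jksPath, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(jksPath)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key: server-auth only
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // keystore.jks is the file produced by the keytool -importkeystore step; path is assumed
        SSLContext ctx = sslContextFromJks("C:/certs/keystore.jks", "changeit".toCharArray());

        // tls=true matches the server's requireSSL mode; the custom context replaces the
        // default trust store, and hostname verification stays enabled (no invalidHostNameAllowed)
        MongoClientSettings settings = MongoClientSettings.builder()
                .applyConnectionString(new ConnectionString("mongodb://localhost:27017/?tls=true"))
                .applyToSslSettings(b -> b.enabled(true).context(ctx))
                .build();

        try (MongoClient client = MongoClients.create(settings)) {
            // A ping over the TLS connection confirms the handshake and trust chain worked
            Document ping = client.getDatabase("admin").runCommand(new Document("ping", 1));
            System.out.println("TLS connection OK: " + ping.toJson());
        }
    }
}
```

If mongod was started with CAFile and rejects connections that present no client certificate, this server-auth-only context will fail the handshake; either allow connections without certificates on the server or add a KeyManager holding a client certificate to the SSLContext.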

