What do I need to do to connect from a Windows 10 box to the server without having to give the users the private key of the server?
I have MongoDB 4.4.8.0 on a Windows Server 2016 server. I have a signed certificate for the server, a .p12 file that I installed in Windows. The only way I can seem to connect with TLS from a Windows 10 machine to the MongoDB hosted on the server is if I use the server’s private key that was exported as a .pem file to remove the password. This is not a secure solution.
Is there anyone that can help with this? It seems like it should be a simple setup to connect from Win10 to Server 2016 with TLS (without having to share the server’s private key).
I assumed that you are utilising a self-signed certificate. If so, you should create a root Certificate Authority (CA) file that you use to generate both the server and client pem files. You only need to share the root CA certificate.
Thanks for the reply. I am using CA signed certificates. Does this make a difference in process from the self-signed certs? I tried generating PEM files for the root CA using the server’s cert (a PKCS#12 cert) using OpenSSL, but it would not recognize that PEM as valid. Do I need a CA signed certificate for the client as well, since there is the client.pem file in the command to connect?
To clarify, since I’m running this on a Windows server I’m using this option for the certificate to start the mongod service.
Starting in MongoDB 4.0, you can use system SSL certificate stores for Windows and macOS. To use the system SSL certificate store, specify net.tls.certificateSelector instead of specifying the certificate key file.
This appears to work properly as I can connect to the server, but only using the server’s private key from the Windows 10 client.
Potentially, depending on what you are trying to do and what you have from the trusted CA.
Depends on what you’re trying to do. For example, if you would like to connect to a MongoDB instance using the encryption TLS options, i.e. for the server to identify itself, then you could just provide the --tlsCAFile parameter in the client (or specify --tlsCertificateSelector to use the system store instead of specifying the file), i.e.
With a PKI system you don’t provide one instance’s private key to other instances.
If you’re setting this up for production purposes, I’d recommend either getting help from a security consultant, or deploying your database as a managed cluster, i.e. MongoDB Atlas. Please see also Atlas Security.
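As an added worked example (not from this thread and not MongoDB's own tooling), the script below builds a throwaway PKI with OpenSSL laid out the way the two replies describe: a root CA that signs both a server and a client certificate, the server's key+cert bundled into a PKCS#12 as a commercial CA would hand it over, and then the one file that actually crosses to the client, the CA chain, pulled out of that .p12 with `-cacerts -nokeys`. It also shows why treating the server's own certificate as the trust anchor fails. The hostname `mongo.example.internal`, the directory layout and the `demo` PKCS#12 password are assumptions for the demo; the mongod/mongo flags in the trailing comment are the 4.4 names.

```shell
#!/bin/sh
# Added demo (not the thread's own commands): a throwaway PKI laid out the way
# a MongoDB deployment wants it, to show which file crosses to the client.
# Hostname, paths and the "demo" PKCS#12 password are assumptions.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

build_demo_pki() {
  mkdir -p "$1/server" "$1/client"
  ( cd "$1"
    # 1. Root CA. Stands in for the commercial CA that signed the OP's cert.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
      -keyout ca.key -out ca.csr 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.cnf
    openssl x509 -req -in ca.csr -signkey ca.key -days 365 -extfile ca.cnf \
      -out ca.pem 2>/dev/null

    # 2. Server key + CSR; the SAN must match the name clients connect to.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mongo.example.internal" \
      -keyout server/server.key -out server.csr 2>/dev/null
    printf 'subjectAltName=DNS:mongo.example.internal\n' > san.cnf
    openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
      -days 365 -extfile san.cnf -out server/server.crt 2>/dev/null

    # What a CA typically returns: one .p12 bundling key, cert and chain.
    openssl pkcs12 -export -inkey server/server.key -in server/server.crt \
      -certfile ca.pem -passout pass:demo -out server/server.p12

    # 3. Optional client cert, only needed if mongod will demand one.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=win10-user" \
      -keyout client/client.key -out client.csr 2>/dev/null
    openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
      -days 365 -out client/client.crt 2>/dev/null
    cat client/client.key client/client.crt > client/client.pem

    # 4. MongoDB's server.pem is key + cert in one file. It stays on the server.
    cat server/server.key server/server.crt > server/server.pem

    # 5. The only artifact the client needs: the CA chain, extracted from the
    #    .p12 with -cacerts -nokeys so no private key can come along.
    openssl pkcs12 -in server/server.p12 -passin pass:demo \
      -cacerts -nokeys -out client/ca.pem 2>/dev/null

    rm -f ca.key ca.csr ca.cnf server.csr client.csr san.cnf
  )
}

# Client-side check: the server's chain validates against the CA cert alone.
verify_server_cert() {
  openssl verify -CAfile "$1/client/ca.pem" "$1/server/server.crt" >/dev/null 2>&1
}

# The detour to avoid: the server's own cert is a leaf, not a CA, so using it
# as the trust anchor fails even though it is a perfectly valid PEM file.
server_cert_is_not_a_ca() {
  ! openssl verify -CAfile "$1/server/server.crt" "$1/server/server.crt" >/dev/null 2>&1
}

# Nothing shipped to the client may contain a private key.
client_has_no_server_key() {
  ! grep -q "PRIVATE KEY" "$1/client/ca.pem"
}

DEMO_DIR="${DEMO_DIR:-$(mktemp -d)}"
build_demo_pki "$DEMO_DIR"
verify_server_cert "$DEMO_DIR" && echo "client/ca.pem validates server.crt"
server_cert_is_not_a_ca "$DEMO_DIR" && echo "server.crt alone is not a trust anchor"
client_has_no_server_key "$DEMO_DIR" && echo "no private key in client/ca.pem"

# Matching mongod / mongo invocations (4.4 flag names), for reference:
#   server:  mongod --tlsMode requireTLS --tlsCertificateKeyFile server\server.pem --tlsCAFile ca.pem
#            (or keep the .p12 in the Windows store and use --tlsCertificateSelector thumbprint=<hex>)
#   client:  mongo --tls --host mongo.example.internal --tlsCAFile client\ca.pem
#            If mongod rejects connections without a client certificate, either add
#            --tlsCertificateKeyFile client\client.pem on the client or start mongod
#            with --tlsAllowConnectionsWithoutCertificates.
```

The point of step 5 is the one the original question turns on: `openssl pkcs12 ... -cacerts -nokeys` reads the same .p12 the server uses but writes only the issuer certificates, so the file handed to the Windows 10 machine can never contain the server's private key, and `openssl verify` confirms that this CA-only file is sufficient to validate the server.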