Generate CA and server PEM key files using 10gen x509gen.
The client PEM key file you will need to generate manually because 10gen x509gen does not support the emailAddress field.
$ openssl req -nodes -newkey rsa:2048 -keyout client.key -out client.csr -subj '/CN=userWithEmail/OU=MMSAutomationClient/O=MongoDB/L=NewYorkCity/ST=NewYork/C=US/emailAddress=user@mongodb.com'
$ openssl x509 -req -CA ca.pem -CAkey ca.pem -in client.csr -out client.cert -CAserial serial -CAcreateserial
$ cat client.cert client.key > client.pem
Note that I am using OpenSSL 1.0.2n.
Then start mongod:
$ mongod --dbpath=db1 --sslMode requireSSL --sslPEMKeyFile server.pem --sslCAFile ca.pem
And try to run the mongo shell:
$ mongo --ssl --sslCAFile ca.pem --sslPEMKeyFile client.pem
Failed global initialization: InvalidSSLConfiguration Unknown OID: 0x7FCA5FD249A0
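
A sanity check for the client.pem built in the steps above, as an added example that is not part of the original report: it confirms the file chains to the CA, that its private key matches its certificate, and lists the subject attributes it carries. The throwaway CA in `make_test_pki` is a constructed stand-in for the x509gen output, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not MongoDB tooling.

# Constructed stand-in for the x509gen CA: a throwaway self-signed CA whose
# ca.pem holds certificate and key together, then the client steps from above.
make_test_pki() {
    (
        cd "$1" || exit 1
        openssl req -x509 -nodes -newkey rsa:2048 -days 1 \
            -keyout ca.key -out ca.crt -subj '/CN=TestCA/O=Example' || exit 1
        cat ca.crt ca.key > ca.pem
        openssl req -nodes -newkey rsa:2048 -keyout client.key -out client.csr \
            -subj '/CN=userWithEmail/OU=MMSAutomationClient/O=MongoDB/L=NewYorkCity/ST=NewYork/C=US/emailAddress=user@mongodb.com' || exit 1
        openssl x509 -req -CA ca.pem -CAkey ca.pem -in client.csr \
            -out client.cert -CAserial serial -CAcreateserial || exit 1
        cat client.cert client.key > client.pem
    ) >/dev/null 2>&1
}

# True when the certificate in $2 verifies against the CA file $1.
# Matched on the printed verdict rather than on the exit status alone.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# True when the private key in the PEM file belongs to its certificate.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Prints the long name of each subject attribute, one per line.
subject_attrs() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^  *\([A-Za-z][A-Za-z0-9.]*\)  *=.*/\1/p'
}

# Runs all three checks: check_client_pem ca.pem client.pem
check_client_pem() {
    chains_to_ca "$1" "$2" || { echo "does not chain to CA"; return 1; }
    key_matches_cert "$2" || { echo "key/cert mismatch"; return 1; }
    subject_attrs "$2"
}
```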