How to enable TLS

This guide shows how to enable TLS using the self-signed-certificates operator as an example, and how to rotate private keys.

Caution

Self-signed certificates are not recommended for a production environment.

See this guide for an overview of the available TLS certificates charms and how to choose the right one for your use-case.

Enable TLS in a replica set

To enable TLS encryption, deploy the TLS charm and integrate it with the MongoDB application:

For the machine (VM) charm:

juju deploy self-signed-certificates
juju integrate self-signed-certificates mongodb:certificates

For the Kubernetes charm:

juju deploy self-signed-certificates
juju integrate self-signed-certificates mongodb-k8s:certificates

To disable TLS, simply remove the integration.

For the machine (VM) charm:

juju remove-relation mongodb self-signed-certificates

For the Kubernetes charm:

juju remove-relation mongodb-k8s self-signed-certificates

Enable TLS in a sharded cluster

Enabling encryption via TLS in a sharded cluster can be done before or after shards are added to the config-server.

However, it requires that:

  • All cluster components (the config-server and every shard) have encryption enabled.

  • All cluster components are integrated with the same Certificate Authority, i.e. the same TLS certificates application, so that every component trusts the certificates presented by the others.

To enable TLS, deploy the TLS charm and integrate it with all cluster components.

In a cluster with two shards (named shard0 and shard1) and a config-server, it would look as follows:

juju deploy self-signed-certificates

juju integrate config-server:certificates self-signed-certificates
juju integrate shard0:certificates self-signed-certificates
juju integrate shard1:certificates self-signed-certificates

To disable TLS, simply remove the integrations with the cluster components:

juju remove-relation config-server self-signed-certificates
juju remove-relation shard0 self-signed-certificates
juju remove-relation shard1 self-signed-certificates

Rotate private keys

The internal and external private keys used for the charm's certificate signing requests (CSR) can be updated via the set-tls-private-key action. To update all keys, you must run the set-tls-private-key action on every charmed MongoDB unit in your replica set or sharded cluster; a key set on one unit is not propagated to the others.

Manually generated key

To rotate private keys, first generate the keys:

openssl genrsa -out internal-key.pem 3072
openssl genrsa -out external-key.pem 3072

Then, apply the new external key to all MongoDB units in your replica set or sharded cluster.

Caution

Pass keys to Juju only as single-line values produced by base64 -w0, never via cat. A PEM file spans several lines, and the -w0 flag disables line wrapping, so the key becomes one line that is valid as an action parameter value.
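The following script is an added example tying the rotation steps above together; it is not part of the original page or of the charm's own code. It generates both keys with the openssl command shown above, checks that they parse, encodes them with base64 -w0 so each key is a single line, and runs set-tls-private-key on every unit of the named applications. Two things are assumptions not shown on this page: that the action accepts parameters named internal-key and external-key (confirm with `juju actions <application> --schema` before use), and the JUJU_CMD variable, which defaults to juju and can be set to echo for a dry run that only prints the commands.

```shell
#!/usr/bin/env bash
# Added example (not from the original page or the charm project): rotate the
# TLS private keys on every unit of a Charmed MongoDB replica set or sharded
# cluster, passing the keys the way the Caution above requires (base64 -w0).
#
# Assumptions not stated on the page:
#   * set-tls-private-key accepts the parameters internal-key and external-key;
#     check `juju actions <application> --schema` before relying on this.
#   * JUJU_CMD names the juju binary (default: juju). JUJU_CMD=echo gives a
#     dry run that only prints the commands that would be executed.
set -eu

# Generate a 3072-bit RSA key (the page's openssl command) unless the file already
# exists, so re-running the script never silently overwrites a key already applied.
generate_key() {
  [ -s "$1" ] || openssl genrsa -out "$1" 3072
}

# Succeeds only if the file is a parseable private key.
check_key() {
  openssl pkey -in "$1" -noout >/dev/null 2>&1
}

# Encode a PEM file as ONE base64 line. `cat` would hand Juju the multi-line PEM
# body, which is not a valid single action-parameter value.
encode_key() {
  base64 -w0 < "$1"
}

# True when the value contains no newline, i.e. it is safe as an action parameter.
is_single_line() {
  [ $(printf '%s' "$1" | wc -l) -eq 0 ]
}

# Print the units of one or more applications, e.g. "mongodb/0 mongodb/1".
# Requires jq; .applications.<name>.units is the unit map in `juju status --format=json`.
list_units() {
  local app
  for app in "$@"; do
    "${JUJU_CMD:-juju}" status --format=json \
      | jq -r --arg app "$app" '.applications[$app].units | keys[]'
  done
}

# Apply one internal and one external key to every unit named after the key paths.
rotate_keys() {
  local internal="$1" external="$2"; shift 2
  local int_b64 ext_b64 unit
  int_b64="$(encode_key "$internal")"
  ext_b64="$(encode_key "$external")"
  if ! is_single_line "$int_b64" || ! is_single_line "$ext_b64"; then
    echo "encoded key is not a single line; refusing to pass it to Juju" >&2
    return 1
  fi
  for unit in "$@"; do
    "${JUJU_CMD:-juju}" run "$unit" set-tls-private-key \
      internal-key="$int_b64" external-key="$ext_b64"
  done
}

# Usage: ./rotate-tls-keys.sh <application> [<application> ...]
#   ./rotate-tls-keys.sh mongodb                      (replica set)
#   ./rotate-tls-keys.sh config-server shard0 shard1  (sharded cluster)
main() {
  generate_key internal-key.pem
  generate_key external-key.pem
  if ! check_key internal-key.pem || ! check_key external-key.pem; then
    echo "generated file is not a valid private key" >&2
    return 1
  fi
  # shellcheck disable=SC2046  (word splitting of the unit list is intended)
  rotate_keys internal-key.pem external-key.pem $(list_units "$@")
}

if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Running it with JUJU_CMD=echo first shows exactly which units receive the action and confirms each key is passed as one base64 line; for a sharded cluster, name the config-server and every shard so that all components are rotated, matching the requirement in the section above that all components share one TLS setup.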

Auto-generated key

To auto-generate and rotate keys, run:

juju run <application-name>/leader set-tls-private-key