I - Making Mongo SSL certs for Mongo DB Server replica set

# Check openssl version
openssl version

# openssl subcommands used below
openssl genrsa: generates a private key
openssl req:    generates a CSR (or, with -x509, a self-signed certificate)
openssl x509:   signs a CSR and emits the certificate

1. Create the private key for the root CA issuer
# The key is encrypted with AES-256; the passphrase is read from ./rootCA/pphrase, which must be readable by root only.
# Give the key size explicitly (append e.g. 4096 as the last argument) rather than relying on the build's default.
openssl genrsa -passout file:./rootCA/pphrase -out ./rootCA/rootCA.key -aes256

2. Create the root CA certificate (self-signed, 7300 days = 20 years)
# root-ssl-config.cnf supplies the CA's DN and must set basicConstraints = CA:TRUE, otherwise clients will not accept it as an issuer.
openssl req -x509 -new -key ./rootCA/rootCA.key -days 7300 -config ./root-ssl-config.cnf -out ./rootCA/rootCA.crt

# View the certificate
openssl x509 -noout -text -in ./rootCA/rootCA.crt

3. Create a CSR (and its private key) for each of the member servers/hosts
# CN=localhost below is only an example: on a real member the CN must be the hostname the other members and clients connect to, and the same name must also appear in subjectAltName (added in step 4).
# All subject fields other than CN (O, OU, DC) must be identical on every member certificate, and at least one of them must be non-empty, or x.509 membership authentication rejects the member.
SUBJECT="/C=CA/ST=ON/L=Barrie/O=AG-NAV Inc./OU=SD/CN=localhost/emailAddress=software@agnav.com"
openssl req -new -nodes -newkey rsa:2048 -subj "$SUBJECT" -keyout server1.key -out server1.csr
# -nodes leaves server1.key unencrypted so mongod can read it unattended at start-up; it is protected by file permissions only (step 6).
or using the shell script: ./makeCSR

4. Sign the CSR with the root CA to create the member certificate
openssl x509 -req -days 7300 -in server1.csr -CA ./rootCA/rootCA.crt -CAkey ./rootCA/rootCA.key -CAcreateserial -out ./server1.crt -sha256 -extfile v3-ext.cnf
# v3-ext.cnf carries the extensions for the member certificate: subjectAltName = DNS:<hostname>, and extendedKeyUsage = serverAuth, clientAuth (members authenticate to each other as both server and client, so both are required if an EKU is present).
# -days 7300 gives the member certificate the same 20-year lifetime as the CA; a shorter lifetime forces the rotation in part II to actually happen.

5. Create a privacy enhanced mail (PEM) file for mongod: private key first, then the certificate
cat server1.key server1.crt > server1.pem
or using the shell script (for steps 4 and 5): ./makeCert

6.
Deploy (run as root on each member)
Move the .crt and .pem files to /etc/ssl/certs/ and the .key (private key) file to /etc/ssl/private/ (the .csr is not needed on the server once the certificate is issued).
Change the permissions on all of them to read-only, 440. The .pem contains the private key, so treat it like the .key: owned by root and the group mongod runs as, never world-readable.
# (Optional) Create the appcerts user group, then add the users root, www-data, mongodb and rabbitmq to the group, and make that group the group owner of the certificate files.

Reference:
https://www.bustedware.com/blog/mongodb-ssl-tls-x509-authentication#create-certificate-authority
https://www.mydbops.com/blog/securing-mongodb-cluster-with-tls-ssl
https://www.ibm.com/docs/en/hpvs/1.2.x?topic=SSHPMH_1.2.x/topics/create_ca_signed_certificates.htm
https://www.filecloud.com/supportdocs/fcdoc/latest/server/filecloud-administrator-guide/filecloud-site-setup/filecloud-high-availability/configure-mongodb-cluster-to-use-tls-ssl-with-cluster-authentication-and-mongodb-authentication-on-linux

II - Replace/Renew/Rotate SSL x509 certs for a replica set

1. Make CSRs
./makeCSR.sh agndb0.agnav.com
./makeCSR.sh agndb1.agnav.com
./makeCSR.sh agndb2.agnav.com

2. Make Certs
./makeCert.sh agndb0.agnav.com
./makeCert.sh agndb1.agnav.com
./makeCert.sh agndb2.agnav.com

3. Copy them to each node to deploy
# The glob copies the .key and .pem too, so the private key is in transit (over ssh) and lands in a home directory; move it into place (3.2) promptly.
scp ./rootCA/rootCA.crt agnav@kanboard.agnav.com:~/agnav_rootCA.crt
scp agndb2* agnav@kanboard.agnav.com:~/
scp -P 22222 agndb1* agm@agmission-1.agnav.com:~/
scp -P 22889 agndb0* agmission@agmission.agnav.com:~/

## Check after copying
ssh agnav@kanboard.agnav.com 'ls ~/'
ssh -p 22222 agm@agmission-1.agnav.com 'ls ~/'
ssh -p 22889 agmission@agmission.agnav.com 'ls ~/'

3.2 Copy them to the deploy storage location (step 6 of part I) on every member before restarting anything, so that each restarted node comes back with the new certificate.

4. Restart the members one at a time, secondaries first, then the primary.
# Wait for each restarted node to rejoin (rs.status() shows it SECONDARY again) before moving to the next, so the set keeps a majority.
# On the primary, run rs.stepDown() first so it hands over cleanly, then restart it.

5. Verify they all work.
# Do not put the password on the command line (it ends up in shell history and in ps); let the shell prompt for it.
mongo -u admin --authenticationDatabase 'admin'
rs.status()
tail -n 500 /var/log/mongodb/mongod.log

Reference:
https://www.mongodb.com/docs/manual/tutorial/rotate-x509-membership-certificates/
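The following is an added example, not the page's makeCSR/makeCert scripts, that runs the whole of part I end to end for the three members named in part II and then checks each resulting PEM the way mongod will before it is copied anywhere. The hostnames and DN fields are the page's; the scratch directory, the CA key size, the 825-day leaf lifetime, the inline stand-ins for root-ssl-config.cnf and v3-ext.cnf, and the randomly generated passphrase file are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example for this runbook (not the page's own scripts): build the root CA,
# mint a SAN-bearing certificate per replica-set member, assemble the key+cert
# PEM mongod loads, and verify each PEM. Hostnames and DN fields are from the
# page; WORK, key sizes, leaf lifetime and stand-in config files are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # assumption: scratch dir instead of ./rootCA and .
CA_DIR="$WORK/rootCA"
LOG="$WORK/openssl.log"
DAYS_CA=7300
DAYS_LEAF=825                  # assumption; the page uses 7300 for members as well
# Everything but CN must be identical on every member certificate, or x.509
# membership authentication rejects the member.
SUBJ_BASE="/C=CA/ST=ON/L=Barrie/O=AG-NAV Inc./OU=SD"
HOSTS="agndb0.agnav.com agndb1.agnav.com agndb2.agnav.com"

make_ca() {
  mkdir -p "$CA_DIR"
  # Constructed stand-in for ./rootCA/pphrase: a fresh random passphrase, owner-only.
  openssl rand -base64 32 > "$CA_DIR/pphrase"
  chmod 600 "$CA_DIR/pphrase"
  openssl genrsa -aes256 -passout "file:$CA_DIR/pphrase" -out "$CA_DIR/rootCA.key" 4096 2>>"$LOG"
  # Stand-in for root-ssl-config.cnf: the CA's DN plus CA:TRUE so verifiers accept it as an issuer.
  cat > "$CA_DIR/root-ssl-config.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
C  = CA
ST = ON
L  = Barrie
O  = AG-NAV Inc.
OU = SD
CN = AG-NAV MongoDB Root CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -sha256 -days "$DAYS_CA" \
    -key "$CA_DIR/rootCA.key" -passin "file:$CA_DIR/pphrase" \
    -config "$CA_DIR/root-ssl-config.cnf" -out "$CA_DIR/rootCA.crt" 2>>"$LOG"
}

make_member() {  # make_member <fqdn>: key + CSR, CA-signed cert, then the PEM mongod loads
  host="$1"; ext="$WORK/$host.ext"
  # -nodes: the key stays unencrypted because mongod reads it unattended at start-up.
  openssl req -new -nodes -newkey rsa:2048 -sha256 -subj "$SUBJ_BASE/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>>"$LOG"
  # Stand-in for v3-ext.cnf. Members talk to each other as server and as client, so the
  # EKU needs serverAuth and clientAuth; mongod matches the hostname on the SAN.
  cat > "$ext" <<EOF
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName   = DNS:$host
EOF
  openssl x509 -req -sha256 -days "$DAYS_LEAF" -in "$WORK/$host.csr" \
    -CA "$CA_DIR/rootCA.crt" -CAkey "$CA_DIR/rootCA.key" -passin "file:$CA_DIR/pphrase" \
    -CAcreateserial -extfile "$ext" -out "$WORK/$host.crt" 2>>"$LOG"
  # certificateKeyFile layout (page step 5): private key first, then the certificate.
  cat "$WORK/$host.key" "$WORK/$host.crt" > "$WORK/$host.pem"
  chmod 440 "$WORK/$host.key" "$WORK/$host.pem"   # page step 6; the PEM holds the key too
}

san_matches() {  # san_matches <pem> <fqdn>: 0 if the certificate's SAN lists the host
  case "$(openssl x509 -in "$1" -noout -text)" in
    *"DNS:$2"*) return 0 ;;
    *)          return 1 ;;
  esac
}

verify_member() {  # verify_member <fqdn>: the checks mongod's TLS stack would fail on
  host="$1"; pem="$WORK/$host.pem"
  openssl verify -CAfile "$CA_DIR/rootCA.crt" "$WORK/$host.crt" >/dev/null 2>&1 || return 1  # chains to our CA
  cert_pub=$(openssl x509 -in "$pem" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] || return 1                               # key and cert in the PEM belong together
  san_matches "$pem" "$host" || return 1                                  # hostname is in the SAN
  openssl x509 -in "$pem" -noout -checkend 2592000 >/dev/null || return 1  # not expiring within 30 days
}

check_membership_dn() {  # check_membership_dn <fqdn>...: 0 if the subjects differ only in CN
  first=""
  for h in "$@"; do
    dn=$(openssl x509 -in "$WORK/$h.crt" -noout -subject -nameopt RFC2253 \
         | sed -E 's/^subject=//; s/(^|,)CN=[^,]*//')
    if [ -z "$first" ]; then first="$dn"
    elif [ "$dn" != "$first" ]; then return 1; fi
  done
}

make_ca
for h in $HOSTS; do make_member "$h"; done
for h in $HOSTS; do verify_member "$h" || { echo "FAIL: $h" >&2; exit 1; }; done
check_membership_dn $HOSTS || { echo "FAIL: member DNs differ beyond CN" >&2; exit 1; }
echo "OK: rootCA.crt and <host>.pem files are in $WORK"
```

Run it once per rotation and copy `<host>.pem` to each member's net.tls.certificateKeyFile path and `rootCA.crt` to the CAFile path before the rolling restart in part II; `verify_member` and `check_membership_dn` are also worth running against a PEM that has already been copied to a member, since a wrong key/cert pairing or a CN-only certificate without a SAN only surfaces as a failed restart otherwise.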