Configure X.509 certificate as internal authentication for MongoDB server

1. Create Private Key

    openssl genrsa -out ~/ssl/rootCA.key 2048

   Passphrase: Agnav2022 (dev only)

2. Create CA certificate

    openssl req -x509 -new -key ~/ssl/rootCA.key -days 7300 -config ./ssl-config.cnf -out ~/ssl/rootCA.crt

3. Create host certificates

   Run ./makeCert.sh for each server/node.

4. Move the cert file and CA cert file to each node and set permissions

    # create ssl directory in mongodb folder
    sudo mkdir -p /etc/mongodb/ssl

    # move the host certificate (localhost.pem here) and copy the CA certificate into it
    sudo mv ~/ssl/localhost.pem /etc/mongodb/ssl/
    sudo cp ~/ssl/rootCA.crt /etc/mongodb/ssl/

    # chmod to 700 and change ownership of the folder to mongodb
    sudo chmod 700 /etc/mongodb/ssl
    sudo chown -R mongodb:mongodb /etc/mongodb

5. Configure the Mongo config file with the certificate on each node

    net:
      port: 27017
      bindIp: 0.0.0.0
      tls:
        mode: preferTLS
        certificateKeyFile: /etc/mongodb/ssl/localhost.pem
        CAFile: /etc/mongodb/ssl/rootCA.crt
        clusterFile: /etc/mongodb/ssl/localhost.pem
    security:
      clusterAuthMode: x509

6. Restart the Mongo instance on each node. If using replicas, perform this on each node; step down the primary first before configuring and restarting it.

Done.

Test with mongo command line:

    sudo mongo -u admin -p 'Minad!2019' --authenticationDatabase 'admin' \
        --tls --tlsCAFile '/etc/mongodb/ssl/rootCA.crt' \
        --tlsCertificateKeyFile '/etc/mongodb/ssl/localhost.pem' \
        --host localhost
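
Step 3 runs ./makeCert.sh without showing it. The sketch below is an added example, not the author's script: one way to issue a host certificate from the root CA of steps 1-2 and check it before copying it to a node. The function names, the ExampleOrg organization, the OU value and the 365-day lifetime are assumptions.

```shell
# Hypothetical stand-in for makeCert.sh (added example; names are assumptions).
# make_host_cert <ca_dir> <hostname> [org]  -> writes <ca_dir>/<hostname>.pem
make_host_cert() {
    ca_dir=$1; host=$2; org=${3:-ExampleOrg}   # ExampleOrg is a placeholder
    ext=$(mktemp) || return 1

    # SAN carries the name other members use to reach this node; both EKUs
    # are listed because a member acts as TLS server and as TLS client.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' \
        "$host" > "$ext"

    # Host key and CSR. O and OU must be identical on every member certificate
    # for clusterAuthMode x509 to treat the nodes as one cluster.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$ca_dir/$host.key" -out "$ca_dir/$host.csr" \
        -subj "/O=$org/OU=mongodb/CN=$host" 2>/dev/null || return 1

    # Sign with the root CA (prompts if rootCA.key is passphrase-protected).
    openssl x509 -req -in "$ca_dir/$host.csr" -days 365 -sha256 \
        -CA "$ca_dir/rootCA.crt" -CAkey "$ca_dir/rootCA.key" -CAcreateserial \
        -extfile "$ext" -out "$ca_dir/$host.crt" || return 1
    rm -f "$ext"

    # mongod reads key and certificate from one PEM file; create it owner-only.
    ( umask 077; cat "$ca_dir/$host.key" "$ca_dir/$host.crt" > "$ca_dir/$host.pem" )
}

# check_host_cert <ca_dir> <hostname>
# Returns 0 if OK, 1 bad chain, 2 key/cert mismatch, 3 hostname missing from SAN.
check_host_cert() {
    ca_dir=$1; host=$2; pem=$ca_dir/$host.pem
    openssl verify -CAfile "$ca_dir/rootCA.crt" "$pem" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -in "$pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$pem" -pubout 2>/dev/null)" ] || return 2
    openssl x509 -in "$pem" -noout -text | grep -qF "DNS:$host" || return 3
}
```

Running check_host_cert against the CA file that will be deployed as CAFile catches a wrong-CA or mismatched-key PEM before mongod is restarted with it.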