How to import certificates for MongoDB with SSL

Secure connections between Applications Manager and MongoDB servers require SSL/TLS certificates to encrypt communication and verify client/server identities. This guide walks you through generating, converting, and importing the required certificates to monitor a MongoDB server running in SSL mode.

Authentication Modes

- One-Way Authentication: only the server is verified by the client; no client certificate is required. Upload the CA certificate (CRT format) to apm.keystore.
- Two-Way (Mutual) Authentication: both the server and the client are verified; a client certificate is required. Upload the client certificate (PFX format) and the CA certificate (CER format) to apm.keystore.

Certificate Requirements

Part A: One-Way Authentication (Server Verification Only)

In one-way authentication, only the CA certificate is required. Applications Manager uses it to verify the MongoDB server's identity. Install OpenSSL on your machine before proceeding.

Step 1: Generate the CA Private Key

  openssl genrsa -out path/rootCA.key 2048

Step 2: Generate the CA Certificate (PEM Format)
Using the private key generated above, run the following command. You will be prompted to fill in certificate details. When asked for the Common Name, enter the hostname of the MongoDB server.

  openssl req -x509 -new -nodes -key path/rootCA.key -sha256 -days 1024 -out path/rootCA.pem

Step 3: Combine rootCA.key and rootCA.pem

  cat path/rootCA.key path/rootCA.pem > path/rootCACert.pem

Step 4: Convert the PEM File to CRT Format

MongoDB uses the .pem file internally. Applications Manager requires the certificate in .crt (DER) format for upload.

  openssl x509 -outform der -in path/rootCA.pem -out path/rootCA.crt

Note: The .pem file is used by the MongoDB server. The .crt file is what gets uploaded to Applications Manager.
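As an added example (not code from the original article or from ManageEngine), the following POSIX shell script runs the four Part A steps non-interactively and then checks the results the way a practitioner would before uploading: that rootCACert.pem holds both the key and the certificate, that the .crt file is really DER-encoded, that the DER and PEM files carry the same certificate, and that the Common Name is the MongoDB hostname. It assumes the openssl CLI is on PATH; the output directory, the hostname mongo.example.com and the function names are constructed for the demo, and the DER file is written as rootCA.crt, the name Step 5 uploads.

```shell
#!/bin/sh
# Added example, not from the original article. Scripts Part A (Steps 1-4)
# and verifies the files it produces. Assumes the openssl CLI is on PATH.
# Directory, hostname and function names are constructed for this demo.

# Steps 1-4 of Part A without prompts (-subj supplies the Common Name).
# $1 = output directory, $2 = MongoDB hostname (becomes the CA Common Name)
make_one_way_ca() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    # Step 1: CA private key
    openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null
    # Step 2: self-signed CA certificate, PEM format
    openssl req -x509 -new -nodes -key "$dir/rootCA.key" -sha256 -days 1024 \
        -subj "/CN=$host" -out "$dir/rootCA.pem"
    # Step 3: key + certificate in one file, the layout mongod reads
    cat "$dir/rootCA.key" "$dir/rootCA.pem" > "$dir/rootCACert.pem"
    # Step 4: DER-encoded copy (.crt) for upload to Applications Manager;
    # written as rootCA.crt, the file name Step 5 uploads (assumption)
    openssl x509 -outform der -in "$dir/rootCA.pem" -out "$dir/rootCA.crt"
}

# Prints the Common Name of the CA certificate (handles both the
# "CN = x" and the "/CN=x" subject layouts of different OpenSSL versions).
ca_common_name() {
    openssl x509 -in "$1/rootCA.pem" -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Returns 0 only if every artifact has the shape the later steps rely on.
# $1 = directory from make_one_way_ca, $2 = expected hostname
check_one_way_artifacts() {
    dir="$1"; host="$2"
    # combined PEM must contain both a private key and a certificate block
    grep -q "PRIVATE KEY-----" "$dir/rootCACert.pem" || return 1
    grep -q "BEGIN CERTIFICATE-----" "$dir/rootCACert.pem" || return 1
    # the .crt must really be DER (a PEM file would be rejected here)
    openssl x509 -inform der -in "$dir/rootCA.crt" -noout 2>/dev/null || return 1
    # the DER and PEM files must describe the same certificate
    pem_fp=$(openssl x509 -in "$dir/rootCA.pem" -noout -fingerprint -sha256)
    der_fp=$(openssl x509 -inform der -in "$dir/rootCA.crt" -noout -fingerprint -sha256)
    [ "$pem_fp" = "$der_fp" ] || return 1
    # the CN must be the hostname Applications Manager will connect to
    [ "$(ca_common_name "$dir")" = "$host" ]
}

# Usage: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    make_one_way_ca ./certs mongo.example.com
    check_one_way_artifacts ./certs mongo.example.com \
        && echo "Part A artifacts OK, CA CN=$(ca_common_name ./certs)"
fi
```

The fingerprint comparison is the useful check here: a .crt that was copied or converted from the wrong .pem will still upload successfully, and the mismatch only surfaces later as a handshake failure.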

Step 5: Upload the CA Certificate to Applications Manager

1. Go to AppManager UI → Settings → Manage Certificates → Trust Certificates.
2. Under Import From, select Certificate.
3. Choose apm.keystore.
4. Upload rootCA.crt.
5. Click Import Certificate.

Step 6: Verify the Import
Go to AppManager UI → Settings → Manage Certificates → List Certificates and confirm the certificate appears in the list.

Part B: Two-Way (Mutual) Authentication

Both the client certificate (PFX format) and the CA certificate (CER format) must be uploaded to apm.keystore.

Note: Check with the customer's DB team for the CA certificate (ca.crt) and CA private key (ca.key). If they are not available, generate them with the CA steps below. If they are already available, skip ahead to "Generate a Client Certificate Signed by the CA".

Generate a CA Certificate (If Not Already Available)

Step 1: Generate the CA Private Key

  openssl genrsa -out ca.key 4096

Step 2: Generate the CA Self-Signed Certificate

  openssl req -new -x509 -days 36500 -key ca.key -out ca.crt -subj "/CN=MyMongoCA/OU=IT/O=CompanyName/L=Chennai/ST=TamilNadu/C=IN"

This produces two files:
- ca.key — CA private key (keep this secure)
- ca.crt — CA public certificate (share with Applications Manager)

Generate a Client Certificate Signed by the CA

Step 1: Generate the Client Private Key

  openssl genrsa -out client.key 2048

Step 2: Generate the Client Certificate Signing Request (CSR)

  openssl req -new -key client.key -out client.csr -subj "/CN=mongo-java-client/OU=IT/O=CompanyName/L=Chennai/ST=TamilNadu/C=IN"

Step 3: Sign the Client Certificate with the CA

  openssl x509 -req -days 36500 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt

Step 4: Bundle Client Certificate and Key into PKCS#12 (.p12) Format

  openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -name "mongo-client" -passout pass:<password>

Step 5: Rename client.p12 to client.pfx

Java keystores and the Applications Manager UI accept .pfx format. Rename the file:

  client.p12 → client.pfx

Step 6: Rename ca.crt to ca.cer

  ca.crt → ca.cer

Upload Certificates to Applications Manager Keystore

Both certificates must be uploaded to apm.keystore.

Upload the Client Certificate (client.pfx)

1. Go to AppManager UI → Settings → Manage Certificates → Trust Certificates.
2. Under Import From, select Keystore/Truststore.
3. Choose apm.keystore.
4. Upload client.pfx.
5. Enter the file password and click Fetch Certificate.
6. Select the certificate and click Import Certificate.

Upload the CA Certificate (ca.cer)

1. Go to AppManager UI → Settings → Manage Certificates → Trust Certificates.
2. Under Import From, select Certificate.
3. Choose apm.keystore.
4. Upload ca.cer.
5. Click Import Certificate.

Verify the Import

Go to AppManager UI → Settings → Manage Certificates → List Certificates and confirm both certificates appear in the list.

Troubleshooting SSL-Enabled MongoDB Onboarding

If you encounter connection issues, verify the following:

- Credentials: Ensure the MongoDB username and password are correct.
- Permissions: Confirm the Applications Manager host has permission to access the MongoDB instance.
- MongoDB SSL Mode: Verify MongoDB is started with SSL enabled (e.g., --tlsMode requireTLS or equivalent net.tls settings in mongod.conf).

Diagnostics for Support

If issues persist, provide the following details:

MongoDB Server TLS Configuration (from mongod.conf):

  net:
    tls:
      mode: requireTLS
      certificateKeyFile: /etc/ssl/mongodb.pem
      CAFile: /etc/ssl/ca.crt

Certificate Chain Verification — Run the following to confirm the client certificate and CA share the same chain:

  openssl x509 -in client.crt -noout -subject -issuer
  openssl x509 -in ca.crt -noout -subject -issuer

The Issuer of client.crt must match the Subject of ca.crt.

Certificate Expiry Check — Run the following to verify the certificates are not expired:

  openssl x509 -in client.crt -noout -dates
  openssl x509 -in ca.crt -noout -dates
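The following POSIX shell script is an added example, not code from the article or from ManageEngine. It serves two passages: it runs the Part B steps (CA, client key, CSR, CA-signed client certificate, PKCS#12 bundle, then the .pfx and .cer names) non-interactively, and it turns the three diagnostics above into pass/fail functions: the issuer/subject comparison combined with a real signature check via openssl verify (a matching name alone does not prove the certificate was signed by that CA), an expiry check via -checkend, and opening client.pfx with its password, which mirrors the file-password step in the UI. It assumes the openssl CLI is on PATH; the working directory, the password and the function names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original article. Scripts Part B and the
# troubleshooting checks. Assumes the openssl CLI is on PATH; directory,
# password and function names are constructed for this demo.

# Part B: CA + client certificate signed by it, bundled into client.pfx.
# $1 = working directory, $2 = PKCS#12 password
make_mutual_tls_material() {
    dir="$1"; pw="$2"
    mkdir -p "$dir"
    openssl genrsa -out "$dir/ca.key" 4096 2>/dev/null
    openssl req -new -x509 -days 36500 -key "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=MyMongoCA/OU=IT/O=CompanyName/L=Chennai/ST=TamilNadu/C=IN"
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    openssl req -new -key "$dir/client.key" -out "$dir/client.csr" \
        -subj "/CN=mongo-java-client/OU=IT/O=CompanyName/L=Chennai/ST=TamilNadu/C=IN"
    openssl x509 -req -days 36500 -in "$dir/client.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/client.crt" 2>/dev/null
    openssl pkcs12 -export -in "$dir/client.crt" -inkey "$dir/client.key" \
        -out "$dir/client.p12" -name "mongo-client" -passout "pass:$pw"
    mv "$dir/client.p12" "$dir/client.pfx"   # Step 5: the UI expects .pfx
    cp "$dir/ca.crt" "$dir/ca.cer"            # Step 6: same bytes, .cer name
}

# Check 1: does client.crt chain to ca.crt? Returns 0 when the issuer of
# client.crt equals the subject of ca.crt AND the signature verifies.
chain_ok() {
    dir="$1"
    iss=$(openssl x509 -in "$dir/client.crt" -noout -issuer | sed 's/^issuer=//')
    sub=$(openssl x509 -in "$dir/ca.crt" -noout -subject | sed 's/^subject=//')
    [ "$iss" = "$sub" ] || return 1
    openssl verify -CAfile "$dir/ca.crt" "$dir/client.crt" >/dev/null 2>&1
}

# Check 2: both certificates must stay valid for at least $2 seconds
# (default 0, i.e. not expired right now).
not_expired() {
    dir="$1"; window="${2:-0}"
    openssl x509 -in "$dir/client.crt" -noout -checkend "$window" >/dev/null &&
        openssl x509 -in "$dir/ca.crt" -noout -checkend "$window" >/dev/null
}

# Check 3: open client.pfx with the password and print the client CN.
# Prints nothing when the password is wrong or the bundle is unreadable.
pfx_subject() {
    dir="$1"; pw="$2"
    openssl pkcs12 -in "$dir/client.pfx" -passin "pass:$pw" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject 2>/dev/null \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Usage: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    make_mutual_tls_material ./mtls changeit
    chain_ok ./mtls && echo "chain: client.crt is signed by ca.crt"
    not_expired ./mtls 2592000 && echo "expiry: both valid for at least 30 days"
    echo "client.pfx opens with the password; CN=$(pfx_subject ./mtls changeit)"
fi
```

Run the three checks against the customer's real ca.crt and client.crt before opening a support case: a failing chain_ok with matching names usually means the client certificate was signed by a different key than the ca.crt being uploaded, and an empty pfx_subject means the password entered at Fetch Certificate will not open the bundle either.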
