Compass won’t connect to MongoDB over TLS using OpenSSL certificates

Trying the tried and tested method of connecting Compass to a MongoDB instance on a VPS over TLS. If the certificates were from the LetsEncrypt CA (generated with Certbot), 2 files are needed:

  1. CertAndKey.pem, containing the host cert and its private key;
  2. intermAndRoot.pem, containing Certbot’s provided chain.pem and the root CA certificate downloaded directly from the LetsEncrypt website.

This works fine. The connection gets established.

However, the same isn’t working for a custom CA generated with OpenSSL. The MongoDB log reports the error “Unsuitable certificate purpose”.

I followed this excellent playlist for creating the chain of OpenSSL certs:
TechLAB

I believe I have done it correctly, since all 3 certs are different and both the intermediate and host certs do validate against the root cert.

My Root CA is:


The intermediate cert is:


The host cert is:


Any ideas about what is causing the problem are very appreciated!


Here are the config files and commands to generate the certificates:

<code># root-ca.conf
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
C = AU
O = giftbutton
OU = My Division
CN = Root CA
[v3_ca]
keyUsage = critical, keyCertSign, cRLSign
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash


# intermediate-ca.conf
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
C = AU
O = giftbutton
OU = My Division
CN = Intermediate CA
[v3_ca]
keyUsage = critical, keyCertSign, cRLSign
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash


# server.conf
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
C = AU
O = giftbutton
OU = My Division
CN = Mongo Server
[v3_ca]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = giftbutton.com


# client.conf
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
C = AU
O = giftbutton
OU = My Division
CN = Mongo Client
[v3_ca]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
</code>

Many tutorials generate the public/private key with openssl genrsa .... When you use the key only for one certificate, then it is easier to create the key automatically with the certificate (option -newkey 4096). It’s one command less.

Typically, when you need a certificate, you create a certificate request and send it to the person/department who owns the CA. They take your certificate request, sign it with their CA and return the signed certificate to you. When you are the owner of the CA, this step is not needed. You can create and sign the certificate request with a single command. It’s one more command less.

As it looks like you want to use server and client certificates and an intermediate CA, it ends up in 4 certificates created by 4 commands:

<code>openssl req -config root-ca.conf -newkey 4096 -keyout root-ca.key -noenc -new -x509 -days 3650 -sha256 -copy_extensions copyall -extensions v3_ca -out root-ca.crt

openssl req -config intermediate-ca.conf -newkey 4096 -keyout intermediate-ca.key -noenc -new -x509 -days 3650 -CA root-ca.crt -CAkey root-ca.key -sha256 -copy_extensions copyall -extensions v3_ca -out intermediate-ca.crt

openssl req -config server.conf -newkey 4096 -keyout server.key -noenc -new -x509 -days 3650 -CA intermediate-ca.crt -CAkey intermediate-ca.key -sha256 -copy_extensions copyall -extensions v3_ca -out server.crt

openssl req -config client.conf -newkey 4096 -keyout client.key -noenc -new -x509 -days 3650 -CA intermediate-ca.crt -CAkey intermediate-ca.key -sha256 -copy_extensions copyall -extensions v3_ca -out client.crt
</code>

Instead of a config file, you can also put all parameters on the command line. So, instead of -config client.conf it might be possible to use -subj "C=AU/O=giftbutton/OU=My Division/CN=Mongo Client" -addext "keyUsage=critical/keyCertSign/cRLSign" -addext "basicConstraints=critical,CA:true" -addext "subjectKeyIdentifier=hash" – but I did not test!

In order to use them, you have to combine them into files:

<code>cat intermediate-ca.crt root-ca.crt > ca-chain.crt
cat client.crt client.key > client.pem
cat server.crt server.key > server.pem
</code>

Then they are ready to use. On the server side use

<code>net:
  port: 27017
  bindIpAll: true
  tls:
    mode: requireTLS
    certificateKeyFile: server.pem
    CAFile: ca-chain.crt
</code>

And in Compass use a connection string like this:

<code>mongodb://user:[email protected]:27017/?authSource=admin&tls=true&tlsCertificateKeyFile=client.pem&tlsCAFile=ca-chain.crt
</code>

Note:

Download the latest version of openssl (version 3.4). In older versions the option -copy_extensions copyall was not supported, and you would need to put the [v3_ca] section into an extension config file and load it with -extensions v3_ca -extfile ....

As already mentioned, I suggest downloading and installing XCA. It is very simple to use: you can import an existing (working) certificate with simple copy/paste or drag/drop. Then you can check the properties, create similar certificates or requests according to your needs, and export them in any format you desire. It’s really a helpful tool for learning the secrets of X.509 certificates.

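Added example, not code from this thread: a Go program that builds the same four-certificate chain the answer's config files describe (Root CA, Intermediate CA, "Mongo Server" with serverAuth and SAN giftbutton.com, "Mongo Client" with clientAuth) and then runs the purpose check a TLS peer performs against a leaf, so you can see what "unsuitable certificate purpose" means before touching mongod. Assumptions: ECDSA P-256 keys instead of the thread's 4096-bit RSA (only for speed), one-day validity, and Go's crypto/x509 verifier standing in for OpenSSL, where the same EKU mismatch is reported as IncompatibleUsage.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain mirrors root-ca.crt -> intermediate-ca.crt -> server.crt and client.crt.
type Chain struct {
	Root, Intermediate, Server, Client *x509.Certificate
}

// template reproduces the config files: the [req_distinguished_name] subject plus the
// [v3_ca] extensions. CA certs get keyCertSign/cRLSign and CA:true; leaves get
// digitalSignature/keyEncipherment and the extendedKeyUsage naming their TLS role.
func template(cn string, serial int64, isCA bool, eku []x509.ExtKeyUsage, dns []string) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject: pkix.Name{Country: []string{"AU"}, Organization: []string{"giftbutton"},
			OrganizationalUnit: []string{"My Division"}, CommonName: cn},
		NotBefore:   time.Now().Add(-time.Hour),
		NotAfter:    time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: eku,
		DNSNames:    dns, // subjectAltName; DNS.1 = giftbutton.com for the server
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// mint signs tmpl with the parent's key; a nil parent means self-signed (the root CA).
// ECDSA P-256 keys are an assumption made for speed; the thread uses 4096-bit RSA.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildChain issues the four certificates in the order of the four openssl commands.
func BuildChain() Chain {
	serverAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	clientAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	root, rootKey := mint(template("Root CA", 1, true, nil, nil), nil, nil)
	inter, interKey := mint(template("Intermediate CA", 2, true, nil, nil), root, rootKey)
	srv, _ := mint(template("Mongo Server", 3, false, serverAuth, []string{"giftbutton.com"}), inter, interKey)
	cli, _ := mint(template("Mongo Client", 4, false, clientAuth, nil), inter, interKey)
	return Chain{Root: root, Intermediate: inter, Server: srv, Client: cli}
}

// VerifyFor validates leaf the way a peer holding ca-chain.crt does: root-ca.crt is the
// trust anchor, intermediate-ca.crt is untrusted chain material, and role is the EKU the
// peer demands (serverAuth when Compass checks mongod, clientAuth when mongod checks
// Compass). "" means success; an EKU mismatch returns "IncompatibleUsage".
func VerifyFor(c Chain, leaf *x509.Certificate, role x509.ExtKeyUsage, dnsName string) string {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	inters.AddCert(c.Intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, DNSName: dnsName,
		KeyUsages: []x509.ExtKeyUsage{role},
	})
	if err == nil {
		return ""
	}
	var inv x509.CertificateInvalidError
	if errors.As(err, &inv) && inv.Reason == x509.IncompatibleUsage {
		return "IncompatibleUsage"
	}
	return err.Error()
}

func main() {
	c := BuildChain()
	fmt.Printf("server.crt as TLS server: %q\n", VerifyFor(c, c.Server, x509.ExtKeyUsageServerAuth, "giftbutton.com"))
	// A leaf offered in a role its extendedKeyUsage does not cover fails the purpose check.
	fmt.Printf("server.crt as TLS client: %q\n", VerifyFor(c, c.Server, x509.ExtKeyUsageClientAuth, ""))
}
```

The equivalent command-line check on real files is `openssl verify -CAfile root-ca.crt -untrusted intermediate-ca.crt -purpose sslserver server.crt` (or `-purpose sslclient client.pem`), which prints the same purpose error for a leaf whose extendedKeyUsage does not match the role.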


Compass won’t connect to MongoDB over TLS using OpenSSL certificates

Trying the tried and tested method of connecting Compass to MongoDB instance on VPS over TLS. If the certificates were from LetsEnctrypt CA (generated with CertBot), 2 files are needed:

  1. CertAndKey.pem, containing host cert and it’s priv key;
  2. intermAndRoot.pem, containing Certbot’s provided chain.pem and downloaded directly from LetsEncrypt website rootCA certificate.

This works fine. The connection gets established.

However the same isn’t workingfor custom CA generated with OpenSSL. MongoDB log provides error “Unsuitable certificate purpose”

I followed this excellent playlist for creating the chain of OpenSSL certs:
TechLAB

I believe I have done it correctly, since all the 3 certs are different and both interm and host certs do validate agains the root cert.

My Root CA is:

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
<code>-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</code>
<code>-----BEGIN CERTIFICATE----- MIIFETCCAvmgAwIBAgIUbGwDAa8nWxKRBW4q3xpoEEo/C2YwDQYJKoZIhvcNAQEN BQAwGDEWMBQGA1UEAwwNR0lGVEJVVFRPTiBDQTAeFw0yNDEyMTIyMjE3NDNaFw0z NDEyMTAyMjE3NDNaMBgxFjAUBgNVBAMMDUdJRlRCVVRUT04gQ0EwggIiMA0GCSqG SIb3DQEBAQUAA4ICDwAwggIKAoICAQDiNZ7a/FEjYuGjJ5jYICo/45PGcXXOScep Jrf3r4OX/CzIPYX8Z87sm19FA3oPx8alNkxVax86w0gT7s153f4AoDHuHxLpJSuB zxTN5PYJAR/vi1YUlpc1w7H5eBokUz2++29DLvrJs9EKYynC76uNSmLsfrg/d5gq fJASkyCW6ARDSx3xAZuwMpZVW7Go+56G9J+w0y0cGMWRpOBcURTdfTJcSBVZil5+ EteQcyqm2Rs/jTgcNefvjkPOJOFVAOc2B2BL4XuZRKR8VbPTqQKRYCvg6KEWNzAf mzDo5E87CwPu1f1gQ5XtKuLhdIu0rswMM6eIlhWvhpUrsrNJqBwnjyZngzV/CZr6 s3uOsKFJXt+vv0u7hR1T34PMG4MmE2sNmPYB/5wDUn/fs/M1jEc82GjmoyCNfVhM n9dtkeK178NZh7yqAD5XitAxavj85UOoF0h5jUnItbszEI2tkvO6xufEo9TgC2y6 KBjyFi+o9QgtzxymMMM/wTxqNEgHDdtOgjXhhdBa+QfBnzQxKaOMNsPA+ncX5Z6G L0kqeS3xkRlqR3a2BFB/K0hWmnuzJEiMDj7EHnV4uugoiXcuSvW/jsK7UdvbzkqU 4Sfhuh5znxA0fbneyMHEKFyHGgolvVz6FX2RNvHYrN5OcBTNolNP3yLKlLrj85pr 2bTLUjaxxwIDAQABo1MwUTAdBgNVHQ4EFgQUzOJJ8NOKY5F/97AsM2J2S+FNMLkw HwYDVR0jBBgwFoAUzOJJ8NOKY5F/97AsM2J2S+FNMLkwDwYDVR0TAQH/BAUwAwEB /zANBgkqhkiG9w0BAQ0FAAOCAgEAW/g3wYPZwsGWBelcuWKkxYAtiBaHaLE6KkJd 5Fm6gREceoQr6wx3k9wU5j34XHAsJ0EVDcToXooSjXAz0ItKyPN6YncAJL0iw2Ns 1bCPSCkUgIU4GXTUO9bd89uV3fQU7FaCwGiv0W/v1imSKenTAOwgTCl9sLuO1+3E T/IEPvEiMV/YU8ZX1asmq57/SMjTXLAH8i/S5OZBie42pbd3g9ybHd0+4vK6BQFF xdIr/TtyLywTHEEaiK4JWEW9P2UhSiwbHu3wdTPlV6O2ll7Scsa6jDllAHrac/up kftJFQB7001or1qIysYkL1tyln/IX4frBHL6a/tqcVjn0QKEu4iOfBStRzTcM9Kp 9vzAk1rwGcuqtQWDChjX/cOHWMB/yobJjlSYCXmctvrwkw6ghXnIeDUbUM0j0LiK etS/4WM4W8kjYwuUcdvtUjGqbplbpHovgd+yqVdUjT1s6z1qfO3w6ZPLg5IpD2Ef 7hTDYqlZNi7/kmosp7FhkzLZeR8K2aad3D0y+MuPoCUAgdVU5oXJhmcLgOhJhx3z EwamaStqLwuh3OHnHVkwExB4GOJ6Zh2JXdpbxGsBmW9VCE7JVnx3kf1vfyx7LTnW G3NbfChROxCTu7HsqPsuSlfQSbuc9dA6IOG77GR/slSiaMlH77z8PXeqNoIGTtJ6 4F7JL3I= -----END CERTIFICATE----- </code>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

The intermediate cert is:

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
<code>-----BEGIN CERTIFICATE-----
MIIFHjCCAwagAwIBAgIRAN5DF60GO8h5VmWPWG/07jwwDQYJKoZIhvcNAQELBQAw
GDEWMBQGA1UEAwwNR0lGVEJVVFRPTiBDQTAeFw0yNDEyMTIyMzA5MDZaFw0zNDEy
MTAyMzA5MDZaMCUxIzAhBgNVBAMMGkdJRlRCVVRUT04gSU5URVJNRURJQVRFIENB
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA3FYjbUdoKenoOQLV4YDH
DiDOM8GDjLdwHFB8nX9hgR06wVkevepym0bvoDyksN1TXhn/z1A8qB2xqsSCauqM
rVRFpb1Ic5MsJT42uSJTghN/gsjsQmn+7m/7suKADGKRdxT8g93FaDNDPlAeYdBy
hdE9M4i8c9KIW2oo6+pL+jRKz3iVVasqS7Y00hgIyJcuN+Zpq67TXVOi9Fg4CoEV
+toYLE3/YczlTv/FWWj0p7GLZA3KOy243ooD4gz/Rt5+0p9BsuACFfmMHEIAfJzJ
p4j0CbqBpwG2azrru7jrIhqJ//6b95shXm/+AHCaVM2CnpNQ+qnFjVMs88rRmOh1
9c+PUBMBD40wql1eJzVlxATLX8Hm1VmmFnw7RY2LP8+AZrTK/KDZeWExmCAhj2n/
oV1b41fNNEg5xt2OApsEzL3IdyxN64n88mJV2KKCK728Svo/jodgcS9Ilw6+DQ76
OkyMOQybx69AG5JrpIV1dFoVKC0tqA/DRV/rSgRv23XivSxJ34qz2iSWbpYKCLpN
tlhTY3e8MakTtT1kAT+VhOaXDkso+jXq88yQR6bo+ZjI28/hwKcy/fpW2pYN/rZx
A++uRWAiQ2CKBnkPyyz5S3kOpleGm0RMDTIgwawBXl5WWna0NnB1+pvQ1dzfERrf
9bANNmZpBtWveSsXpVd4t4MCAwEAAaNWMFQwHQYDVR0OBBYEFOr7YkD5s8FyqtIO
2uRgKHSEUIQmMB8GA1UdIwQYMBaAFMziSfDTimORf/ewLDNidkvhTTC5MBIGA1Ud
EwEB/wQIMAYBAf8CAQAwDQYJKoZIhvcNAQELBQADggIBAFavRSIpnirwjm0/mViN
xWD3Hk/NAtxHz5+t1XMM709DdZYhXvHQsFdSV2vpLjiWtfx6xOmIQoqld4FrZOGa
R5xiEfr7khGQ5CZpoiafp1ms3DdZb/WLqMhQ8wopayaVkS5QN3IpHTu8Vx7lRzjs
etta+JOdxgE21nZUNHaeOA2vpQT5WwTNq6qsmjgKf5dD0iE8QgidIGZo6fMdsTMh
eFSfXWMj6xwi/ROS5OIh/PWcLGtCPFgUxuGHEi+KGuDrDS45ygy8fT5z+hl6E8WY
KHZ5F9jI/LSsSN+ySBKjZI2K35td7hayFW2rLawmpOnPZYhB5i6fyuX7BcBI9CDv
DTaY5onWRoWGlDzT2b8P9u4P7AiyFK7Ow4w9K6Kl4qI65N+wOyzk0dU10yt9ZksP
fbGPfqlzrk0+9JYvGZVWpRYa1Bxv/sEatUqxLt9iNlhy8OC+Nt3bPo8750QMvEIJ
MX7KTjb7VSLK62jSqc9FDseLK/iH9L2AWt2WCSIQJ6T5J0Duo/++RKY8GXGJMwI1
uIyd4XtSK1iTJED0nZ9z2C4jbrjj2iy+/A5Vu2o85Y8vZyiYOpyJZLx79xFYVRPR
ahnziVvw2YVlsiOYEcgO+TnI3HrTc/afYNDIUKwzeEeVPpNa+jddxeap+y2ni37p
oBIXfQqR307Zy3qAsi4/sbSX
-----END CERTIFICATE-----
</code>
<code>-----BEGIN CERTIFICATE----- MIIFHjCCAwagAwIBAgIRAN5DF60GO8h5VmWPWG/07jwwDQYJKoZIhvcNAQELBQAw GDEWMBQGA1UEAwwNR0lGVEJVVFRPTiBDQTAeFw0yNDEyMTIyMzA5MDZaFw0zNDEy MTAyMzA5MDZaMCUxIzAhBgNVBAMMGkdJRlRCVVRUT04gSU5URVJNRURJQVRFIENB MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA3FYjbUdoKenoOQLV4YDH DiDOM8GDjLdwHFB8nX9hgR06wVkevepym0bvoDyksN1TXhn/z1A8qB2xqsSCauqM rVRFpb1Ic5MsJT42uSJTghN/gsjsQmn+7m/7suKADGKRdxT8g93FaDNDPlAeYdBy hdE9M4i8c9KIW2oo6+pL+jRKz3iVVasqS7Y00hgIyJcuN+Zpq67TXVOi9Fg4CoEV +toYLE3/YczlTv/FWWj0p7GLZA3KOy243ooD4gz/Rt5+0p9BsuACFfmMHEIAfJzJ p4j0CbqBpwG2azrru7jrIhqJ//6b95shXm/+AHCaVM2CnpNQ+qnFjVMs88rRmOh1 9c+PUBMBD40wql1eJzVlxATLX8Hm1VmmFnw7RY2LP8+AZrTK/KDZeWExmCAhj2n/ oV1b41fNNEg5xt2OApsEzL3IdyxN64n88mJV2KKCK728Svo/jodgcS9Ilw6+DQ76 OkyMOQybx69AG5JrpIV1dFoVKC0tqA/DRV/rSgRv23XivSxJ34qz2iSWbpYKCLpN tlhTY3e8MakTtT1kAT+VhOaXDkso+jXq88yQR6bo+ZjI28/hwKcy/fpW2pYN/rZx A++uRWAiQ2CKBnkPyyz5S3kOpleGm0RMDTIgwawBXl5WWna0NnB1+pvQ1dzfERrf 9bANNmZpBtWveSsXpVd4t4MCAwEAAaNWMFQwHQYDVR0OBBYEFOr7YkD5s8FyqtIO 2uRgKHSEUIQmMB8GA1UdIwQYMBaAFMziSfDTimORf/ewLDNidkvhTTC5MBIGA1Ud EwEB/wQIMAYBAf8CAQAwDQYJKoZIhvcNAQELBQADggIBAFavRSIpnirwjm0/mViN xWD3Hk/NAtxHz5+t1XMM709DdZYhXvHQsFdSV2vpLjiWtfx6xOmIQoqld4FrZOGa R5xiEfr7khGQ5CZpoiafp1ms3DdZb/WLqMhQ8wopayaVkS5QN3IpHTu8Vx7lRzjs etta+JOdxgE21nZUNHaeOA2vpQT5WwTNq6qsmjgKf5dD0iE8QgidIGZo6fMdsTMh eFSfXWMj6xwi/ROS5OIh/PWcLGtCPFgUxuGHEi+KGuDrDS45ygy8fT5z+hl6E8WY KHZ5F9jI/LSsSN+ySBKjZI2K35td7hayFW2rLawmpOnPZYhB5i6fyuX7BcBI9CDv DTaY5onWRoWGlDzT2b8P9u4P7AiyFK7Ow4w9K6Kl4qI65N+wOyzk0dU10yt9ZksP fbGPfqlzrk0+9JYvGZVWpRYa1Bxv/sEatUqxLt9iNlhy8OC+Nt3bPo8750QMvEIJ MX7KTjb7VSLK62jSqc9FDseLK/iH9L2AWt2WCSIQJ6T5J0Duo/++RKY8GXGJMwI1 uIyd4XtSK1iTJED0nZ9z2C4jbrjj2iy+/A5Vu2o85Y8vZyiYOpyJZLx79xFYVRPR ahnziVvw2YVlsiOYEcgO+TnI3HrTc/afYNDIUKwzeEeVPpNa+jddxeap+y2ni37p oBIXfQqR307Zy3qAsi4/sbSX -----END CERTIFICATE----- </code>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

host cert is:

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
<code>-----BEGIN CERTIFICATE-----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-----END CERTIFICATE----
</code>
<code>-----BEGIN CERTIFICATE----- MIIGNjCCBB6gAwIBAgIRALyPo138h9hNmmY/HPCBccUwDQYJKoZIhvcNAQELBQAw JTEjMCEGA1UEAwwaR0lGVEJVVFRPTiBJTlRFUk1FRElBVEUgQ0EwHhcNMjQxMjEz MTkwMzQ0WhcNMzQxMjExMTkwMzQ0WjB3MQswCQYDVQQGEwJBVTEMMAoGA1UECAwD TlNXMQ8wDQYDVQQHDAZTeWRuZXkxFTATBgNVBAoMDFByYWN0aWNlIFB0eTEZMBcG A1UECwwQQ3VzdG9tZXIgU3VwcG9ydDEXMBUGA1UEAwwOZ2lmdGJ1dHRvbi5jb20w ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDX5iEqSbhvkiZ0E3NCU1Ms YvlEw/t4Xjzdd4rhLHQsLXpiO3n8CZj+/DQrWwiy15JjWeboWkM8bxAvYZ3+1cY1 jUl1xYNZ0V0mEu3BZcJT4bgBF30twRcmmOwWLAtJPAsSRI228ddUDXl9/bVHooi7 ST4ekoaHIPa3hP/oX5ZNDQHaFj22YCy38/58oIfPtm8mP24TA/xc8rIxFixUpp2n o8iuQdpM1ncX3i0SKhugMni+jLhXTzM7dF16K1aq0WvMdx8/MxyjtXxCWnrSFGV2 lNQFScRn6VyZT81w9VAVoKJkUU+qsaKad2pw3243Batsq1mFsF5yo8spdbkapvuM SVbJm47fCWeHK625tI/zpv7ql2hBy+YLvyKEG1Ci1A146p2+ClVQtxcIg17ry18G /XMgtyyf3ABWfTTQxAcA4uzlPS4xkMpRUfCQfvYWwh7gCL4nj6+Wk63xJvOaHvWI ttcPCZYkjCGf+5w+7zHoX7r4cSCBar8cJN02ZPyPPey9PrUswi8iz1nxsxgh1Qdt SLwSkofEyVMcbrl7/7WCyZBt0q20BjcCc4S++s7RrXlwunxXumxkcP2nik4rFReU P2VpNENfxT7HkrQIwbZCAlYxaco/OmmF9Oqz5EfVdvz10Rm0woZlcs49NdcZEkLC NLG92kcL8booGaneX1wGEQIDAQABo4IBDTCCAQkwCQYDVR0TBAIwADARBglghkgB hvhCAQEEBAMCBkAwSQYJYIZIAYb4QgENBDwWOlNlbGYtU2lnbmVkIENlcnRpZmlj YXRlIGdlbmVyYXRlZCBieSBPcGVuU1NMIChtaWQtY2EuY29uZikwHQYDVR0OBBYE FP65D6HnLkAfJZ5vdJEecVfB2gIrMFAGA1UdIwRJMEeAFOr7YkD5s8FyqtIO2uRg KHSEUIQmoRykGjAYMRYwFAYDVQQDDA1HSUZUQlVUVE9OIENBghEA3kMXrQY7yHlW ZY9Yb/TuPDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG AQUFBwMCMA0GCSqGSIb3DQEBCwUAA4ICAQBtaH73uOIp/zXxMeZrFNPINnh80Z60 kBInqtdVd8LBKgdJCiXu0uVlh+1Do4xszQi7YtJUgUgLckdueXOq9DUHvOXNXfLB ByCsqDrYMd5+imckwLDYjARMT/Ih9GbFNUEYbtym5k/pHxKJahLEWSUKeLKXCnNT yHYAXqbzxapltQekG1+OofU9wGXQVxBRg65NPaCyfOFldPWeh38kKw8A49kQwc5T x29oxcECHiqxz4RwvxKYlamoG/d0njlK3y3aAxMou31YhON9EltMEnGVM+awzfcn cr5xUSRK0MPYwwqiSUZySSpyC+bA/1rx1Bd2t8Oohnqe9ZzznJS5qhHuza3ngGzo dFp4CMe+yHbaLTSF4I8zxSh8qd0QCtmnIz0UdZ4IMegqHGfH3OsRdLjBhbfaYw2H De7s/+34LASGKV9jABYIT8jYQS9QHMBocqa/xnYKuIJ/mCl2g2nXx3Zf+AiEP965 
JFUIu/6syKmzb8vygEYkQCEW/z45UcQdmH6KFwHQ5FB15b/zN/0z3l/rQXJ9zel/ y0sAEd/wZ+7z2ry2SUeMVFf1hejutZ5AD9u+q3MMZ8REqGM+r7tg9uSkKs0lf1wP bH9nU1oXBrNQPqMzkEvwObIJEPP/AwuT6R73LbfEBXXLiDxhouYQUIb2oIKg0iHr yeC0jEePh5kYWw== -----END CERTIFICATE---- </code>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE----

Any ideas about what is causing the problem are very appreciated!

3

Here the config files and commands to generate the certificates:

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
<code># root-ca.conf
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
C = AU
O = giftbutton
OU = My Division
CN = Root CA
[v3_ca]
keyUsage = critical, keyCertSign, cRLSign
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
# intermediate-ca.conf
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
C = AU
O = giftbutton
OU = My Division
CN = Intermediate CA
[v3_ca]
keyUsage = critical, keyCertSign, cRLSign
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
# server.conf
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
C = AU
O = giftbutton
OU = My Division
CN = Mongo Server
[v3_ca]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = giftbutton.com
# client.conf
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
C = AU
O = giftbutton
OU = My Division
CN = Mongo Client
[v3_ca]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
</code>

Many tutorials generate the public/private key with openssl genrsa .... When you use the key only for one certificate, it is easier to create the key automatically with the certificate (option -newkey 4096). It’s one command less.

Typically, when you need a certificate, you create a certificate request and send it to the person/department who owns the CA. They take your certificate request, sign it with their CA and return the signed certificate to you. When you are the owner of the CA, this step is not needed. You can create and sign the certificate request with a single command. It’s one more command less.

As it looks like you like to use server and client certificates and an intermediate CA, it ends up in 4 certificates created by 4 commands:

<code>openssl req -config root-ca.conf -newkey 4096 -keyout root-ca.key -noenc -new -x509 -days 3650 -sha256 -copy_extensions copyall -extensions v3_ca -out root-ca.crt
openssl req -config intermediate-ca.conf -newkey 4096 -keyout intermediate-ca.key -noenc -new -x509 -days 3650 -CA root-ca.crt -CAkey root-ca.key -sha256 -copy_extensions copyall -extensions v3_ca -out intermediate-ca.crt
openssl req -config server.conf -newkey 4096 -keyout server.key -noenc -new -x509 -days 3650 -CA intermediate-ca.crt -CAkey intermediate-ca.key -sha256 -copy_extensions copyall -extensions v3_ca -out server.crt
openssl req -config client.conf -newkey 4096 -keyout client.key -noenc -new -x509 -days 3650 -CA intermediate-ca.crt -CAkey intermediate-ca.key -sha256 -copy_extensions copyall -extensions v3_ca -out client.crt
</code>

Instead of a config file, you can also put all parameters on the command line. So, instead of -config client.conf it might be possible to use -subj "C=AU/O=giftbutton/OU=My Division/CN=Mongo Client" -addext "keyUsage=critical/keyCertSign/cRLSign" -addext "basicConstraints=critical,CA:true" -addext "subjectKeyIdentifier=hash" – but I did not test!

In order to use them, you have to combine them into files:

<code>cat intermediate-ca.crt root-ca.crt > ca-chain.crt
cat client.crt client.key > client.pem
cat server.crt server.key > server.pem
</code>

Then they are ready to use. On the server side use

<code>net:
  port: 27017
  bindIpAll: true
  tls:
    mode: requireTLS
    certificateKeyFile: server.pem
    CAFile: ca-chain.crt
</code>

And in Compass use a connection string like this:

<code>mongodb://user:[email protected]:27017/?authSource=admin&tls=true&tlsCertificateKeyFile=client.pem&tlsCAFile=ca-chain.crt
</code>

Note:

Download the latest version of openssl (version 3.4). In older versions the option -copy_extensions copyall was not supported and you would need to put the [v3_ca] section into an extension config file and load this file with -extensions v3_ca -extfile ....

As already mentioned, I suggest downloading and installing XCA. It is very simple to use: you can import an existing (working) certificate with simple copy/paste or drag/drop. Then you can check the properties, create similar certificates or requests according to your needs, and export them in any format you may desire. It’s really a helpful tool to learn the secrets of x.509 certificates.


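Added example, not part of the answer above or of any MongoDB/OpenSSL project: it builds a root -> intermediate -> leaf chain with the same extension sections as the answer's config files (plus one deliberately wrong leaf that reuses the CA extensions) and then runs the `openssl verify -purpose` check that surfaces an "Unsuitable certificate purpose" before the files are ever handed to mongod. All CNs, the DNS name mongo.example.test and the file names are constructed for the demo; it needs only the openssl CLI (1.1.1 or newer).

```shell
#!/bin/sh
# Added example (not from the original answer): build a root -> intermediate -> leaf chain with
# openssl and check each leaf's *purpose* the way a TLS stack does, so an "Unsuitable certificate
# purpose" error is caught before the files reach mongod.  All names here are constructed.
set -eu
WORK=$(mktemp -d); cd "$WORK"
# Extension sections equivalent to the [v3_ca] sections in the answer's config files, plus a
# deliberately wrong leaf section that reuses CA extensions for a server certificate.
cat > ext.cnf <<'EOF'
[ca_ext]
keyUsage = critical, keyCertSign, cRLSign
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
[server_ext]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mongo.example.test
[client_ext]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
[wrong_leaf_ext]
keyUsage = critical, keyCertSign, cRLSign
basicConstraints = critical, CA:true
EOF
# issue NAME ISSUER SECTION CN -> NAME.key and NAME.crt (ISSUER "self" means a self-signed root).
# Uses req + x509 -req so it also works on OpenSSL versions before 3.2 (no "req -x509 -CA").
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -subj "/CN=$4" -out "$1.csr" 2>/dev/null
  if [ "$2" = self ]; then signer="-signkey $1.key"; else signer="-CA $2.crt -CAkey $2.key -CAcreateserial"; fi
  # $signer is intentionally unquoted so it expands to several options
  openssl x509 -req -in "$1.csr" $signer -days 365 -sha256 -extfile ext.cnf -extensions "$3" -out "$1.crt" 2>/dev/null
}
# purpose_ok CERT PURPOSE -> exit 0 only if CERT chains to ca-chain.crt AND is valid for PURPOSE
purpose_ok() { openssl verify -CAfile ca-chain.crt -purpose "$2" "$1" >/dev/null 2>&1; }
issue root self ca_ext "Root CA"
issue intermediate root ca_ext "Intermediate CA"
issue server intermediate server_ext "Mongo Server"
issue client intermediate client_ext "Mongo Client"
issue wrong intermediate wrong_leaf_ext "Mongo Server"
cat intermediate.crt root.crt > ca-chain.crt      # same layout as the answer's CAFile
# A server cert must pass sslserver, a client cert sslclient; the CA-style leaf passes neither.
for pair in server:sslserver server:sslclient client:sslclient wrong:sslserver; do
  cert=${pair%%:*}; purpose=${pair#*:}
  if purpose_ok "$cert.crt" "$purpose"; then echo "$cert.crt OK for $purpose"
  else echo "$cert.crt REJECTED for $purpose (what mongod logs as an unsuitable purpose)"; fi
done
openssl x509 -in server.crt -noout -ext keyUsage,extendedKeyUsage   # the two extensions to eyeball
```

Run the same `openssl verify -CAfile ca-chain.crt -purpose sslserver server.crt` against your own files: if it reports an unsuitable purpose, the keyUsage/extendedKeyUsage of the leaf (not the chain) is what needs fixing.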