Trying the tried and tested method of connecting Compass to a MongoDB instance on a VPS over TLS. If the certificates were from the LetsEncrypt CA (generated with CertBot), 2 files are needed:
This works fine. The connection gets established.
However, the same isn't working for a custom CA generated with OpenSSL. The MongoDB log provides the error "Unsuitable certificate purpose".
I followed this excellent playlist for creating the chain of OpenSSL certs: TechLAB
I believe I have done it correctly, since all 3 certs are different and both the interm and host certs do validate against the root cert.
My Root CA is:
The intermediate cert is:
The host cert is:
Any ideas about what is causing the problem are very appreciated!
Here are the config files and commands to generate the certificates:
# root-ca.conf
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
C = AU
O = giftbutton
OU = My Division
CN = Root CA
[v3_ca]
keyUsage = critical, keyCertSign, cRLSign
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
# intermediate-ca.conf
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
C = AU
O = giftbutton
OU = My Division
CN = Intermediate CA
[v3_ca]
keyUsage = critical, keyCertSign, cRLSign
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
# server.conf
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
C = AU
O = giftbutton
OU = My Division
CN = Mongo Server
[v3_ca]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = giftbutton.com
# client.conf
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
C = AU
O = giftbutton
OU = My Division
CN = Mongo Client
[v3_ca]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
Many tutorials generate the public/private key with openssl genrsa .... When you use the key only for one certificate, then it is easier to create the key automatically with the certificate (option -newkey 4096). It's one command less.
Typically, when you need a certificate, you create a certificate request and send it to the person/department who owns the CA. They take your certificate request, sign it with their CA and return the signed certificate to you. When you are the owner of the CA, this step is not needed. You can create and sign the certificate request with a single command. It's one more command less.
As it looks like you want to use server and client certificates and an intermediate CA, it ends up in 4 certificates created by 4 commands:
openssl req -config root-ca.conf -newkey 4096 -keyout root-ca.key -noenc -new -x509 -days 3650 -sha256 -copy_extensions copyall -extensions v3_ca -out root-ca.crt
openssl req -config intermediate-ca.conf -newkey 4096 -keyout intermediate-ca.key -noenc -new -x509 -days 3650 -CA root-ca.crt -CAkey root-ca.key -sha256 -copy_extensions copyall -extensions v3_ca -out intermediate-ca.crt
openssl req -config server.conf -newkey 4096 -keyout server.key -noenc -new -x509 -days 3650 -CA intermediate-ca.crt -CAkey intermediate-ca.key -sha256 -copy_extensions copyall -extensions v3_ca -out server.crt
openssl req -config client.conf -newkey 4096 -keyout client.key -noenc -new -x509 -days 3650 -CA intermediate-ca.crt -CAkey intermediate-ca.key -sha256 -copy_extensions copyall -extensions v3_ca -out client.crt
Instead of a config file, you can also put all parameters on the command line. So, instead of -config client.conf it might be possible to use -subj "C=AU/O=giftbutton/OU=My\ Division/CN=Mongo\ Client" -addext "keyUsage=critical/keyCertSign/cRLSign" -addext "basicConstraints=critical,CA:true" -addext "subjectKeyIdentifier=hash" - but I did not test!
In order to use them, you have to combine them into files:
cat intermediate-ca.crt root-ca.crt > ca-chain.crt
cat client.crt client.key > client.pem
cat server.crt server.key > server.pem
Then they are ready to use. On the server side use (mongod.conf, YAML, indentation matters):
net:
  port: 27017
  bindIpAll: true
  tls:
    mode: requireTLS
    certificateKeyFile: server.pem
    CAFile: ca-chain.crt
And in Compass use a connection string like this:
mongodb://user:secret@giftbutton.com:27017/?authSource=admin&tls=true&tlsCertificateKeyFile=client.pem&tlsCAFile=ca-chain.crt
Note: Download the latest version of openssl (version 3.4). In older versions the option -copy_extensions copyall was not supported and you would need to put the [v3_ca] section into an extension config-file and load this file with -extensions v3_ca -extfile ....
As already mentioned, I suggest downloading and installing XCA. It is very simple to use; you can import an existing (working) certificate with simple copy/paste or drag/drop. Then you can check the properties, create similar certificates or requests according to your need, and export them in any format you may desire. It's really a helpful tool to learn the secrets of X.509 certificates.
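Added example, not from the question or the answer: a shell script that builds a root/intermediate/server chain along the lines the answer describes and then runs the purpose check OpenSSL applies when it reports "unsuitable certificate purpose" (openssl verify -purpose sslserver), once on a leaf with the server extensions and once on a leaf mistakenly issued with the CA extension section. File names, section names and the hostname are assumptions; signing uses openssl x509 -req so the script also runs on OpenSSL 1.1.1, where req -CA/-CAkey is not available.

```shell
#!/bin/sh
# Added example (not the answer's commands): build root -> intermediate -> leaf and
# check each leaf for the "sslserver" purpose, the check behind
# "Unsuitable certificate purpose". All names here are ours (assumed).
set -eu
WORK=$(mktemp -d); cd "$WORK"

# One config with two extension sections: CA-style and TLS-server-style.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
[ca_ext]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mongo.example.test
EOF

# issue NAME SECTION ISSUER: fresh key + CSR for NAME, signed by ISSUER using extensions SECTION
issue() {
  openssl req -new -config ext.cnf -newkey rsa:2048 -nodes -keyout "$1.key" \
    -subj "/CN=$1" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial -days 365 \
    -extfile ext.cnf -extensions "$2" -out "$1.crt" 2>/dev/null
}

# Self-signed root, then the intermediate and two leaves below it.
openssl req -x509 -new -config ext.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
  -keyout root.key -subj "/CN=Root CA" -days 3650 -out root.crt 2>/dev/null
issue intermediate ca_ext root
issue server    server_ext intermediate   # correct leaf: serverAuth + digitalSignature/keyEncipherment
issue badserver ca_ext     intermediate   # leaf signed with the CA section by mistake
cat intermediate.crt root.crt > ca-chain.crt

# verify_server CERT: exit 0 only if CERT chains to ca-chain.crt AND may act as a TLS server
verify_server() { openssl verify -purpose sslserver -CAfile ca-chain.crt "$1"; }

verify_server server.crt                 # server.crt: OK
verify_server badserver.crt || true      # error ... certificate purpose
openssl x509 -in badserver.crt -noout -ext keyUsage,extendedKeyUsage   # what verify objected to
```

The same check with -purpose sslclient applies to client.pem, since the extensions a leaf carries, not the CA it chains to, decide whether OpenSSL accepts it for a given role.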