1

I'm writing a server in Go that uses MongoDB and I was doing some research on how to enable SSL for the connection to the database. I found several examples that explain how to add the CA file. Like so:

mongo.NewClientWithOptions(connectionString, mongo.ClientOpt.SSLCaFile(caFilePath))

I'm using a hosted database on Atlas and they state that all connections use SSL by default. This answer on a different question shows how to connect to Atlas with Go but the code example doesn't use a CA file. I also couldn't find an option to download the CA file from Atlas that I could use.

This confuses me a bit and leads to the following questions. When is it necessary to provide a CA file like shown above to use SSL? If it's always required for SSL to provide a CA file, where do I get the CA file from to connect to a managed cluster on Atlas?

jz22
  • 2,328
  • 5
  • 31
  • 50

2 Answers2

3

You always need a CA certificate to validate the server when initiating a TLS connection. Sometimes this is already installed on your platform and used automatically. You have to provide a CA file during connection when such a root certificate is not available. The CA file is used to validate the certificate presented by the server. A trusted third party provides this CA, and also (possibly through a chain of trusted parties) provides a certificate to the server, so you can validate the server is who claims it is by validating its certificate using the CA.

All platforms come with an initial set of root certificates that can validate well-known third-party generated certificates. The mongodb server you're connecting to is probably using such a certificate, and thus, your OS certificates can be used to validate it. If you had your own PKI with your own CA not validated by a third party, then you'd need a separate CA file signed by your own CA. Then you'd need to pass that CA file to validate the server, because your root certificate will not contain your custom CA.

Burak Serdar
  • 46,455
  • 3
  • 40
  • 59
2

The CA file specifies which self-signed root certificates you trust, and can include intermediate certificate authorities as well.

When the application connects to the server, the server sends its certificate as part of the handshake. The server's certificate was digitally signed.

In order to check that the server certificate was not tampered with, the issuer's certificate is consulted, which contains a public key that can be used to validate the digital signature.

If the issuer was an intermediate CA, then its certificate was also signed by another CA, so that CA's certificate will be consulted to validate the signature on the intermediate certificate.

This continues until the chain reaches a certificate that was signed by itself. This is the root certificate. Since it signs itself, you have to explicitly indicate that you trust it in order to trust the entire chain, including the server being connected to.

The bottom line here is you need to provide a CA file when:

  • You care about verifying the identity of the server you are connecting to (i.e. preventing man in the middle attacks), and
  • The root certificate will not already be trusted implicitly by inclusion in a local trust store
Joe
  • 25,000
  • 3
  • 22
  • 44