Setting Up MongoDB TLS Certificates with BackupMyOrg

ℹ️Overview

This guide walks through enabling TLS encryption on a self-hosted MongoDB instance running on Windows and connecting it to BackupMyOrg. The process exports an existing IIS certificate (.pfx), converts it to PEM format, configures mongod.cfg, and updates the BackupMyOrg nodeconfig.json.

Prerequisites

• MongoDB 4.2 or later installed on Windows (the net.tls configuration block used in this guide requires 4.2+)

• OpenSSL for Windows — typically bundled with Git for Windows at C:\Program Files\Git\usr\bin\openssl.exe, or available from Win32 OpenSSL

• An SSL/TLS certificate already installed in IIS (either a domain wildcard cert such as *.geopowered.com or a localhost/self-signed cert)

• BackupMyOrg installed with access to its nodeconfig.json

Step 1 – Export the .pfx certificate from IIS

1. Open IIS Manager (inetmgr) and select the server node in the left-hand Connections pane.

2. Double-click Server Certificates in the center pane.

3. Right-click the certificate you want to use and choose Export…

4. Set the export path to C:\test\iis.pfx, enter a password when prompted, and click OK.

⚠️Important – note your PFX password

You will need this password in Step 2 when running the OpenSSL conversion command. After conversion, the PEM file will be unencrypted, so keep it in a protected directory.

Step 2 – Convert .pfx to PEM using OpenSSL

MongoDB on Windows requires an unencrypted PEM file — it will fail to start if the private key inside the PEM is passphrase-protected. The -nodes flag below strips the passphrase, which is required.

Open a Command Prompt or PowerShell window and run:

You will be prompted to enter the Import Password — this is the password you set when exporting the .pfx in Step 1.

Where is openssl.exe?If OpenSSL is not in your system PATH, provide the full path. Common locations:

• C:\Program Files\Git\usr\bin\openssl.exe (Git for Windows)

• C:\Program Files\OpenSSL-Win64\bin\openssl.exe (Win32 OpenSSL installer)

Example with a full path:

After the command completes, verify that C:\test\mongo.pem exists and that it contains both a -----BEGIN CERTIFICATE----- and a -----BEGIN PRIVATE KEY----- block.

Step 3 – Configure MongoDB TLS (mongod.cfg)

Open mongod.cfg (default location: C:\Program Files\MongoDB\Server\<version>\bin\mongod.cfg) in a text editor running as Administrator and add or update the net section as follows:

ℹ️

Use forward slashes in the file path

MongoDB's YAML config parser requires forward slashes (/) in file paths on Windows, even though Windows normally uses backslashes.

⚠️Encrypted PEM files are not supported on Windows

MongoDB on Windows will refuse to start if the PEM file's private key is encrypted. Ensure you used -nodes in Step 2.

After saving the file, restart the MongoDB service:

Confirm MongoDB started successfully by checking the Windows Event Viewer or the MongoDB log file (default: C:\Program Files\MongoDB\Server\<version>\log\mongod.log). Look for a line containing Listening on or confirm no TLS errors are present.

Step 4 – Configure BackupMyOrg (nodeconfig.json)

Open BackupMyOrg's nodeconfig.json and locate (or add) the mongoDB section. Update it to match the following, adjusting the hostname based on your certificate type (see Step 5):

Use double backslashes in JSON paths

JSON requires backslashes to be escaped. Use c:\\test\\mongo.pem, not c:\test\mongo.pem.

Step 5 – Hostname resolution (Windows hosts file)

The hostname in the MongoDB connection URL must match the Subject / Subject Alternative Name (SAN) in your certificate. TLS connections will fail if these do not match.

If using a localhost or self-signed certificate

Replace mongo.geopowered.com in nodeconfig.json with localhost or 127.0.0.1:

If using a domain/wildcard certificate (e.g., *.geopowered.com)

Keep the URL as mongo.geopowered.com in nodeconfig.json and add an entry to the Windows hosts file so that the hostname resolves locally.

1. Open Notepad as Administrator.

2. Open the file: C:\Windows\System32\drivers\etc\hosts

3. Add the following line at the bottom:

   127.0.0.1 mongo.geopowered.com

4. Save the file and verify resolution by running ping mongo.geopowered.com in a Command Prompt — it should resolve to 127.0.0.1.

⚠️bindIp must allow the resolved hostname

The mongod.cfg in Step 3 sets bindIp: 127.0.0.1. Since mongo.geopowered.com resolves to 127.0.0.1, this is fine for local use. If MongoDB needs to accept connections from other machines, add the server's network IP to bindIp (e.g., bindIp: 127.0.0.1,192.168.1.10).

Troubleshooting

MongoDB fails to start after editing mongod.cfg

Check the MongoDB log for TLS-related errors. Common causes:

• The PEM file path uses backslashes — replace with forward slashes.

• The PEM file's private key is encrypted — re-run the OpenSSL command with -nodes.

• The PEM file path or filename is incorrect — confirm the file exists at the specified path.

BackupMyOrg cannot connect to MongoDB

• Confirm the hostname in the url field matches the certificate's CN or SAN.

• Confirm the hosts file entry is present if using a domain cert.

• Verify MongoDB is running and listening on port 27017 (netstat -an | findstr 27017).

• Confirm the certLocation path uses double backslashes.

OpenSSL conversion prompts for a password but the PEM output is empty

You may have entered the wrong PFX password. Re-export the .pfx from IIS with a known password and retry.

TLS hostname verification error in logs

The hostname used in the connection string does not match the certificate. Ensure the URL hostname exactly matches a name on the certificate (CN or SAN entry) and that the hosts file entry is saved correctly.