How to manage private keys
You can manage the private keys the charm uses to generate its certificate signing requests (CSRs) by storing each private key in a juju secret and then referencing that secret in the charm configuration.
See also: Juju | How to manage secrets
Generate private keys
The recommendation is to use a separate private key per MongoDB application and per TLS channel (peer-to-peer or client-to-server).
Generate as many private keys as needed, using the following command:
openssl genrsa -out <private-key-name>.pem 3072
Create secrets
Create a juju secret for each private key generated:
Note: Pass keys to juju only as single-line base64 (base64 -w0, which disables line wrapping), not with cat.
juju add-secret <secret-name> private-key=$(base64 -w0 <private-key-name>.pem)
The command will output a secret URI similar to the example below, which you will need shortly:
secret:ctbirhuutr9sr8mgrmpg
Grant the secret to your MongoDB application:
juju grant-secret <secret-name> <application-name>
Reference the secret in the charm configuration
Depending on which TLS channel you are securing, set the corresponding configuration option of your MongoDB application to the secret URI obtained in the previous step:
Note: make sure to include the secret: prefix.
Peer-to-peer TLS
juju config <application-name> tls-peer-private-key=<secret-uri>
Client-to-server TLS
juju config <application-name> tls-client-private-key=secret:cuni0uh34trs5tihuf9g
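The steps above combined into one script, as an added example that is not part of the charm's documentation: it encodes the key as single-line base64, checks that juju returned a URI with the secret: prefix, and only then grants and configures it. The application name mongodb, the secret names and the run argument are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not charm code): one private key per (application, TLS channel),
# stored as a juju secret and referenced from the charm config. Names are assumed.
set -eu

# Encode a PEM key as a single base64 line, the form juju add-secret needs.
# Plain base64 wraps at 76 columns and cat would hand over raw PEM.
encode_key() {
  base64 -w0 "$1"
}

# Succeeds only for a full URI with the secret: prefix and a non-empty id;
# the tls-*-private-key options expect the URI, not the bare id.
is_secret_uri() {
  case "$1" in
    secret:?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Pull the secret URI out of juju add-secret output read on stdin.
parse_secret_uri() {
  grep -o 'secret:[A-Za-z0-9]*' | head -n1
}

# Generate, store, grant and configure one key.
# $1 = application name, $2 = peer or client, $3 = secret name (also the file stem).
provision_tls_key() {
  local app="$1" kind="$2" name="$3" key="$3.pem" uri
  openssl genrsa -out "$key" 3072 2>/dev/null
  uri=$(juju add-secret "$name" private-key="$(encode_key "$key")" | parse_secret_uri || true)
  if ! is_secret_uri "$uri"; then
    echo "juju add-secret did not return a secret: URI" >&2
    return 1
  fi
  juju grant-secret "$name" "$app"
  juju config "$app" "tls-${kind}-private-key=${uri}"
  echo "$uri"
}

# Run the full flow only when invoked as "run" and a juju client is present.
if [ "${1:-}" = run ] && command -v juju >/dev/null 2>&1; then
  provision_tls_key mongodb peer mongodb-peer-key
  provision_tls_key mongodb client mongodb-client-key
fi
```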