TLS/SSL Configuration for Clients
Clients must have support for TLS/SSL to connect to a mongod or a mongos instance that requires TLS/SSL connections.
Note
The Linux 64-bit legacy x64 binaries of MongoDB do not include support for TLS/SSL.
MongoDB disables support for TLS 1.0 encryption on systems where TLS 1.1+ is available. For more details, see Disable TLS 1.0.
Important
A full description of TLS/SSL, PKI (Public Key Infrastructure) certificates, and Certificate Authority is beyond the scope of this document. This page assumes prior knowledge of TLS/SSL as well as access to valid certificates.
mongosh Configuration (Using tls Options)
Note
Starting in version 4.2, MongoDB provides tls options that correspond to the ssl options. The tls options provide identical functionality to the ssl options, since MongoDB has always supported TLS 1.0 and later.
The procedures in this section use the tls options. For procedures using their ssl aliases, see mongosh Configuration (Using ssl Options).
mongosh provides various TLS/SSL settings, including:
TLS Option (New in 4.2) | Notes |
---|---|
--tls | Enables TLS/SSL connection. |
--tlsCertificateKeyFile | Specifies the client certificate key file to present to the server. Changed in version 4.4. |
--tlsCertificateKeyFilePassword | If mongosh's certificate key file is encrypted. |
--tlsCertificateSelector | If running on Windows or macOS, use a certificate from the system certificate store. (New in version 4.0) This option is mutually exclusive with --tlsCertificateKeyFile. Changed in version 4.4. |
For a complete list of mongosh's tls options, see mongosh-shell-tls.
For TLS/SSL connections, mongosh validates the certificate presented by the mongod or mongos instance:
mongosh verifies that the certificate is from the specified Certificate Authority (--tlsCAFile). If the certificate is not from the specified CA, mongosh will fail to connect.
mongosh verifies that the hostname (specified in the --host option or the connection string) matches the SAN (or, if the SAN is not present, the CN) in the certificate presented by the mongod or mongos. If a SAN is present, mongosh does not match against the CN. If the hostname does not match the SAN (or CN), mongosh will fail to connect. Starting in MongoDB 4.2, when comparing the SAN, MongoDB supports comparison of DNS names or IP addresses. In previous versions, MongoDB only supports comparison of DNS names.
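As an added example (not part of the MongoDB documentation), the following POSIX shell script reproduces the two checks described above with openssl, so you can see why a server certificate would be rejected before pointing mongosh (with either the tls options or their ssl aliases) at it: it builds a throwaway CA and a server certificate whose CN deliberately differs from its SAN, then verifies the chain and the hostname the way mongosh does, including the 4.2 IP-address SAN comparison. It assumes openssl 1.1 or later is on PATH; every name, address and certificate is constructed test data.

```shell
#!/bin/sh
# Added example, not from the MongoDB docs. Reproduces with openssl the two checks
# mongosh applies to a server certificate: chaining to the CA given by --tlsCAFile,
# and --host matching a SAN entry (the CN is ignored once a SAN is present).
# Assumes openssl >= 1.1 on PATH. All certificates are throwaway test data.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Two unrelated throwaway CAs: "ca" signs the server cert, "other" is a stranger.
for name in ca other; do
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo $name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.pem" >/dev/null 2>&1
done

# Server certificate signed by "ca". Its CN differs from its SAN on purpose so the
# SAN-versus-CN rule can be observed; the SAN carries a DNS name and an IP address.
openssl req -newkey rsa:2048 -nodes -subj "/CN=legacy-name.example.com" \
  -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1
printf 'subjectAltName=DNS:hostname.example.com,IP:10.0.0.5\n' > "$WORK/srv.ext"
openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -extfile "$WORK/srv.ext" -out "$WORK/srv.pem" >/dev/null 2>&1

# Each check returns 0 when mongosh would accept the certificate, non-zero otherwise.
# $1 = CA name (what --tlsCAFile would point at), $2 = hostname (what --host would be)
check_host() { openssl verify -CAfile "$WORK/$1.pem" -verify_hostname "$2" "$WORK/srv.pem" >/dev/null 2>&1; }
# $1 = CA name, $2 = IP address (SAN IP comparison, supported from MongoDB 4.2)
check_ip()   { openssl verify -CAfile "$WORK/$1.pem" -verify_ip "$2" "$WORK/srv.pem" >/dev/null 2>&1; }

# Print the outcome of each check for a reader running the script by hand.
report() { if "$@"; then echo "accept: $*"; else echo "reject: $*"; fi; }
report check_host ca hostname.example.com       # SAN DNS entry matches --host
report check_ip   ca 10.0.0.5                   # SAN IP entry matches --host
report check_host ca legacy-name.example.com    # CN ignored because a SAN is present
report check_host other hostname.example.com    # right name, wrong CA: rejected
```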
To connect mongosh to a mongod or mongos that requires TLS/SSL, specify the --host option or use a connection string to specify the hostname. All other TLS/SSL options must be specified using the command-line options.
Connect to MongoDB Instance Using Encryption (tls Options)
Note
The procedure uses the tls options (available starting in MongoDB 4.2). For procedures using their ssl aliases, see mongosh Configuration (Using ssl Options).
To connect to a mongod or mongos instance that requires encrypted communication, start mongosh with --tls, --host, and --tlsCAFile to validate the server certificate.
For example, consider a mongod instance running on hostname.example.com with the following options:
mongod --tlsMode requireTLS --tlsCertificateKeyFile <pem>
To connect to the instance, start mongosh with the following options:
mongosh --tls --host hostname.example.com --tlsCAFile /etc/ssl/caToValidateServerCertificates.pem
mongosh verifies the certificate presented by the mongod instance against the specified hostname and the CA file.
Connect to MongoDB Instance that Requires Client Certificates (tls Options)
Note
The procedure uses the tls options (available starting in MongoDB 4.2). For procedures using their ssl aliases, see mongosh Configuration (Using ssl Options).
To connect to a mongod or mongos that requires CA-signed client certificates, start mongosh with --tls, --host, and --tlsCAFile to validate the server certificate, and the --tlsCertificateKeyFile option to specify the client certificate to present to the server.
For example, consider a mongod instance running on hostname.example.com with the following options:
mongod --tlsMode requireTLS --tlsCertificateKeyFile /etc/ssl/mongodb.pem --tlsCAFile /etc/ssl/caToValidateClientCertificates.pem
To connect to the instance, start mongosh with the following options:
mongosh --tls --host hostname.example.com --tlsCertificateKeyFile /etc/ssl/client.pem --tlsCAFile /etc/ssl/caToValidateServerCertificates.pem
Windows and macOS
To specify a client certificate from the system certificate store, use the --tlsCertificateSelector option instead of --tlsCertificateKeyFile. If the CA file is also in the system certificate store, you can omit the --tlsCAFile option.
For example, if a certificate with the CN (Common Name) of myclient.example.net and the accompanying CA file are both in the macOS system certificate store, you can connect like this:
mongosh --tls --host hostname.example.com --tlsCertificateSelector subject="myclient.example.net"
These options are deprecated starting in MongoDB 4.2:
--ssl
--sslCAFile
--sslPEMKeyFile
--sslCertificateSelector
They are still available in mongosh, but you should use the tls alternatives instead.
Avoid Use of --tlsAllowInvalidCertificates Option
Warning
Although available, avoid using the --tlsAllowInvalidCertificates option if possible. If the use of --tlsAllowInvalidCertificates is necessary, only use the option on systems where intrusion is not possible.
If mongosh runs with the --tlsAllowInvalidCertificates option, mongosh will not attempt to validate the server certificates. This creates a vulnerability to expired mongod and mongos certificates as well as to foreign processes posing as valid mongod or mongos instances. If you only need to disable the validation of the hostname in the TLS/SSL certificates, see --tlsAllowInvalidHostnames.
mongosh Configuration (Using ssl Options)
mongosh provides various TLS/SSL settings, including:
SSL Option (Deprecated in 4.2) | Notes |
---|---|
--ssl | Enables TLS/SSL connection. |
--sslPEMKeyFile | |
--sslPEMKeyPassword | If mongosh's certificate key file is encrypted. |
--sslCAFile | |
--sslCertificateSelector | If running on Windows or macOS, use a certificate from the system certificate store. (New in version 4.0) |
For a complete list of ssl options, see SSL Options.
For TLS/SSL connections, mongosh validates the certificate presented by the mongod or mongos instance:
mongosh verifies that the certificate is from the specified Certificate Authority (--sslCAFile). If the certificate is not from the specified CA, mongosh will fail to connect.
mongosh verifies that the hostname (specified in the --host option or the connection string) matches the SAN (or, if the SAN is not present, the CN) in the certificate presented by the mongod or mongos. If a SAN is present, mongosh does not match against the CN. If the hostname does not match the SAN (or CN), mongosh will fail to connect. Starting in MongoDB 4.2, when comparing the SAN, MongoDB supports comparison of DNS names or IP addresses. In previous versions, MongoDB only supports comparison of DNS names.
To connect mongosh to a mongod or mongos that requires TLS/SSL, specify the --host option or use a connection string to specify the hostname. All other TLS/SSL options must be specified using the command-line options.
Connect to MongoDB Instance Using Encryption (--ssl Options)
Note
The procedure uses the ssl options. For procedures using the tls aliases (available starting in MongoDB 4.2), see mongo-shell-tls.
To connect to a mongod or mongos instance that requires encrypted communication, start mongosh with --ssl, --host, and --sslCAFile to validate the server certificate.
For example, consider a mongod instance running on hostname.example.com with the following options:
mongod --sslMode requireSSL --sslPEMKeyFile <pem>
To connect to the instance, start mongosh with the following options:
mongosh --ssl --host hostname.example.com --sslCAFile /etc/ssl/caToValidateServerCertificates.pem
mongosh verifies the certificate presented by the mongod instance against the specified hostname and the CA file.
Connect to MongoDB Instance that Requires Client Certificates (ssl Options)
Note
The procedure uses the ssl options. For procedures using the tls aliases (available starting in MongoDB 4.2), see mongosh Configuration (Using tls Options).
To connect to a mongod or mongos that requires CA-signed client certificates, start mongosh with --ssl, --host, and --sslCAFile to validate the server certificate, and the --sslPEMKeyFile option to specify the client certificate to present to the server.
For example, consider a mongod instance running on hostname.example.com with the following options:
mongod --sslMode requireSSL --sslPEMKeyFile /etc/ssl/mongodb.pem --sslCAFile /etc/ssl/ca.pem
To connect to the instance, start mongosh with the following options:
mongosh --ssl --host hostname.example.com --sslPEMKeyFile /etc/ssl/client.pem --sslCAFile /etc/ssl/ca.pem
On Windows and macOS
You can also use the --sslCertificateSelector option to specify the client certificate from the system certificate store instead of using --sslPEMKeyFile. If the CA file is also in the system certificate store, you can omit the --sslCAFile option.
For example, to use a certificate with the CN (Common Name) of myclient.example.net and the CA file from the system certificate store on macOS, start mongosh with the following options:
mongosh --ssl --host hostname.example.com --sslCertificateSelector subject=myclient.example.net
Avoid Use of --sslAllowInvalidCertificates Option
Warning
Although available, avoid using the --sslAllowInvalidCertificates option if possible. If the use of --sslAllowInvalidCertificates is necessary, only use the option on systems where intrusion is not possible.
If mongosh (and other MongoDB Tools) runs with the --sslAllowInvalidCertificates option, mongosh (and other MongoDB Tools) will not attempt to validate the server certificates. This creates a vulnerability to expired mongod and mongos certificates as well as to foreign processes posing as valid mongod or mongos instances. If you only need to disable the validation of the hostname in the TLS/SSL certificates, see --sslAllowInvalidHostnames.
MongoDB Atlas, MongoDB Cloud Manager and MongoDB Ops Manager
MongoDB Atlas uses TLS/SSL to encrypt the connections to your databases.
The MongoDB Cloud Manager and Ops Manager Monitoring agents use encrypted communication to gather their statistics. Because the agents already encrypt communications to the MongoDB Cloud Manager/Ops Manager servers, this is just a matter of enabling TLS/SSL support in MongoDB Cloud Manager/Ops Manager on a per-host basis.
For more information, see:
MongoDB Drivers
The MongoDB Drivers support encrypted communication. See:
MongoDB Tools
Various MongoDB utility programs support encrypted communication. These tools include:
To use encrypted communication with these tools, use the same ssl options as mongosh. See mongosh Configuration (Using ssl Options).