Use x.509 Certificate for Membership Authentication
MongoDB supports x.509 certificate authentication for use with a secure TLS/SSL connection. Sharded cluster members and replica set members can use x.509 certificates to verify their membership to the cluster or the replica set instead of using keyfiles. The membership authentication is an internal process.
Note
MongoDB disables support for TLS 1.0 encryption on systems where TLS 1.1+ is available. For more details, see Disable TLS 1.0.
Enabling internal authentication also enables Role-Based Access Control. Clients must authenticate as a user in order to connect and perform operations in the deployment.
See the Manage Users and Roles tutorial for instructions on adding users to the deployment.
See the Use x.509 Certificates to Authenticate Clients tutorial for instructions on using x.509 certificates for user authentication.
Important
A full description of TLS/SSL, PKI (Public Key Infrastructure) certificates, in particular x.509 certificates, and Certificate Authority is beyond the scope of this document. This tutorial assumes prior knowledge of TLS/SSL as well as access to valid x.509 certificates.
Member x.509 Certificate
Note
You must have valid x.509 certificates.
Starting in MongoDB 4.0, if you specify any of the following x.509 authentication options, an invalid certificate is sufficient only to establish a TLS connection but it is insufficient for authentication:
--sslAllowInvalidCertificates
ornet.ssl.allowInvalidCertificates: true
for MongoDB 4.0 and later--tlsAllowInvalidCertificates
ornet.tls.allowInvalidCertificates: true
for MongoDB 4.2 and later
Certificate Requirements
Use member certificates to verify membership to a sharded
cluster or a replica set. Member certificate file paths are
configured with the net.tls.clusterFile
and
net.tls.certificateKeyFile
options. Members have the
following configuration requirements:
Cluster member configuration must specify a non-empty value for at least one of the attributes used for authentication. By default, MongoDB accepts:
the Organization (
O
)the Organizational Unit (
OU
)the Domain Component (
DC
)
You can specify alternative attributes to use for authentication by setting
net.tls.clusterAuthX509.extensionValue
.Cluster member configuration must include the same
net.tls.clusterAuthX509.attributes
and use matching values. Attribute order doesn't matter. The following example setsO
andOU
, but notDC
:net: tls: clusterAuthX509: attributes: O=MongoDB, OU=MongoDB Server
The certificates have the following requirements:
A single Certificate Authority (CA) must issue all x.509 certificates for the members of a sharded cluster or a replica set.
At least one of the Subject Alternative Name (
SAN
) entries must match the server hostname used by other cluster members. When comparingSAN
s, MongoDB can compare either DNS names or IP addresses.If you don't specify
subjectAltName
, MongoDB compares the Common Name (CN) instead. However, this usage of CN is deprecated per RFC2818If the certificate used as the
certificateKeyFile
includesextendedKeyUsage
, the value must include bothclientAuth
("TLS Web Client Authentication") andserverAuth
("TLS Web Server Authentication").extendedKeyUsage = clientAuth, serverAuth If the certificate used as the
clusterFile
includesextendedKeyUsage
, the value must includeclientAuth
.extendedKeyUsage = clientAuth
Configure Replica Set/Sharded Cluster
Outside of rolling upgrade procedures, every component of a replica set or sharded cluster should use the same
--clusterAuthMode
setting to ensure it can securely connect to all
other components in the deployment.
For replica set deployments, this includes all mongod
members of the replica set.
For sharded cluster deployments, this includes all mongod
or mongos
instances.
Note
mongod
and mongos
bind to localhost by default. If the members of your deployment are
run on different hosts or if you wish remote clients to connect to
your deployment, you must specify --bind_ip
or
net.bindIp
.
Use Command-line Options (tls
)
Note
The procedures in this section use the tls
settings/option. For
procedures using the deprecated ssl
aliases, see
Use Command-line Options (ssl
).
The tls
settings/options provide identical functionality
as the ssl
options since MongoDB has always supported TLS 1.0
and later.
mongod --replSet <name> --tlsMode requireTLS --clusterAuthMode x509 --tlsClusterFile <path to membership certificate and key PEM file> --tlsCertificateKeyFile <path to TLS/SSL certificate and key file> --tlsCAFile <path to root CA file> --bind_ip localhost,<hostname(s)|ip address(es)>
Important
To use x.509 authentication, --tlsCAFile
or net.tls.CAFile
must be specified unless you are using --tlsCertificateSelector
or --net.tls.certificateSelector
.
Include any additional options, TLS/SSL or otherwise, that are required for your specific configuration. For
security: clusterAuthMode: x509 net: tls: mode: requireTLS certificateKeyFile: <path to its TLS/SSL certificate and key file> CAFile: <path to root CA PEM file to verify received certificate> clusterFile: <path to its certificate key file for membership authentication> bindIp: localhost,<hostname(s)|ip address(es)>
Important
To use x.509 authentication, --tlsCAFile
or net.tls.CAFile
must be specified unless you are using --tlsCertificateSelector
or --net.tls.certificateSelector
.
Include any additional options, TLS/SSL or otherwise, that are required for your specific configuration.
For more information, see Configure mongod
and mongos
for TLS/SSL.
Use Command-line Options (ssl
)
Note
The procedures in this section use the deprecated ssl
settings/option.
For procedures using their tls
aliases (available in MongoDB 4.2+),
see Use Command-line Options (tls
).
The tls
settings/options provide identical functionality
as the ssl
options since MongoDB has always supported TLS 1.0
and later.
To specify the x.509 certificate for internal cluster member
authentication, append the additional TLS/SSL options
--clusterAuthMode
and --sslClusterFile
, as in the
following example for a member of a replica set:
mongod --replSet <name> --sslMode requireSSL --clusterAuthMode x509 --sslClusterFile <path to membership certificate and key PEM file> --sslPEMKeyFile <path to TLS/SSL certificate and key PEM file> --sslCAFile <path to root CA PEM file> --bind_ip localhost,<hostname(s)|ip address(es)>
Important
To use x.509 authentication, --tlsCAFile
or net.tls.CAFile
must be specified unless you are using --tlsCertificateSelector
or --net.tls.certificateSelector
.
Include any additional options, TLS/SSL or otherwise, that are required for your specific configuration.
security: clusterAuthMode: x509 net: ssl: mode: requireSSL PEMKeyFile: <path to TLS/SSL certificate and key PEM file> CAFile: <path to root CA PEM file> clusterFile: <path to x.509 membership certificate and key PEM file> bindIp: localhost,<hostname(s)|ip address(es)>
Important
To use x.509 authentication, --tlsCAFile
or net.tls.CAFile
must be specified unless you are using --tlsCertificateSelector
or --net.tls.certificateSelector
.
Include any additional options, TLS/SSL or otherwise, that are required for your specific configuration.
For more information, see Configure mongod
and mongos
for TLS/SSL.
Additional Information
To upgrade from keyfile internal authentication to x.509 internal authentication, see Upgrade from Keyfile Authentication to x.509 Authentication.
To perform a rolling update of the certificates to new certificates
with different DN
, see
Rolling Update of x.509 Cluster Certificates that Contain New DN.