rotateCertificates

~~On this page~~本页内容

~~Definition~~定义
~~Output~~输出
~~Behavior~~行为
~~Logging~~登录中
~~Required Access~~所需访问权限
~~Example~~示例

Definition定义

New in version 5.0.在版本5.0中新增。

rotateCertificates

~~Rotates the currently used TLS certificates for a mongod or mongos to use the updated values for these certificates defined in the configuration file.~~旋转mongod或mongos当前使用的TLS证书，以使用配置文件中定义的这些证书的更新值。

~~The command takes the following form:~~该命令采用以下形式：

{ rotateCertificates: 1,
  message: "<optional log message>" }

~~The rotateCertificates command takes the following optional argument:~~rotateCertificates命令采用以下可选参数：

~~Parameter~~参数	~~Type~~类型	~~Description~~描述
`message`	string	~~optional~~ 可选。~~A message logged by the server to the log file and audit file.~~ 服务器记录到日志文件和审核文件中的消息。

Output输出

~~The rotateCertificates command returns a document with the following field:~~rotateCertificates命令返回具有以下字段的文档：

~~Field~~字段	~~Type~~类型	~~Description~~描述
`ok`	bool	~~Contains the command's execution status.~~ 包含命令的执行状态。~~`true` on success, or `false` if an error occurred.~~ 成功时为`true`，如果发生错误则为`false`。~~If `false`, an `errmsg` field is additionally provided with a detailed error message.~~ 如果为`false`，则还会为`errmsg`字段提供详细的错误消息。

Behavior行为

~~Rotation includes the following certificates:~~轮换包括以下证书：

TLS Certificates
CRL (Certificate Revocation List) files~~(on Linux and Windows platforms)~~（在Linux和Windows平台上）
CA (Certificate Authority) files

~~To rotate one or more of these certificates:~~要轮换一个或多个证书，请执行以下操作：

~~Replace the certificate or certificates you wish to rotate on the filesystem, noting the following constraints:~~替换要在文件系统上旋转的一个或多个证书，注意以下限制：
- ~~Each new certificate must have the same filename and same filepath as the certificate it is replacing.~~每个新证书必须具有与其替换的证书相同的文件名和文件路径。
- ~~If rotating an encrypted TLS Certificate, its password must be the same as the password for the old certificate (as specified to the certificateKeyFilePassword configuration file setting).~~ 如果旋转加密的TLS Certificate，其密码必须与旧证书的密码相同（在certificateKeyFilePassword配置文件设置中指定）。~~Certificate rotation does not support the interactive password prompt.~~证书轮换不支持交互式密码提示。
~~Connect mongosh to the mongod or mongos instance that you wish to perform certificate rotation on.~~将mongosh连接到希望对其执行证书轮换的mongod或mongos实例。
~~Run the rotateCertificates command to rotate the certificates used by the the mongod or mongos instance.~~运行rotateCertificates命令来旋转mongod或mongos实例使用的证书。

~~When certificate rotation takes place:~~证书轮换发生时：

~~Existing connections to the mongod or mongos instance are not terminated, and will continue to use the old certificates.~~与mongod或mongos实例的现有连接不会终止，将继续使用旧证书。
~~Any new connections will use the new certificates.~~任何新连接都将使用新证书。

~~If you have configured OCSP for your deployment, the rotateCertificates command will also fetch stapled OCSP responses during rotation.~~如果您已经为部署配置了OCSP，rotateCertificates命令还将在轮换期间获取装订的OCSP响应。

~~The rotateCertificates command may be run on a running mongod or mongos regardless of replication status.~~无论复制状态如何，rotateCertificates命令都可以在正在运行的mongod或mongos上运行。

~~Only one instance of db.rotateCertificates() or rotateCertificates may run on each mongod or mongos process at a time.~~ 一次只能在每个mongod或mongos进程上运行db.rotateCertificates()或rotateCertificates的一个实例。~~Attempting to initiate a second instance while one is already running will result in an error.~~当一个实例已经运行时，尝试启动另一个实例将导致错误。

Incorrect, expired, revoked, or missing certificate files will cause the certificate rotation to fail, but will not invalidate the existing TLS configuration or terminate the running mongod or mongos process.不正确、过期、吊销或丢失的证书文件将导致证书轮换失败，但不会使现有TLS配置无效或终止正在运行的mongod或mongos进程。

~~If the mongod or mongos is running with --tlsCertificateSelector set to thumbprint, rotateCertificates will fail and write a warning message to the log file.~~如果mongod或mongos在--tlsCertificateSelector设置为thumbprint的情况下运行，rotateCertificates将失败，并将警告消息写入日志文件。

Logging登录中

~~On successful rotation, the subject names, thumbprints, and the validity period of the server and cluster certificate thumbprints are logged to the configured log destination.~~ 成功轮换后，主题名称、指纹以及服务器和群集证书指纹的有效期将记录到配置的日志目标中。~~If auditing is enabled, this information is also written to the audit log.~~如果启用了审核，则此信息也会写入审核日志。

~~On Linux and Windows platforms, if a CRL file is present, its thumbprint and validity period are also logged to these locations.~~在Linux和Windows平台上，如果存在CRL file，其指纹和有效期也会记录到这些位置。

~~Required Access~~所需访问权限

~~You must have the rotateCertificates action in order to use the rotateCertificates command.~~ 要使用rotateCertificates命令，必须执行rotateCertificates操作。~~The rotateCertificates action is part of the hostManager role.~~rotateCertificates操作是hostManager角色的一部分。

Example示例

~~The following operation rotates the certificates on a running mongod instance, after having made the appropriate updates to the configuration file to specify the updated certificate information:~~在对配置文件进行适当更新以指定更新后的证书信息后，以下操作将在正在运行的mongod实例上旋转证书：

db.adminCommand( { rotateCertificates: 1 } )

~~The following performs the same as above, but also writes a custom log message at rotation time to the log file and audit file:~~以下操作与上述操作相同，但也会在轮换时将自定义日志消息写入日志文件和审核文件：

db.adminCommand( { rotateCertificates: 1, message: "Rotating certificates" } )

← renameCollection setAuditConfig →