db.rotateCertificates()

~~On this page~~本页内容

~~Definition~~定义
~~Output~~输出
~~Behavior~~行为
~~Logging~~登录中
~~Required Access~~所需访问权限
~~Example~~示例

Definition定义

New in version 5.0.在版本5.0中新增。

db.rotateCertificates(message)

~~Rotates the currently used TLS certificates for a mongod or mongos to use the updated values for these certificates defined in the configuration file.~~旋转mongod或mongos当前使用的TLS证书，以使用配置文件中定义的这些证书的更新值。

db.rotateCertificates(message)

~~The db.rotateCertificates() method takes the following optional argument:~~db.rotateCertificates()方法接受以下可选参数：

~~Parameter~~参数	~~Type~~类型	~~Description~~描述
`message`	string	~~optional~~可选。 ~~A message logged by the server to the log file and audit file.~~ 服务器记录到日志文件和审核文件中的消息。

~~The db.rotateCertificates() method wraps the rotateCertificates command.~~db.rotateCertificates()方法包装rotateCertificates命令。

Output输出

~~The db.rotateCertificates() method returns a document with the following field:~~db.rotateCertificates()方法返回具有以下字段的文档：

~~Field~~字段	~~Type~~类型	~~Description~~描述
`ok`	bool	~~Contains the command's execution status.~~ 包含命令的执行状态。~~`true` on success, or `false` if an error occurred.~~ 成功时为`true`，发生错误时为`false`。~~If `false`, an `errmsg` field is additionally provided with a detailed error message.~~ 如果为`false`，`errmsg`字段还将提供详细的错误消息。

Behavior行为

~~Rotation includes the following certificates:~~轮换包括以下证书：

TLS Certificates
CRL (Certificate Revocation List) files~~(on Linux and Windows platforms)~~（在Linux和Windows平台上）
CA (Certificate Authority) files

~~To rotate one or more of these certificates:~~要轮换一个或多个证书：

~~Replace the certificate or certificates you wish to rotate on the filesystem, noting the following constraints:~~替换要在文件系统上轮换的一个或多个证书，注意以下约束：
- ~~Each new certificate must have the same filename and same filepath as the certificate it is replacing.~~每个新证书必须具有与其替换的证书相同的文件名和文件路径。
- ~~If rotating an encrypted TLS Certificate, its password must be the same as the password for the old certificate (as specified to the certificateKeyFilePassword configuration file setting).~~ 如果旋转加密的TLS证书，其密码必须与旧证书的密码相同（如certificateKeyFilePassword配置文件设置中指定的）。~~Certificate rotation does not support the interactive password prompt.~~证书轮换不支持交互式密码提示。
~~Connect mongosh to the mongod or mongos instance that you wish to perform certificate rotation on.~~将mongosh连接到您希望对其执行证书轮换的mongod或mongos实例。
~~Run db.rotateCertificates() to rotate the certificates used by the the mongod or mongos instance.~~运行db.rotateCertificates()来轮换mongod或mongos实例使用的证书。

~~When certificate rotation takes place:~~证书轮换发生时：

~~Existing connections to the mongod or mongos instance are not terminated, and will continue to use the old certificates.~~到mongod或mongos实例的现有连接不会终止，将继续使用旧证书。
~~Any new connections will use the new certificates.~~任何新连接都将使用新证书。

~~If you have configured OCSP for your deployment, the db.rotateCertificates() method will also fetch stapled OCSP responses during rotation.~~如果您已经为部署配置了OCSP，那么db.rotateCertificates()>方法还将在轮换期间获取装订的OCSP响应。

~~The db.rotateCertificates() method may be run on a running mongod or mongos regardless of replication status.~~无论复制状态如何，db.rotateCertificates()方法都可以在正在运行的mongod或mongos上运行。

~~Only one instance of db.rotateCertificates() or rotateCertificates may run on each mongod or mongos process at a time.~~ 每次只能在每个mongod或mongos进程上运行db.rotateCertificates()或rotateCertificates的一个实例。~~Attempting to initiate a second instance while one is already running will result in an error.~~尝试在第二个实例已经运行时启动该实例将导致错误。

Incorrect, expired, revoked, or missing certificate files will cause the certificate rotation to fail, but will not invalidate the existing TLS configuration or terminate the running mongod or mongos process.不正确、过期、吊销或丢失的证书文件将导致证书轮换失败，但不会使现有TLS配置无效或终止正在运行的mongod或mongos进程。

~~If the mongod or mongos is running with --tlsCertificateSelector set to thumbprint, db.rotateCertificates() will fail and write a warning message to the log file.~~如果mongod或mongos在--tlsCertificateSelector设置为thumbprint的情况下运行，dbrotateCertificates()将失败，并将警告消息写入日志文件。

Logging登录中

~~On successful rotation, the subject names, thumbprints, and the validity period of the server and cluster certificate thumbprints are logged to the configured log destination.~~ 成功轮换后，服务器和群集证书指纹的使用者名称、指纹以及有效期将记录到配置的日志目标中。~~If auditing is enabled, this information is also written to the audit log.~~如果启用了审核，则此信息也会写入审核日志。

~~On Linux and Windows platforms, if a CRL file is present, its thumbprint and validity period are also logged to these locations.~~在Linux和Windows平台上，如果存在CRL file，其指纹和有效期也会记录到这些位置。

Required Access所需访问权限

~~You must have the rotateCertificates action in order to use the db.rotateCertificates() method.~~ 必须具有rotateCertificates操作才能使用db.rotateCertificates()方法。~~The rotateCertificates action is part of the hostManager role.~~rotateCertificates操作是hostManager角色的一部分。

Example示例

~~The following operation rotates the certificates on a running mongod instance, after having made the appropriate updates to the configuration file to specify the updated certificate information:~~在对配置文件进行适当更新以指定更新的证书信息之后，以下操作将在运行的mongod实例上轮换证书：

db.rotateCertificates()

~~The following performs the same as above, but also writes a custom log message at rotation time to the log file and audit file:~~以下操作与上述操作相同，但也会在轮换时将自定义日志消息写入日志文件和审核文件：

db.rotateCertificates("message": "Rotating certificates")

← db.resetError()db.runCommand() →