Use x.509 Certificates to Authenticate Clients使用x.509证书对客户端进行身份验证

~~On this page~~本页内容

~~Prerequisites~~先决条件
~~Procedure~~过程
~~Next Steps~~接下来的步骤

~~The following procedure sets up x.509 certificate authentication for client authentication on a standalone mongod instance.~~以下过程为独立mongod实例上的客户端身份验证设置x.509证书身份验证。

~~To use x.509 authentication for replica sets or sharded clusters, see Use x.509 Certificate for Membership Authentication.~~要对副本集或分片群集使用x.509身份验证，请参阅将x.509证书用于成员身份验证。

Prerequisites先决条件

~~A full description of TLS/SSL, PKI (Public Key Infrastructure) certificates, in particular x.509 certificates, and Certificate Authority is beyond the scope of this document.~~ TLS/SSL、PKI（公钥基础设施）证书，特别是x.509证书和证书颁发机构的完整描述超出了本文档的范围。~~This tutorial assumes prior knowledge of TLS/SSL as well as access to valid x.509 certificates.~~本教程假定您具有TLS/SSL的先验知识，以及访问有效的x.509证书的权限。

Certificate Authority证书颁发机构

~~For production use, your MongoDB deployment should use valid certificates generated and signed by a certificate authority.~~ 对于生产使用，MongoDB部署应该使用由证书颁发机构生成并签名的有效证书。~~You or your organization can generate and maintain an independent certificate authority, or use certificates generated by third-party TLS vendors.~~ 您或您的组织可以生成和维护独立的证书颁发机构，或使用第三方TLS供应商生成的证书。~~Obtaining and managing certificates is beyond the scope of this documentation.~~获取和管理证书超出了本文档的范围。

~~To use x.509 authentication, --tlsCAFile or net.tls.CAFile must be specified unless you are using --tlsCertificateSelector or --net.tls.certificateSelector.~~要使用x.509身份验证，必须指定--tlsCAFile或net.tls.CAFile，除非您使用的是--tlsCertificateSelector或--net.tls.certificateSelecter。

Client x.509 Certificate客户端x.509证书

~~You must have valid x.509 certificates.~~ 您必须拥有有效的x.509证书。~~The client x.509 certificates must meet the client certificate requirements.~~客户端x.509证书必须满足客户端证书要求。

Starting in MongoDB 4.2, if you specify --tlsAllowInvalidateCertificates or net.tls.allowInvalidCertificates: true when using x.509 authentication, an invalid certificate is only sufficient to establish a TLS connection but it is insufficient for authentication.从MongoDB 4.2开始，如果在使用x.509身份验证时指定--tlsAllowInvalidateCertificates或net.tls.allowInvalidCertificates:true，则无效证书仅足以建立TLS连接，但不足以进行身份验证。

Procedure过程

Deploy with x.509 Authentication使用x.509身份验证部署

~~You can configure a mongod instance for x.509 authentication from the command-line.~~您可以从命令行为x.509身份验证配置mongod实例。

~~To configure a standalone mongod instance, run the following command:~~要配置独立mongod实例，请运行以下命令：

mongod --tlsMode requireTLS \
    --tlsCertificateKeyFile <path to TLS/SSL certificate and key PEM file> \
    --tlsCAFile <path to root CA PEM file> --bind_ip <hostnames>

~~Include additional options as required for your configuration.~~包括配置所需的其他选项。

~~The x.509 configuration requires:~~x.509配置要求：

~~Option~~选项	~~Notes~~笔记
`--tlsMode`	~~Specify `requireTLS`.~~指定`requireTLS`。
`--tlsCertificateKeyFile`	~~Specify the instance's x.509 certificate to present to clients.~~指定要呈现给客户端的实例的x.509证书。
`--tlsCAFile`	~~Specify the Certificate Authority file to verify the certificates presented to the instance.~~指定证书颁发机构文件以验证提供给实例的证书。

~~You can configure a mongod for x.509 authentication in the configuration file.~~您可以在配置文件中为x.509身份验证配置mongod。

~~To configure a standalone mongod instance, add the following configuration options to your configuration file:~~要配置独立mongod实例，请将以下配置选项添加到配置文件中：

net:
   tls:
      mode: requireTLS
      certificateKeyFile: <path to TLS/SSL certificate and key PEM file>
      CAFile: <path to root CA PEM file>

~~Include additional options as required for your configuration.~~包括配置所需的其他选项。

~~The x.509 configuration requires:~~x.509配置要求：

~~Option~~选项	~~Notes~~笔记
`net.tls.mode`	Specify `requireTLS`.
`net.tls.certificateKeyFile`	~~Specify the instance's x.509 certificate to present to clients.~~指定要呈现给客户端的实例的x.509证书。
`net.tls.CAFile`	~~Specify the Certificate Authority file to verify the certificates presented to the instance.~~指定证书颁发机构文件以验证提供给实例的证书。

~~To set up x.509 authentication for replica sets or sharded clusters, see Use x.509 Certificate for Membership Authentication.~~要为副本集或分片群集设置x.509身份验证，请参阅使用x.509证书进行成员身份验证。

Add x.509 Certificate `subject` as a User将x.509证书`subject`添加为用户

~~To authenticate with a client certificate, you must first add the value of the subject from the client certificate as a MongoDB user to the $external database.~~ 要使用客户端证书进行身份验证，必须首先将客户端证书中的subject值作为MongoDB用户添加到$external数据库中。~~Each unique x.509 client certificate corresponds to a single MongoDB user.~~ 每个唯一的x.509客户端证书对应于一个MongoDB用户。~~You cannot use a single client certificate to authenticate more than one MongoDB user.~~不能使用单个客户端证书对多个MongoDB用户进行身份验证。

~~Note~~注意

~~Username Requirements~~用户名要求

~~To use Client Sessions and Causal Consistency Guarantees with $external authentication users (Kerberos, LDAP, or x.509 users), usernames cannot be greater than 10k bytes.~~要对$external身份验证用户（Kerberos、LDAP或x.509用户）使用客户端会话和因果一致性保证，用户名不能大于10k字节。
~~The RDNs in the subject string must be compatible with the RFC2253 standard.~~subject字符串中的RDN必须与RFC2253标准兼容。

~~You can retrieve the RFC2253 formatted subject from the client certificate with the following command:~~您可以使用以下命令从客户端证书中检索RFC2253格式的subject：
```
openssl x509 -in <pathToClientPEM> -inform PEM -subject -nameopt RFC2253
```
~~The command returns the subject string and the certificate:~~该命令返回subject字符串和证书：
```
subject= CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry
-----BEGIN CERTIFICATE-----
# ...
-----END CERTIFICATE-----
```
~~Add the RFC2253 compliant value of the subject as a user.~~ 将subject的符合RFC2253的值添加为用户。~~Omit spaces as needed.~~根据需要省略空格。

~~The following example adds a user and grants the user readWrite role in the test database and the userAdminAnyDatabase role:~~下面的示例添加一个用户，并在test数据库中授予用户readWrite角色和userAdminAnyDatabase角色：
```
db.getSiblingDB("$external").runCommand(
  {
    createUser: "CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry",
    roles: [
         { role: "readWrite", db: "test" },
         { role: "userAdminAnyDatabase", db: "admin" }
    ],
    writeConcern: { w: "majority" , wtimeout: 5000 }
  }
)
```
~~See Manage Users and Roles for details on adding a user with roles.~~有关添加具有角色的用户的详细信息，请参阅管理用户和角色。

Authenticate with a x.509 Certificate使用x.509证书进行身份验证

~~After you have added the x.509 client certificate subject as a corresponding MongoDB user, you can authenticate with the client certificate:~~将x.509客户端证书主题添加为相应的MongoDB用户后，可以使用客户端证书进行身份验证：

~~To authenticate during connection, run the following command:~~要在连接期间进行身份验证，请运行以下命令：

mongosh --tls --tlsCertificateKeyFile <path to client PEM file> \
    --tlsCAFile <path to root CA PEM file> \
    --authenticationDatabase '$external' \
    --authenticationMechanism MONGODB-X509

~~Option~~选项	~~Notes~~笔记
`--tls`
`--tlsCertificateKeyFile`	~~Specify the client's x.509 file.~~指定客户端的x.509文件。
`--tlsCAFile`	~~Specify the Certificate Authority file to verify the certificate presented by the `mongod` instance.~~指定证书颁发机构文件以验证`mongod`实例提供的证书。
`--authenticationDatabase`	~~Specify `'$external'`.~~指定`'$external'`。
`--authenticationMechanism`	~~Specify `MONGODB-X509`.~~指定`MONGODB-X509`。

~~You can connect without authentication and use the db.auth() method to authenticate after connection.~~您可以在没有身份验证的情况下进行连接，并在连接后使用db.auth()方法进行身份验证。

~~For example, if using mongosh,~~例如，如果使用mongosh，

~~Connect mongosh to the mongod:~~将mongosh连接到mongod：

mongosh --tls --tlsCertificateKeyFile <path to client PEM file> \
    --tlsCAFile <path to root CA PEM file>

~~Option~~选项	~~Notes~~笔记
`--tls`
`--tlsCertificateKeyFile`	~~Specify the client's x.509 file.~~指定客户端的x.509文件。
`--tlsCAFile`	~~Specify the Certificate Authority file to verify the certificate presented by the `mongod` or `mongos` instance.~~指定证书颁发机构文件以验证`mongod`或`mongos`实例提供的证书。

~~To authenticate, use the db.auth() method in the $external database.~~ 要进行身份验证，请使用$external数据库中的db.auth()方法。~~For the mechanism field, specify "MONGODB-X509".~~对于mechanism（机制）字段，指定"MONGODB-X509"。
```
db.getSiblingDB("$external").auth(
  {
    mechanism: "MONGODB-X509"
  }
)
```

Next Steps接下来的步骤

← x.509 Kerberos Authentication →