Setting | Notes |
net.tls.mode | Set to requireTLS.
This setting restricts each server to use only TLS/SSL encrypted connections. You can also specify either the value allowTLS or preferTLS to set up the use of mixed TLS/SSL modes on a port. See net.tls.mode for details. |
net.tls.certificateKeyFile | Set to the path of the file that contains the TLS/SSL certificate and key.
The mongod / mongos instance presents this file to its clients to establish the instance's identity. |
For example, consider the following configuration file for a mongod instance:
net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
  # bindIp and port sit in the same net block as tls rather than under a second top-level net key
  bindIp: localhost,mongodb0.example.net
  port: 27017
systemLog:
  destination: file
  path: "/var/log/mongodb/mongod.log"
  logAppend: true
storage:
  dbPath: "/var/lib/mongodb"
processManagement:
  fork: true
Starting in MongoDB 4.0, you can use system SSL certificate stores for Windows and macOS. To use the system SSL certificate store, specify net.tls.certificateSelector instead of specifying the certificate key file.
Setting | Notes |
net.tls.mode | Set to requireTLS.
This setting restricts each server to use only TLS/SSL encrypted connections. You can also specify either the value allowTLS or preferTLS to set up the use of mixed TLS/SSL modes on a port. See net.tls.mode for details. |
net.tls.certificateSelector | Set to the property (either subject or thumbprint) and value.
This setting is used to select the certificate. See net.tls.certificateSelector for details. |
For example, consider the following configuration file for a mongod instance:
net:
  tls:
    mode: requireTLS
    certificateSelector: subject="<CertificateCommonName>"
  # bindIp and port sit in the same net block as tls rather than under a second top-level net key
  bindIp: localhost,mongodb0.example.net
  port: 27017
systemLog:
  destination: file
  path: "/var/log/mongodb/mongod.log"
  logAppend: true
storage:
  dbPath: "/var/lib/mongodb"
processManagement:
  fork: true
A mongod instance that uses the above configuration can only use TLS/SSL connections:
mongod --config <path/to/configuration/file>
That is, clients must specify TLS/SSL connections. See Connect to MongoDB Instances Using Encryption for more information on connecting with TLS/SSL.
Tip
See also:
You can also configure mongod and mongos using command-line options instead of the configuration file:
Set Up mongod and mongos with Client Certificate Validation
The following section configures mongod / mongos to use TLS/SSL connections and perform client certificate validation. With these TLS/SSL settings:
- mongod / mongos presents its certificate key file to the client for verification.
- mongod / mongos requires a certificate key file from the client to verify the client's identity.
To use TLS/SSL connections and perform client certificate validation, include the following TLS/SSL settings in your mongod / mongos instance's configuration file:
Note
Starting in MongoDB 4.0, you can use system SSL certificate stores for Windows and macOS. To use the system SSL certificate store, specify net.ssl.certificateSelector instead of specifying the certificate key file.
Setting | Notes |
net.tls.mode | Set to requireTLS.
This setting restricts each server to use only TLS/SSL encrypted connections. You can also specify either the value allowTLS or preferTLS to set up the use of mixed TLS/SSL modes on a port. See net.tls.mode for details. |
net.tls.certificateKeyFile | Set to the path of the file that contains the TLS/SSL certificate and key.
The mongod / mongos instance presents this file to its clients to establish the instance's identity. |
net.tls.CAFile | Set to the path of the file that contains the certificate chain for verifying client certificates.
The mongod / mongos instance uses this file to verify certificates presented by its clients. The certificate chain includes the certificate of the root Certificate Authority. |
For example, consider the following configuration file for a mongod instance:
net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/caToValidateClientCertificates.pem
  # bindIp and port sit in the same net block as tls rather than under a second top-level net key
  bindIp: localhost,mongodb0.example.net
  port: 27017
systemLog:
  destination: file
  path: "/var/log/mongodb/mongod.log"
  logAppend: true
storage:
  dbPath: "/var/lib/mongodb"
processManagement:
  fork: true
A mongod instance that uses the above configuration can only use TLS/SSL connections and requires a valid certificate from its clients:
mongod --config <path/to/configuration/file>
That is, clients must specify TLS/SSL connections and present their certificate key file to the instance. See Connect to MongoDB Instances that Require Client Certificates for more information on connecting with TLS/SSL.
Tip
See also:
You can also configure mongod and mongos using command-line options instead of the configuration file:
Block Revoked Certificates for Clients
To prevent clients with revoked certificates from connecting to the mongod or mongos instance, you can use:
- Online Certificate Status Protocol (OCSP)
  Starting in version 4.4, to check for certificate revocation, MongoDB enables the use of OCSP (Online Certificate Status Protocol) by default as an alternative to specifying a CRL file or using the system SSL certificate store.
  In versions 4.0 and 4.2, the use of OCSP is available only through the use of the system certificate store on Windows or macOS.
- Certificate Revocation List (CRL)
  To specify a CRL file, include net.tls.CRLFile set to a file that contains revoked certificates.
For example:
net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/caToValidateClientCertificates.pem
    CRLFile: /etc/ssl/revokedCertificates.pem
Clients that present certificates listed in /etc/ssl/revokedCertificates.pem will not be able to connect.
Tip
See also:
You can also configure the revoked certificate list using the command-line option.
Validate Only if a Client Presents a Certificate
In most cases, it is important to ensure that clients present valid certificates. However, if you have clients that cannot present a client certificate or are transitioning to using a certificate, you may only want to validate certificates from clients that present a certificate.
To bypass client certificate validation for clients that do not present a certificate, include net.tls.allowConnectionsWithoutCertificates set to true.
For example:
net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/caToValidateClientCertificates.pem
    allowConnectionsWithoutCertificates: true
A mongod / mongos running with these settings allows connections from:
- Clients that do not present a certificate.
- Clients that present a valid certificate.
Note
If the client presents a certificate, the certificate must be a valid certificate.
All connections, including those that have not presented certificates, are encrypted using TLS/SSL.
See TLS/SSL Configuration for Clients for more information on TLS/SSL connections for clients.
Tip
See also:
You can also configure using the command-line options:
Disallow Protocols
To prevent MongoDB servers from accepting incoming connections that use specific protocols, include net.tls.disabledProtocols set to the disallowed protocols.
For example, the following configuration prevents mongod / mongos from accepting incoming connections that use either TLS1_0 or TLS1_1:
net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/caToValidateClientCertificates.pem
    disabledProtocols: TLS1_0,TLS1_1
Tip
See also:
You can also configure using the command-line options:
TLS/SSL Certificate Passphrase
If the certificate key files for mongod / mongos are encrypted, include net.tls.certificateKeyFilePassword set to the passphrase.
Tip
Starting in MongoDB 4.2, to avoid specifying the passphrase in cleartext, you can use an expansion value in the configuration file.
Tip
See also:
You can also configure using the command-line options:
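The settings covered so far (the mode and certificate tables, CAFile for client certificate validation, allowConnectionsWithoutCertificates, disabledProtocols and the passphrase) are all things worth checking in a configuration file before a mongod or mongos is started with it. The following script is an added example, not MongoDB's own tooling: it parses the nested key/value subset of YAML these config files use with a small hand-written parser (so no PyYAML is needed), merges a repeated top-level key such as a second net block instead of dropping it, and reports every setting that weakens the hardened configuration described on this page. It accepts the net.ssl aliases used in the procedures further down as well as net.tls. The three configuration strings are constructed for the example; the passphrase check assumes that a passphrase supplied as a nested mapping (an expansion directive such as MongoDB's __exec) is not cleartext, while a plain scalar is.

```python
"""Audit the net.tls / net.ssl section of a mongod or mongos config file (added example)."""


def _scalar(value):
    """Convert a YAML scalar token to str, bool or int; surrounding quotes are stripped."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    if value in ("true", "false"):
        return value == "true"
    if value.lstrip("-").isdigit():
        return int(value)
    return value


def parse_simple_yaml(text):
    """Parse indentation-nested 'key: value' mappings into dicts (no lists, no flow syntax).

    A key that opens a mapping more than once (e.g. two top-level "net:" blocks)
    is merged rather than replaced, so no setting is silently lost.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping currently being filled)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while indent <= stack[-1][0]:  # close every mapping this line is not inside of
            stack.pop()
        parent = stack[-1][1]
        if value.strip() == "":
            child = parent.setdefault(key.strip(), {})
            stack.append((indent, child))
        else:
            parent[key.strip()] = _scalar(value.strip())
    return root


def audit_tls(config):
    """Return a list of findings; an empty list means the config matches the hardened settings."""
    net = config.get("net", {})
    tls = net.get("tls") or net.get("ssl")  # net.ssl keys are the older aliases
    if not tls:
        return ["no net.tls / net.ssl section: connections are not encrypted"]
    findings = []
    mode = tls.get("mode")
    if mode not in ("requireTLS", "requireSSL"):
        findings.append(f"mode is {mode!r}: non-TLS connections are accepted (expected requireTLS)")
    if not any(k in tls for k in ("certificateKeyFile", "PEMKeyFile", "certificateSelector")):
        findings.append("no server identity: set certificateKeyFile (or certificateSelector on Windows/macOS)")
    if "CAFile" not in tls:
        findings.append("no CAFile: client certificates cannot be validated")
    if tls.get("allowConnectionsWithoutCertificates") is True:
        findings.append("allowConnectionsWithoutCertificates is true: clients without a certificate are accepted")
    disabled = {p.strip() for p in str(tls.get("disabledProtocols", "")).split(",")} - {""}
    missing = {"TLS1_0", "TLS1_1"} - disabled
    if missing:
        findings.append("disabledProtocols does not cover " + ",".join(sorted(missing)))
    for key in ("certificateKeyFilePassword", "PEMKeyPassword"):
        # a scalar is a cleartext passphrase; a mapping holds an expansion directive (assumption)
        if isinstance(tls.get(key), str):
            findings.append(f"{key} is stored in cleartext: use a config expansion instead")
    return findings


# Constructed sample configs: the hardened net.tls config from this page, its net.ssl
# alias form with an __exec passphrase expansion, and a deliberately weakened variant.
HARDENED_CONFIG = """\
net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/caToValidateClientCertificates.pem
    disabledProtocols: TLS1_0,TLS1_1
  bindIp: localhost,mongodb0.example.net
  port: 27017
systemLog:
  destination: file
  path: "/var/log/mongodb/mongod.log"
  logAppend: true
"""
LEGACY_CONFIG = """\
net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongodb.pem
    PEMKeyPassword:
      __exec: "/usr/local/bin/get-key-passphrase.sh"
    CAFile: /etc/ssl/caToValidateClientCertificates.pem
    disabledProtocols: TLS1_0,TLS1_1
"""
WEAK_CONFIG = """\
net:
  tls:
    mode: preferTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    certificateKeyFilePassword: "example-passphrase"
    CAFile: /etc/ssl/caToValidateClientCertificates.pem
    allowConnectionsWithoutCertificates: true
  bindIp: 0.0.0.0
  port: 27017
"""

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED_CONFIG), ("net.ssl", LEGACY_CONFIG), ("weak", WEAK_CONFIG)):
        findings = audit_tls(parse_simple_yaml(text))
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for f in findings:
            print("  -", f)
```

Run it against a real config with `audit_tls(parse_simple_yaml(open(path).read()))`; the parser covers only the mapping subset shown on this page, so a file that uses YAML lists or multi-line scalars should be loaded with a full YAML library instead and the resulting dict passed to audit_tls.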
Online Certificate Rotation
Starting in MongoDB 5.0, you can rotate the following certificate key files on-demand:
To rotate one or more of these certificates:
- Replace the certificate or certificates you wish to rotate on the filesystem, noting the following constraints:
  - Each new certificate must have the same filename and same filepath as the certificate it is replacing.
  - If rotating an encrypted TLS Certificate, its password must be the same as the password for the old certificate (as specified to the certificateKeyFilePassword configuration file setting). Certificate rotation does not support the interactive password prompt.
- Connect mongosh to the mongod or mongos instance that you wish to perform certificate rotation on.
- Run the rotateCertificates command or the db.rotateCertificates() shell method to rotate the certificates used by the mongod or mongos instance.
When certificate rotation takes place:
- Existing connections to the mongod or mongos instance are not terminated, and will continue to use the old certificates.
- Any new connections will use the new certificates.
Incorrect, expired, revoked, or missing certificate files will cause the certificate rotation to fail, but will not invalidate the existing TLS configuration or terminate the running mongod or mongos process.
Previous to MongoDB 5.0, certificate rotation required downtime, and was typically performed during maintenance windows.
See rotateCertificates or db.rotateCertificates() for additional considerations and full usage instructions.
Procedures (Using net.ssl Settings)
Note
Starting in version 4.2, MongoDB provides net.tls settings (and corresponding command-line options) that correspond to the net.ssl settings (and their corresponding command-line options). The net.tls settings provide identical functionality to the net.ssl options, since MongoDB has always supported TLS 1.0 and later.
The procedures in this section use the net.ssl settings. For procedures using the net.tls aliases, see Procedures (Using net.tls Settings).
Set Up mongod and mongos with TLS/SSL Certificate and Key
The following section configures mongod / mongos to use TLS/SSL connections. With these TLS/SSL settings, mongod / mongos presents its certificate key file to the client. However, the mongod / mongos does not require a certificate key file from the client to verify the client's identity. To require the client's certificate key file, see Set Up mongod and mongos with Client Certificate Validation instead.
To use TLS/SSL connections, include the following TLS/SSL settings in your mongod / mongos instance's configuration file:
Setting | Notes |
net.ssl.mode | Set to requireSSL.
This setting restricts each server to use only TLS/SSL encrypted connections. You can also specify allowSSL or preferSSL to use mixed TLS/SSL modes. See net.ssl.mode for details. |
net.ssl.PEMKeyFile | Set to the .pem file that contains the TLS/SSL certificate and key.
The mongod / mongos instance presents this file to its clients to establish the instance's identity.
If the key is encrypted, specify the passphrase (net.ssl.PEMKeyPassword). |
For example, consider the following configuration file for a mongod instance:
net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongodb.pem
  # bindIp and port sit in the same net block as ssl rather than under a second top-level net key
  bindIp: localhost,mongodb0.example.net
  port: 27017
systemLog:
  destination: file
  path: "/var/log/mongodb/mongod.log"
  logAppend: true
storage:
  dbPath: "/var/lib/mongodb"
processManagement:
  fork: true
Starting in MongoDB 4.0, you can use system SSL certificate stores for Windows and macOS. To use the system SSL certificate store, specify net.ssl.certificateSelector instead of specifying the certificate key file.
Setting | Notes |
net.ssl.mode | Set to requireSSL.
This setting restricts each server to use only TLS/SSL encrypted connections. You can also specify allowSSL or preferSSL to use mixed TLS/SSL modes. See net.ssl.mode for details. |
net.ssl.certificateSelector | Set to the property (either subject or thumbprint) and value.
This setting is used to select the certificate. See net.ssl.certificateSelector for details. |
For example, consider the following configuration file for a mongod instance:
net:
  ssl:
    mode: requireSSL
    certificateSelector: subject="<CertificateCommonName>"
  # bindIp and port sit in the same net block as ssl rather than under a second top-level net key
  bindIp: localhost,mongodb0.example.net
  port: 27017
systemLog:
  destination: file
  path: "/var/log/mongodb/mongod.log"
  logAppend: true
storage:
  dbPath: "/var/lib/mongodb"
processManagement:
  fork: true
A mongod instance that uses the above configuration can only use TLS/SSL connections:
mongod --config <path/to/configuration/file>
That is, clients must specify TLS/SSL connections. See Connect to MongoDB Instances Using Encryption for more information on connecting with TLS/SSL.
Tip
See also:
You can also configure mongod and mongos using command-line options instead of the configuration file:
Set Up mongod and mongos with Client Certificate Validation
The following section configures mongod / mongos to use TLS/SSL connections and perform client certificate validation. With these TLS/SSL settings:
- mongod / mongos presents its certificate key file to the client for verification.
- mongod / mongos requires a certificate key file from the client to verify the client's identity.
To use TLS/SSL connections, include the following TLS/SSL settings in your mongod / mongos instance's configuration file:
Note
Starting in MongoDB 4.0, you can use system SSL certificate stores for Windows and macOS. To use the system SSL certificate store, specify net.ssl.certificateSelector instead of specifying the certificate key file.
Setting | Notes |
net.ssl.mode | Set to requireSSL.
This setting restricts each server to use only TLS/SSL encrypted connections. You can also specify allowSSL or preferSSL to use mixed TLS/SSL modes. See net.ssl.mode for details. |
net.ssl.PEMKeyFile | Set to the .pem file that contains the TLS/SSL certificate and key.
The mongod / mongos instance presents this file to its clients to establish the instance's identity.
If the key is encrypted, specify the passphrase (net.ssl.PEMKeyPassword). |
net.ssl.CAFile | Set to the path of the file that contains the certificate chain for verifying client certificates.
The mongod / mongos instance uses this file to verify certificates presented by its clients. The certificate chain includes the certificate of the root Certificate Authority. |
For example, consider the following configuration file for a mongod instance:
net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/caToValidateClientCertificates.pem
  # bindIp and port sit in the same net block as ssl rather than under a second top-level net key
  bindIp: localhost,mongodb0.example.net
  port: 27017
systemLog:
  destination: file
  path: "/var/log/mongodb/mongod.log"
  logAppend: true
storage:
  dbPath: "/var/lib/mongodb"
processManagement:
  fork: true
A mongod instance that uses the above configuration can only use TLS/SSL connections and requires a valid certificate from its clients:
mongod --config <path/to/configuration/file>
That is, clients must specify TLS/SSL connections and present their certificate key file to the instance. See Connect to MongoDB Instances that Require Client Certificates for more information on connecting with TLS/SSL.
Tip
See also:
You can also configure mongod and mongos using command-line options instead of the configuration file:
Block Revoked Certificates for Clients
To prevent clients with revoked certificates from connecting to the mongod or mongos instance, you can use:
- Online Certificate Status Protocol (OCSP)
  Starting in version 4.4, to check for certificate revocation, MongoDB enables the use of OCSP (Online Certificate Status Protocol) by default as an alternative to specifying a CRL file or using the system SSL certificate store.
  In versions 4.0 and 4.2, the use of OCSP is available only through the use of the system certificate store on Windows or macOS.
- Certificate Revocation List (CRL)
  To specify a CRL file, include net.ssl.CRLFile set to a file that contains revoked certificates.
For example:
net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/caToValidateClientCertificates.pem
    CRLFile: /etc/ssl/revokedCertificates.pem
Clients that present certificates listed in /etc/ssl/revokedCertificates.pem will not be able to connect.
Tip
See also:
You can also configure the revoked certificate list using the command-line option.
Validate Only if a Client Presents a Certificate
In most cases, it is important to ensure that clients present valid certificates. However, if you have clients that cannot present a client certificate or are transitioning to using a certificate, you may only want to validate certificates from clients that present a certificate.
To bypass client certificate validation for clients that do not present a certificate, include net.ssl.allowConnectionsWithoutCertificates set to true.
For example:
net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/caToValidateClientCertificates.pem
    allowConnectionsWithoutCertificates: true
A mongod / mongos running with these settings allows connections from:
- Clients that do not present a certificate.
- Clients that present a valid certificate.
Note
If the client presents a certificate, the certificate must be a valid certificate.
All connections, including those that have not presented certificates, are encrypted using TLS/SSL.
See TLS/SSL Configuration for Clients for more information on TLS/SSL connections for clients.
Tip
See also:
You can also configure using the command-line options:
Disallow Protocols
To prevent MongoDB servers from accepting incoming connections that use specific protocols, include net.ssl.disabledProtocols set to the disallowed protocols.
For example, the following configuration prevents mongod / mongos from accepting incoming connections that use either TLS1_0 or TLS1_1:
net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/caToValidateClientCertificates.pem
    disabledProtocols: TLS1_0,TLS1_1
Tip
See also:
You can also configure using the command-line options:
TLS/SSL Certificate Passphrase
If the certificate key files for mongod / mongos are encrypted, include net.ssl.PEMKeyPassword set to the passphrase.
Tip
See also:
You can also configure using the command-line options: