Database Manual / Reference / Database Commands / Administration

rotateCertificates (database command数据库命令)

Definition定义

New in version 5.0.在版本5.0中新增。

rotateCertificates
Rotates the currently used TLS certificates for a mongod or mongos to use the updated values for these certificates defined in the configuration file.旋转mongodmongos当前使用的TLS证书,以使用配置文件中定义的这些证书的更新值。

Compatibility兼容性

This command is available in deployments hosted in the following environments:此命令在以下环境中托管的部署中可用:

  • MongoDB Atlas: The fully managed service for MongoDB deployments in the cloud:云中MongoDB部署的完全托管服务

Note

This command is supported in all MongoDB Atlas clusters. 所有MongoDB Atlas集群都支持此命令。For information on Atlas support for all commands, see Unsupported Commands.有关Atlas支持所有命令的信息,请参阅不支持的命令

  • MongoDB Enterprise: The subscription-based, self-managed version of MongoDB:MongoDB的基于订阅的自我管理版本
  • MongoDB Community: The source-available, free-to-use, and self-managed version of MongoDB:MongoDB的源代码可用、免费使用和自我管理版本

Note

Atlas automatically rotates the certificates. You don't need to run the rotateCertificates command when using Atlas. Use the rotateCertificates command only if you want to rotate the certificates manually.Atlas会自动轮换证书。使用Atlas时,您不需要运行rotateCertificates命令。仅当您想手动旋转证书时,才使用rotateCertificates命令。

Syntax语法

The command has the following syntax:该命令具有以下语法:

db.runCommand(
   {
     rotateCertificates: 1,
     message: "<optional log message>"
   }
)

Command Fields命令字段

The command takes the following optional field:该命令接受以下可选字段:

Parameter参数Type类型Description描述
messagestring字符串optional A message logged by the server to the log file and audit file.可选。服务器记录到日志文件和审核文件中的消息。

Output输出

The rotateCertificates command returns a document with the following field:rotateCertificates命令返回一个包含以下字段的文档:

Field字段Type类型Description描述
okboolContains the command's execution status. true on success, or false if an error occurred. 包含命令的执行状态。成功时为true,发生错误时为falseIf false, an errmsg field is additionally provided with a detailed error message.如果为false,则会额外提供一个errmsg字段,其中包含详细的错误消息。

Behavior行为

Rotation includes the following certificates:轮换包括以下证书:

To rotate one or more of these certificates:要轮换其中一个或多个证书,请执行以下操作:

  1. Replace the certificate or certificates you wish to rotate on the filesystem, noting the following constraints:替换您希望在文件系统上轮换的一个或多个证书,注意以下限制:

    • Each new certificate must have the same filename and same filepath as the certificate it is replacing.每个新证书必须具有与其替换的证书相同的文件名文件路径
    • If rotating an encrypted TLS Certificate, its password must be the same as the password for the old certificate (as specified to the certificateKeyFilePassword configuration file setting). Certificate rotation does not support the interactive password prompt.
  2. Connect mongosh to the mongod or mongos instance that you wish to perform certificate rotation on.
  3. Run the rotateCertificates command to rotate the certificates used by the mongod or mongos instance.

When certificate rotation takes place:证书轮换时:

  • Existing connections to the mongod or mongos instance are not terminated, and will continue to use the old certificates.mongodmongos实例的现有连接不会终止,并将继续使用旧证书。
  • Any new connections will use the new certificates.任何新连接都将使用新证书。

If you have configured OCSP for your deployment, the rotateCertificates command will also fetch stapled OCSP responses during rotation.如果您已为部署配置了OCSP,则rotateCertificates命令还将在轮换期间获取装订好的OCSP响应。

The rotateCertificates command may be run on a running mongod or mongos regardless of replication status.

Only one instance of db.rotateCertificates() or rotateCertificates may run on each mongod or mongos process at a time. Attempting to initiate a second instance while one is already running will result in an error.

Incorrect, expired, revoked, or missing certificate files will cause the certificate rotation to fail, but will not invalidate the existing TLS configuration or terminate the running mongod or mongos process.不正确、过期、吊销或丢失的证书文件将导致证书轮换失败,但不会使现有的TLS配置无效或终止正在运行的mongodmongos进程。

If the mongod or mongos is running with --tlsCertificateSelector set to thumbprint, rotateCertificates will fail and write a warning message to the log file.如果mongodmongos在运行时将--tlsCertificateSelector设置为thumbprintrotateCertificates将失败并在日志文件中写入警告消息。

Logging日志记录

On successful rotation, the subject names, thumbprints, and the validity period of the server and cluster certificate thumbprints are logged to the configured log destination. 成功轮换后,主题名称、指纹以及服务器和群集证书指纹的有效期将记录到配置的日志目标中。If auditing is enabled, this information is also written to the audit log.如果启用了审核,此信息也会写入审核日志。

On Linux and Windows platforms, if a CRL file is present, its thumbprint and validity period are also logged to these locations.在Linux和Windows平台上,如果存在CRL file,其指纹和有效期也会记录到这些位置。

Required Access所需访问权限

You must have the rotateCertificates action in order to use the rotateCertificates command. 您必须执行rotateCertificates操作才能使用rotateCertificates命令。The rotateCertificates action is part of the hostManager role.rotateCertificates操作是hostManager角色的一部分。

Example示例

The following operation rotates the certificates on a running mongod instance, after having made the appropriate updates to the configuration file to specify the updated certificate information:在对配置文件进行了适当的更新以指定更新的证书信息后,以下操作将轮换正在运行的mongod实例上的证书:

db.adminCommand( { rotateCertificates: 1 } )

The following performs the same as above, but also writes a custom log message at rotation time to the log file and audit file:以下操作与上述操作相同,但也会在轮换时将自定义日志消息写入日志文件审核文件

db.adminCommand( { rotateCertificates: 1, message: "Rotating certificates" } )