Use x.509 Certificate for Membership Authentication
MongoDB supports x.509 certificate authentication for use with a secure TLS/SSL connection. Sharded cluster members and replica set members can use x.509 certificates to verify their membership in the cluster or the replica set instead of using keyfiles. Membership authentication is an internal process between the members.
Starting in version 4.0, MongoDB disables support for TLS 1.0 encryption on systems where TLS 1.1+ is available. For more details, see Disable TLS 1.0.
Enabling internal authentication also enables Role-Based Access Control. Clients must authenticate as a user in order to connect and perform operations in the deployment.
- See the Manage Users and Roles tutorial for instructions on adding users to the deployment.
- See the Use x.509 Certificates to Authenticate Clients tutorial for instructions on using x.509 certificates for user authentication.
A full description of TLS/SSL, PKI (Public Key Infrastructure) certificates, in particular x.509 certificates, and Certificate Authority is beyond the scope of this document. This tutorial assumes prior knowledge of TLS/SSL as well as access to valid x.509 certificates.
Member x.509 Certificate
You must have valid x.509 certificates.
- Starting in MongoDB 4.0, if you specify net.ssl.allowInvalidCertificates: true (or, in MongoDB 4.2, net.tls.allowInvalidCertificates: true) when using x.509 authentication, an invalid certificate is only sufficient to establish a TLS/SSL connection but is insufficient for
- A single Certificate Authority (CA) must issue all the x.509 certificates for the members of a sharded cluster or a replica set.
- The Distinguished Name (DN), found in the member certificate's subject, must specify a non-empty value for at least one of the following attributes: Organization (O), the Organizational Unit (OU) or the Domain Component (DC).
- The Organization attributes (
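The following script is an added example and is not part of the MongoDB documentation or of MongoDB itself. It assumes a POSIX sh and the openssl CLI; the hostnames, the output paths under /etc/mongo and the subject values (Example Corp, example.com) are made up. It does two things the requirements above call for: dn_has_org_attr checks a subject DN in the string form that `openssl x509 -subject -nameopt RFC2253` prints for a non-empty O, OU or DC attribute, and make_cluster_certs issues one CA and one key+certificate PEM per member from that single CA, runs both checks on each result, and writes a mongod.conf fragment using the net.tls.* option names from 4.2 (4.0 uses the net.ssl.* equivalents mentioned above).

```shell
#!/bin/sh
# Added example, not MongoDB's own code or documentation. Assumes the
# openssl CLI and POSIX sh; hostnames, paths and subject values are made up.

# Return 0 if the DN (RFC 4514 string form) has a non-empty O, OU or DC.
dn_has_org_attr() {
  # Escaped commas inside a value (e.g. "O=Acme\, Inc") must not split the
  # RDN: replace them with a marker first, then drop spaces after separators.
  dn=$(printf '%s\n' "$1" | sed -e 's/\\,/__COMMA__/g' -e 's/, */,/g')
  old_ifs=$IFS
  set -f                      # no globbing while word-splitting on commas
  IFS=,
  found=1
  for rdn in $dn; do
    case "$rdn" in *=*) ;; *) continue ;; esac   # skip malformed pieces
    attr=${rdn%%=*}
    value=${rdn#*=}
    case "$attr" in
      O|OU|DC) [ -n "$value" ] && found=0 ;;
    esac
  done
  IFS=$old_ifs
  set +f
  return $found
}

# Print the subject of a PEM certificate in RFC 4514 form, ready for
# dn_has_org_attr. Older openssl versions print "subject= CN=..." with a space.
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# make_cluster_certs OUTDIR HOST... : one CA, one member PEM per host.
make_cluster_certs() {
  out=$1; shift
  mkdir -p "$out"
  # A single CA for the whole cluster: every member certificate chains to it.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$out/ca.key" -out "$out/ca.pem" \
    -subj "/DC=com/DC=example/O=Example Corp/OU=Cluster CA/CN=Example Cluster CA"
  for host in "$@"; do
    # Member subject: O, OU and DC all set; only the CN differs per host.
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$out/$host.key" -out "$out/$host.csr" \
      -subj "/DC=com/DC=example/O=Example Corp/OU=MongoDB Cluster/CN=$host"
    openssl x509 -req -days 365 -in "$out/$host.csr" \
      -CA "$out/ca.pem" -CAkey "$out/ca.key" -CAcreateserial -out "$out/$host.crt"
    # mongod expects the private key and the certificate in one PEM file.
    cat "$out/$host.key" "$out/$host.crt" > "$out/$host.pem"
    # Check both requirements before deploying: issued by the cluster CA,
    # and a subject carrying a non-empty O, OU or DC.
    openssl verify -CAfile "$out/ca.pem" "$out/$host.crt"
    subj=$(cert_subject "$out/$host.crt")
    dn_has_org_attr "$subj" || { echo "$host: subject lacks O/OU/DC: $subj" >&2; return 1; }
    # Config fragment (4.2 option names); paths are where the PEMs are deployed.
    cat > "$out/$host.conf" <<EOF
net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/mongo/$host.pem
    CAFile: /etc/mongo/ca.pem
    clusterFile: /etc/mongo/$host.pem
security:
  clusterAuthMode: x509
EOF
  done
}

# Usage: sh membership-certs.sh generate ./out mongo1 mongo2 mongo3
if [ "${1:-}" = generate ]; then
  shift
  make_cluster_certs "$@"
fi
```

Run with `generate` to produce the files; without arguments the script only defines the functions, so dn_has_org_attr can be sourced and used on its own, for example against the output of cert_subject for an existing certificate. The check deliberately rejects an attribute that is present but empty (`O=`), which is the case the requirement above singles out.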