How to Enable TLS/SSL on MongoDB

Learn how use TLS/SSL in-flight encryption to authenticate and encrypt connections between your MongoDB server and apps.

Stampery Inc.
Mongoaudit — the mongoaudit guides
3 min read, Jan 30, 2017

These instructions assume that you have already installed a build of MongoDB that includes TLS support and that your client driver supports TLS. Please read this guide for instructions on how to upgrade to a TLS-enabled MongoDB version.

About certificate authorities

Your production MongoDB deployments should always use valid certificates generated by a certificate authority. You can get a free, full-fledged TLS certificate for your server signed by Let’s Encrypt using EFF’s Certbot tool.

Self-signed certificates encrypt communications, but provide no validation of server identity. Although they prevent eavesdropping, they leave you vulnerable to man-in-the-middle attacks. Only certificates signed by a trusted certificate authority will allow MongoDB drivers to verify the server’s identity. In general, avoid using self-signed certificates.

Enabling TLS on a “MongoDB as a service” cloud provider

Enabling TLS on a self-hosted or self-managed MongoDB server

Open /etc/mongod.conf with your favorite code editor and make sure it contains the following lines:

net:
  ssl:
    mode: requireSSL
    PEMKeyFile: <route-to-cert-file>
    CAFile: <route-to-ca-file>

If you can’t find mongod.conf, or it is named mongodb.conf instead, you are running a very old and unsupported version of MongoDB. Please read this guide on how to upgrade to a more recent version.

Replace <route-to-cert-file> with the path of the .pem file that contains the signed TLS certificate together with its private key, e.g. /etc/ssl/mongodb.pem.

Also replace <route-to-ca-file> with the path of the .pem file that contains the root certificate chain of the certificate authority, e.g. /etc/ssl/ca.pem.

Now you are ready to save the configuration file and restart mongod:

$ sudo service mongodb restart
[ ok ] Restarting database: mongod.
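Before restarting, it is worth checking that the configuration and the PEM files actually match what the guide asks for: `mode` must be `requireSSL`, the PEMKeyFile must contain both the certificate and its private key, and the CAFile must contain certificates only. The checker below is an added example written for this guide, not code from mongoaudit or MongoDB; the config parser handles only the indented `key: value` layout shown above, and the PEM bodies are constructed placeholders.

```python
import re

# MongoDB expects PEMKeyFile to hold the server certificate *and* its private key
# concatenated; CAFile holds only the CA chain. Forgetting the key is a common slip.
CERT_MARKER = "-----BEGIN CERTIFICATE-----"
KEY_MARKER = re.compile(r"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")

def parse_mongod_conf(text):
    """Flatten the indented 'key: value' subset of mongod.conf into dotted keys."""
    result, stack = {}, []          # stack of (indent, key) for open sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key])
        if value.strip():
            result[path] = value.strip()
        else:
            stack.append((indent, key))
    return result

def audit_tls(conf_text, files):
    """Return findings (empty list = matches the guide). `files` maps path -> contents."""
    conf, findings = parse_mongod_conf(conf_text), []
    mode = conf.get("net.ssl.mode")
    if mode != "requireSSL":
        findings.append(f"net.ssl.mode is {mode!r}; plaintext connections still accepted")
    pem = files.get(conf.get("net.ssl.PEMKeyFile"), "")
    if CERT_MARKER not in pem:
        findings.append("PEMKeyFile missing or has no certificate")
    if not KEY_MARKER.search(pem):
        findings.append("PEMKeyFile has no private key (cert and key must be concatenated)")
    ca = files.get(conf.get("net.ssl.CAFile"), "")
    if CERT_MARKER not in ca:
        findings.append("CAFile missing or has no certificate; client certs cannot be verified")
    elif KEY_MARKER.search(ca):
        findings.append("CAFile contains a private key; it should hold only CA certificates")
    return findings

# Constructed sample inputs (placeholder PEM bodies, not real key material).
FAKE_CERT = CERT_MARKER + "\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n"
GOOD_CONF = "net:\n  ssl:\n    mode: requireSSL\n    PEMKeyFile: /etc/ssl/mongodb.pem\n    CAFile: /etc/ssl/ca.pem\n"
GOOD_FILES = {"/etc/ssl/mongodb.pem": FAKE_CERT + FAKE_KEY, "/etc/ssl/ca.pem": FAKE_CERT}
WEAK_CONF = GOOD_CONF.replace("requireSSL", "allowSSL")          # plaintext still allowed
WEAK_FILES = {"/etc/ssl/mongodb.pem": FAKE_CERT, "/etc/ssl/ca.pem": FAKE_CERT}  # key forgotten
```

Calling `audit_tls(GOOD_CONF, GOOD_FILES)` returns an empty list, while the weak variant reports both the `allowSSL` mode and the missing private key; on a real host, read the file contents from the paths named in mongod.conf instead of the constructed dictionaries.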

IMPORTANT: Keep reading this guide to learn how to configure TLS in the mongo client and in the official drivers.

Using TLS with the mongo shell

Remember that from now on, to connect to your MongoDB server with the mongo client, you will need to pass some additional flags:

$ mongo --ssl --sslCAFile /etc/ssl/ca.pem --sslPEMKeyFile /etc/ssl/client.pem --host host.example.com
  • --ssl enables TLS channel encryption.
  • --sslPEMKeyFile is the path to the client certificate — which needs to be signed by the server certificate.
  • --sslCAFile is the path to the root certificate of the Certification Authority (CA) that signed the server certificate. From MongoDB 3.2.6, this parameter is optional, and if not specified, the client will check the certificate against the system CA store.
  • --host (optional) verifies that the hostname of the server matches the one in the certificate it presents.

Using TLS with the official MongoDB drivers

Note that enforcing TLS this way means that every connection to the server must present a valid client certificate, including connections made from the official MongoDB drivers.

Here you have further instructions on how to enable TLS on the different MongoDB official drivers:
