
MongoDB Notes


Authentication with X.509 Certificates


Mongo Authentication - Replica Set


In this procedure, you will configure a MongoDB replica set with three members to use X.509 certificates for both client and internal (cluster member) authentication. X.509 authentication is the most secure method available to the Community Edition of MongoDB.




A .PEM file for each client containing the private key and certificate for the client.

A .PEM file containing the private key and certificate for each server. (One shared file for all servers can be used, but this is not the best approach: a compromised key then affects every member.)

The certificate for the certificate authority.

The subject (Distinguished Name) of the client certificate. In this example, the subject is:


DC=com,DC=waysysweb,C=US,ST=North Carolina,O=Waysys LLC,OU=MongoDBUser,CN=sadam


The replica set has been configured and a user with root role has been added.




1.Place the three certificate files on their respective servers, in a directory named certs below the directory from which you will run the MongoDB commands.

2.Create three configuration files with the appropriate settings for X.509 authentication. (See the example below.)

3.Start each new member of the replica set with one of these commands, where conf1.yaml, conf2.yaml and conf3.yaml are the configuration files for the respective members:


mongod --auth -f conf1.yaml

mongod --auth -f conf2.yaml

mongod --auth -f conf3.yaml


4.Log in to the first replica set member with this command, run on the same server as that member (the host name was missing from the original; <server-hostname> is a placeholder for it):


mongo --port 31210 --host <server-hostname> --ssl --sslPEMKeyFile certs/client.pem --sslCAFile certs/ca.pem


5.Authenticate as the existing user administrator with these commands:


use admin

db.auth('userAdmin', 'badges')


6.Create a user administrator whose user name is the subject of the client certificate. X.509 users live in the $external database, so the command is run against that database:


db.getSiblingDB("$external").runCommand({
    createUser: "DC=com,DC=waysysweb,C=US,ST=North Carolina,O=Waysys LLC,OU=MongoDBUser,CN=sadam",
    roles: [{role: 'userAdminAnyDatabase', db: 'admin'}]
})

7.Authenticate with this command, using the subject in the client certificate as the user name and the MONGODB-X509 mechanism (again against the $external database):


var user = {user: 'DC=com,DC=waysysweb,C=US,ST=North Carolina,O=Waysys LLC,OU=MongoDBUser,CN=sadam',
            mechanism: 'MONGODB-X509'}

db.getSiblingDB('$external').auth(user)
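The subject used in steps 6 and 7 must satisfy rules that mongod enforces when clusterAuthMode is x509 but that these notes do not spell out: a client (user) certificate must differ from the cluster member (server) certificates in at least one of the O, OU or DC attributes, and all member certificates must carry the same O, OU and DC. The script below, added here as an example and not part of the original notes, parses subjects in the RFC 2253 form MongoDB expects and checks both rules before you spend time debugging a failed auth. The server subjects in it are constructed values; only the client subject comes from the page. It runs under node or a modern mongo shell.

```javascript
// Added example (not from the original notes): check X.509 subjects against
// MongoDB's certificate rules before creating users or starting members.
//  - client subject must differ from a member subject in O, OU or DC
//  - every member subject must agree on O, OU and DC

// Split "DC=com,DC=waysysweb,...,CN=sadam" into [attribute, value] pairs,
// honouring backslash-escaped commas inside values (RFC 2253 style).
function parseSubject(dn) {
  const rdns = [];
  let cur = "";
  for (let i = 0; i < dn.length; i++) {
    const ch = dn[i];
    if (ch === "\\" && i + 1 < dn.length) { cur += dn[i + 1]; i++; continue; }
    if (ch === ",") { rdns.push(cur); cur = ""; continue; }
    cur += ch;
  }
  if (cur.length > 0) rdns.push(cur);
  return rdns.map(function (rdn) {
    const eq = rdn.indexOf("=");
    if (eq < 0) throw new Error("malformed RDN: " + rdn);
    return [rdn.slice(0, eq).trim().toUpperCase(), rdn.slice(eq + 1).trim()];
  });
}

// The attributes MongoDB compares when deciding whether two certificates
// belong to the same organisation. DC may repeat, so values are kept in
// order; the serialised form is used as a comparison key.
function orgKey(dn) {
  const keep = { O: [], OU: [], DC: [] };
  for (const [attr, value] of parseSubject(dn)) {
    if (Object.prototype.hasOwnProperty.call(keep, attr)) keep[attr].push(value);
  }
  return JSON.stringify(keep);
}

// true when the client subject may coexist with the member subject
function clientSubjectDiffersFromMember(clientDn, memberDn) {
  return orgKey(clientDn) !== orgKey(memberDn);
}

// true when every member subject agrees on O/OU/DC with the first one
function memberSubjectsConsistent(memberDns) {
  if (memberDns.length === 0) return true;
  const ref = orgKey(memberDns[0]);
  return memberDns.every(function (dn) { return orgKey(dn) === ref; });
}

// One call that reports both checks for a planned replica set layout.
function checkCertificateLayout(clientDn, memberDns) {
  return {
    membersConsistent: memberSubjectsConsistent(memberDns),
    clientDistinct: memberDns.every(function (m) {
      return clientSubjectDiffersFromMember(clientDn, m);
    })
  };
}

// Client subject from the notes above.
const clientSubject =
  "DC=com,DC=waysysweb,C=US,ST=North Carolina,O=Waysys LLC,OU=MongoDBUser,CN=sadam";

// Constructed member subjects (assumed, not from the page): same O/OU/DC,
// distinct CN per server, and an OU that differs from the client's.
const memberSubjects = [
  "DC=com,DC=waysysweb,C=US,ST=North Carolina,O=Waysys LLC,OU=MongoDBServer,CN=server1",
  "DC=com,DC=waysysweb,C=US,ST=North Carolina,O=Waysys LLC,OU=MongoDBServer,CN=server2",
  "DC=com,DC=waysysweb,C=US,ST=North Carolina,O=Waysys LLC,OU=MongoDBServer,CN=server3"
];

// A client certificate issued with the server OU would be rejected as a
// user certificate because it shares O, OU and DC with the members.
const badClientSubject =
  "DC=com,DC=waysysweb,C=US,ST=North Carolina,O=Waysys LLC,OU=MongoDBServer,CN=bob";

if (typeof require !== "undefined" && require.main === module) {
  console.log(checkCertificateLayout(clientSubject, memberSubjects));
  console.log(checkCertificateLayout(badClientSubject, memberSubjects));
}
```

If clientDistinct comes back false, reissue the client certificate with a different OU (as the notes do with MongoDBUser versus a server OU) rather than changing the member certificates; if membersConsistent is false, one server certificate was issued with a different O, OU or DC and that member will fail internal authentication.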



Example Configuration File



systemLog:
  destination: file
  path: /home/vagrant/data/r0/mongodb.log

storage:
  dbPath: /home/vagrant/data/r0

processManagement:
  fork: true

security:
  clusterAuthMode: x509

net:
  port: 31210
  ssl:
    mode: requireSSL
    CAFile: /home/vagrant/shared/certs/ca.pem
    PEMKeyFile: /home/vagrant/shared/certs/server.pem

replication:
  replSetName: repl




When setting the CAFile and PEMKeyFile values, be sure to use full (absolute) paths, not relative paths. Note that clusterAuthMode: x509 requires net.ssl.mode to be requireSSL and every member to present a certificate signed by the CA in CAFile; with --auth on the command line, user authentication is also enforced.


Related Information


Creating Certificates for MongoDB

Determining the Subject of a Certificate

MongoDB considers X.509 certificates to be an external source. Therefore, X.509 users are created in, and authenticate against, the $external database, not the admin database.

Setting Up a Replica Set and User