{"id":38825,"date":"2025-11-10T09:00:00","date_gmt":"2025-11-10T08:00:00","guid":{"rendered":"https:\/\/www.dbi-services.com\/blog\/?p=38825"},"modified":"2025-12-23T19:56:43","modified_gmt":"2025-12-23T18:56:43","slug":"setting-up-tls-encryption-and-authentication-in-mongodb","status":"publish","type":"post","link":"https:\/\/www.dbi-services.com\/blog\/setting-up-tls-encryption-and-authentication-in-mongodb\/","title":{"rendered":"Setting up TLS encryption and authentication in MongoDB"},"content":{"rendered":"\n<p>When <strong>securing a MongoDB deployment<\/strong>, protecting sensitive data is paramount. MongoDB supports encryption <strong>throughout the lifecycle<\/strong> of the data, with three primary types of data encryption :<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Encryption <strong>in transit<\/strong><\/li>\n\n\n\n<li>Encryption <strong>at rest<\/strong><\/li>\n\n\n\n<li>Encryption <strong>in use<\/strong><\/li>\n<\/ul>\n\n\n\n<p><br>Among these, <strong>encryption in transit<\/strong> is fundamental : it protects data as it moves between your application and the database. In MongoDB, this is achieved through <strong>TLS (Transport Layer Security)<\/strong>, which ensures that communication remains private and secure. You have two options when it comes to using TLS for your database :<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Using TLS for <strong>encryption<\/strong> only.<\/li>\n\n\n\n<li>Using TLS both for <strong>encryption<\/strong> and <strong>authentication<\/strong> to the database.<\/li>\n<\/ul>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-setting-up-tls-for-encryption\">Setting up TLS for encryption<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-create-a-certificate-authority\">Create a Certificate Authority<\/h3>\n\n\n\n<p>We&#8217;ll first create a <strong>Certificate Authority<\/strong>. 
These certificates will be self-signed, which is fine for testing, but <strong>you shouldn&#8217;t use self-signed certificates in a production environment !<\/strong> On Linux, use the <code>openssl<\/code> library to generate the certificates.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>openssl req -newkey rsa:4096 -nodes -x509 -days 365 -keyout ca.key -out ca.pem -subj \"\/C=CH\/ST=ZH\/L=Zurich\/O=dbi\/OU=MongoDBA\/CN=vm.domain.com\"<\/code><\/pre>\n\n\n\n<p>Here is a description of some important parameters of the commands :<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>-newkey rsa:4096<\/code> : Generates a new private key and a certificate request using RSA with a 4096-bit key size.<\/li>\n\n\n\n<li><code>-nodes<\/code> : Skips password encryption of the private key. Without it, OpenSSL would prompt you to set a passphrase.<\/li>\n\n\n\n<li><code>-x509<\/code> : Generates a self-signed certificate. <code>x509<\/code> is supported by MongoDB.<\/li>\n\n\n\n<li><code>-days 365<\/code> : Validity of the certificate in days.<\/li>\n\n\n\n<li><code>-keyout ca.key<\/code> : Filename for the private key.<\/li>\n\n\n\n<li><code>-out ca.pem<\/code> : Filename for the certificate.<\/li>\n\n\n\n<li><code>-subj \"...\"<\/code> : Provides the subject&#8217;s Distinguished Name (DN). If you don&#8217;t specify it, OpenSSL will prompt for each field.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-create-a-server-certificate\">Create a Server Certificate<\/h3>\n\n\n\n<p>Then, we&#8217;ll create the server certificate for the MongoDB instance. 
In the <code>openssl-server.cnf<\/code> file below, you should update the <code>req_distinguished_name<\/code> fields with what you used while creating the Certificate Authority, and replace <code>vm.domain.com<\/code> with the name of your machine.<\/p>\n\n\n\n<p>If you only have an IP and no DNS entry for your VM, use <code>IP.1<\/code> instead of <code>DNS.1<\/code> in the <code>alt_names<\/code> section.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat &gt; openssl-server.cnf &lt;&lt;EOF\n&#091; req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\nprompt = no\n\n&#091; req_distinguished_name ]\nC = CH\nST = ZH\nL = Zurich\nO = dbi\nOU = MongoDBA\n<strong>CN = myVM\n<\/strong>\n&#091; v3_req ]\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = @alt_names\n\n&#091; alt_names ]\n<strong>DNS.1 = myVM\n<\/strong>EOF<\/code><\/pre>\n\n\n\n<p>Then, generate the certificate with these commands :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>openssl req -newkey rsa:4096 -nodes -keyout mongodb-server.key -out mongodb-server.csr -config openssl-server.cnf\n\nopenssl x509 -req -in mongodb-server.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out mongodb-server.crt -days 365 -extensions v3_req -extfile openssl-server.cnf\n\ncat mongodb-server.key mongodb-server.crt &gt; mongodb-server.pem<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-create-a-client-certificate\">Create a Client Certificate<\/h3>\n\n\n\n<p>Finally, we&#8217;ll create a client certificate. The process is the same, with a few tweaks :<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>OU<\/code> should be different from the one in the server certificate. 
It is not mandatory for the communication, but it will be for the authentication if you decide to enable it.<\/li>\n\n\n\n<li><code>CN<\/code> should also be different.<\/li>\n\n\n\n<li><code>extendedKeyUsage<\/code> should be set with <code>clientAuth<\/code> instead of <code>serverAuth<\/code>.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>cat &gt; openssl-client.cnf &lt;&lt;EOF\n&#091; req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\nprompt = no\n\n&#091; req_distinguished_name ]\nC = CH\nST = ZH\nL = Zurich\nO = dbi\n<strong>OU = MongoDBAClient\nCN = userApp\n<\/strong>\n&#091; v3_req ]\nkeyUsage = digitalSignature, keyEncipherment\n<strong>extendedKeyUsage = clientAuth\n<\/strong>EOF<\/code><\/pre>\n\n\n\n<p>The creation of the certificate is the same.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>openssl req -newkey rsa:4096 -nodes -keyout mongodb-client.key -out mongodb-client.csr -config openssl-client.cnf\n\nopenssl x509 -req -in mongodb-client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out mongodb-client.crt -days 365 -extensions v3_req -extfile openssl-client.cnf\n\ncat mongodb-client.key mongodb-client.crt &gt; mongodb-client.pem<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-mongodb-configuration-change\">MongoDB Configuration Change<\/h3>\n\n\n\n<p>Make sure to set permissions correctly for your certificates.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>chmod 600 ca.pem mongodb-server.pem mongodb-client.pem\nchown mongod: ca.pem mongodb-server.pem mongodb-client.pem<\/code><\/pre>\n\n\n\n<p>Now, you can change your MongoDB configuration file to include the certificates. 
Simply add the <code>net.tls<\/code> part to your <code>mongod.conf<\/code> file.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>net:\n  bindIp: yourIP\n  port: 27017\n  <strong>tls:\n    mode: requireTLS\n    certificateKeyFile: \/path\/to\/mongodb-server.pem\n    CAFile: \/path\/to\/ca.pem<\/strong><\/code><\/pre>\n\n\n\n<p>You can now restart your MongoDB instance with <code>systemctl restart mongod<\/code> (or whatever you&#8217;re using), and then try connecting to your instance from your client. Of course, the port mentioned in the <code>net.port<\/code> field of your configuration file shouldn&#8217;t be blocked by your firewall.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&gt; mongosh --host myVM --port 27017 --tls --tlsCertificateKeyFile mongodb-client.pem --tlsCAFile ca.pem\nCurrent Mongosh Log ID:\t682c9641bbe4593252ee7c8c\nConnecting to:\t\tmongodb:\/\/vmIP:27017\/?directConnection=true&amp;tls=true&amp;tlsCertificateKeyFile=Fclient.pem&amp;tlsCAFile=ca.pem&amp;appName=mongosh+2.5.1\nUsing MongoDB:\t\t8.0.9\nUsing Mongosh:\t\t2.5.1\n\nFor mongosh info see: https:\/\/www.mongodb.com\/docs\/mongodb-shell\/\n\ntest&gt;<\/code><\/pre>\n\n\n\n<p>You&#8217;re now connected to your MongoDB instance through TLS ! And if you&#8217;re not using the certificate, the <code>requireTLS<\/code> mode prevents the connection from being established, and generates these error messages in your logs :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>{\"t\":{\"$date\":\"2025-05-21T04:43:55.277+00:00\"},\"s\":\"I\",  \"c\":\"EXECUTOR\", \"id\":22988,   \"ctx\":\"conn52\",\"msg\":\"Error receiving request from client. 
Ending connection from remote\",\"attr\":{\"error\":{\"code\":141,\"codeName\":\"SSLHandshakeFailed\",\"errmsg\":\"<strong>The server is configured to only allow SSL connections<\/strong>\"},\"remote\":\"IP:50100\",\"connectionId\":52}}<\/code><\/pre>\n\n\n\n<p><em>If you want to learn more about MongoDB logs, I wrote a blog on this topic: <a href=\"https:\/\/www.dbi-services.com\/blog\/mongodb-log-analysis-a-comprehensive-guide\/\">MongoDB Log Analysis : A Comprehensive Guide<\/a>.<\/em><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-setting-up-tls-authentication\">Setting up TLS authentication<\/h2>\n\n\n\n<p>Now that you&#8217;re connected, we will set up authentication so that you can be connected as a specific user to MongoDB. Using the already established connection, create a user in the <code>$external<\/code> database. Each client certificate that you create can be mapped to one MongoDB user. Retrieve the username that you will use :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&gt; openssl x509 -in mongodb-client.pem -inform PEM -subject -nameopt RFC2253 | grep subject\nsubject=<strong>CN=userApp,OU=MongoDBA,O=dbi,L=Zurich,ST=ZH,C=CH<\/strong><\/code><\/pre>\n\n\n\n<p>And then create the user in the <code>$external<\/code> database, using the existing MongoDB connection :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>test&gt; db.getSiblingDB(\"$external\").runCommand({\n  createUser: \"<strong>CN=userApp,OU=MongoDBA,O=dbi,L=Zurich,ST=ZH,C=CH<\/strong>\",\n  roles: &#091;\n    { role: \"userAdminAnyDatabase\", db: \"admin\" }\n  ]\n});<\/code><\/pre>\n\n\n\n<p>To check that everything works as intended, you can try to display collections in the <code>admin<\/code> database. 
For the moment, there is no error because you have all the rights to do it (no authorization is enforced).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>test&gt; use admin\nswitched to db admin\nadmin&gt; show collections;\nsystem.users\nsystem.version<\/code><\/pre>\n\n\n\n<p>You can now edit the MongoDB configuration file by adding the <code>net.tls.allowConnectionsWithoutCertificates<\/code> set to <code>true<\/code>, and the <code>security.authorization<\/code> flag set to <code>enabled<\/code>. The <code>mongod.conf<\/code> file should look like this :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>net:\n  bindIp: X.X.X.X\n  port: XXXXX\n  tls:\n    mode: requireTLS\n    certificateKeyFile: \/path\/to\/mongodb-server.pem\n    CAFile: \/path\/to\/ca.pem\n<strong>    allowConnectionsWithoutCertificates: false\n<\/strong>\n<strong>security:\n  authorization: enabled<\/strong><\/code><\/pre>\n\n\n\n<p>After restarting with <code>systemctl restart mongod<\/code>, you can now connect again. 
If you use the same command as before, you will log in without authentication, and get the error below whenever you try to do anything :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>MongoServerError&#091;Unauthorized]: Command listCollections requires authentication<\/code><\/pre>\n\n\n\n<p>So you should now connect via this command :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mongosh --host vmIP --port 27017 --tls --tlsCertificateKeyFile mongodb-client.pem --tlsCAFile ca.pem --authenticationDatabase '$external' --authenticationMechanism MONGODB-X509<\/code><\/pre>\n\n\n\n<p>If you want to show the <code>admin<\/code> collections, you will now get an error, because your user only has the <code>userAdminAnyDatabase<\/code> role granted (this role was chosen during the user creation, see above).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>admin&gt; show collections\nMongoServerError&#091;Unauthorized]: not authorized on admin to execute command { listCollections: 1, filter: {}, cursor: {}, nameOnly: true, authorizedCollections: false, lsid: { id: UUID(\"9c48b4c4-7702-49ce-a97c-52763b2ad6b3\") }, $db: \"admin\" }<\/code><\/pre>\n\n\n\n<p>But it&#8217;s fine, you can grant yourself more roles (<code>readWriteAnyDatabase<\/code>, for instance) and create new users if you want.<\/p>\n\n\n\n<p>The <strong>communication between the client and the server is now fully secured<\/strong>. Congratulations !<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-mongoservererror-badvalue\">MongoServerError[BadValue]<\/h4>\n\n\n\n<p><em>Side note<\/em> : if you ever encounter this error:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>MongoServerError&#091;BadValue]: Cannot create an x.509 user with a subjectname that would be recognized as an internal cluster member<\/code><\/pre>\n\n\n\n<p>&#8230; make sure to follow the <a href=\"https:\/\/www.ietf.org\/rfc\/rfc2253.txt\">RFC-2253<\/a> standards. 
For instance, you could have this error if one of the fields is too long. Also, as a reminder, the client certificate should have a different Distinguished Name (DN) than the server certificate (see <a href=\"https:\/\/www.mongodb.com\/docs\/manual\/core\/security-x.509\/\">documentation<\/a> for more information).<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>When securing a MongoDB deployment, protecting sensitive data is paramount. MongoDB supports encryption throughout the lifecycle of the data, with three primary types of data encryption : Among these, encryption in transit is fundamental : it protects data as it moves between your application and the database. In MongoDB, this is achieved through TLS (Transport [&hellip;]<\/p>\n","protected":false},"author":152,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[229,198,3788,1739,149],"tags":[995,3724,1228,447,3690,1153,2211,3725],"type_dbi":[],"class_list":["post-38825","post","type-post","status-publish","format-standard","hentry","category-database-administration-monitoring","category-database-management","category-mongodb","category-nosql","category-security","tag-authentication","tag-authenticationdatabase","tag-authorization","tag-encryption","tag-mongoservererror","tag-openssl","tag-tls","tag-tlscertificatekeyfile"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.2 (Yoast SEO v27.4) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Setting up TLS encryption and authentication in MongoDB - dbi Blog<\/title>\n<meta name=\"description\" content=\"Guiding you through setting up TLS encryption and authentication in any recent version of MongoDB, to secure connections between your database and your application.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, 
max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.dbi-services.com\/blog\/setting-up-tls-encryption-and-authentication-in-mongodb\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Setting up TLS encryption and authentication in MongoDB\" \/>\n<meta property=\"og:description\" content=\"Guiding you through setting up TLS encryption and authentication in any recent version of MongoDB, to secure connections between your database and your application.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.dbi-services.com\/blog\/setting-up-tls-encryption-and-authentication-in-mongodb\/\" \/>\n<meta property=\"og:site_name\" content=\"dbi Blog\" \/>\n<meta property=\"article:published_time\" content=\"2025-11-10T08:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-12-23T18:56:43+00:00\" \/>\n<meta name=\"author\" content=\"Julien Delattre\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Julien Delattre\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/setting-up-tls-encryption-and-authentication-in-mongodb\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/setting-up-tls-encryption-and-authentication-in-mongodb\\\/\"},\"author\":{\"name\":\"Julien Delattre\",\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/#\\\/schema\\\/person\\\/764ab019cc9dec42655b4c6b9b8e474e\"},\"headline\":\"Setting up TLS encryption and authentication in MongoDB\",\"datePublished\":\"2025-11-10T08:00:00+00:00\",\"dateModified\":\"2025-12-23T18:56:43+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/setting-up-tls-encryption-and-authentication-in-mongodb\\\/\"},\"wordCount\":794,\"commentCount\":0,\"keywords\":[\"Authentication\",\"authenticationdatabase\",\"Authorization\",\"encryption\",\"mongoservererror\",\"OpenSSL\",\"TLS\",\"tlscertificatekeyfile\"],\"articleSection\":[\"Database Administration &amp; Monitoring\",\"Database management\",\"MongoDB\",\"NoSQL\",\"Security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/setting-up-tls-encryption-and-authentication-in-mongodb\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/setting-up-tls-encryption-and-authentication-in-mongodb\\\/\",\"url\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/setting-up-tls-encryption-and-authentication-in-mongodb\\\/\",\"name\":\"Setting up TLS encryption and authentication in MongoDB - dbi 
Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/#website\"},\"datePublished\":\"2025-11-10T08:00:00+00:00\",\"dateModified\":\"2025-12-23T18:56:43+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/#\\\/schema\\\/person\\\/764ab019cc9dec42655b4c6b9b8e474e\"},\"description\":\"Guiding you through setting up TLS encryption and authentication in any recent version of MongoDB, to secure connections between your database and your application.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/setting-up-tls-encryption-and-authentication-in-mongodb\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/setting-up-tls-encryption-and-authentication-in-mongodb\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/setting-up-tls-encryption-and-authentication-in-mongodb\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Setting up TLS encryption and authentication in MongoDB\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/\",\"name\":\"dbi Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/#\\\/schema\\\/person\\\/764ab019cc9dec42655b4c6b9b8e474e\",\"name\":\"Julien 
Delattre\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/a97d00e680bbf237126e24b65281cbcb66cd20bd1ed2d14bf928991b2bf68eb5?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/a97d00e680bbf237126e24b65281cbcb66cd20bd1ed2d14bf928991b2bf68eb5?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/a97d00e680bbf237126e24b65281cbcb66cd20bd1ed2d14bf928991b2bf68eb5?s=96&d=mm&r=g\",\"caption\":\"Julien Delattre\"},\"url\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/author\\\/juliendelattre\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Setting up TLS encryption and authentication in MongoDB - dbi Blog","description":"Guiding you through setting up TLS encryption and authentication in any recent version of MongoDB, to secure connections between your database and your application.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.dbi-services.com\/blog\/setting-up-tls-encryption-and-authentication-in-mongodb\/","og_locale":"en_US","og_type":"article","og_title":"Setting up TLS encryption and authentication in MongoDB","og_description":"Guiding you through setting up TLS encryption and authentication in any recent version of MongoDB, to secure connections between your database and your application.","og_url":"https:\/\/www.dbi-services.com\/blog\/setting-up-tls-encryption-and-authentication-in-mongodb\/","og_site_name":"dbi Blog","article_published_time":"2025-11-10T08:00:00+00:00","article_modified_time":"2025-12-23T18:56:43+00:00","author":"Julien Delattre","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Julien Delattre","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.dbi-services.com\/blog\/setting-up-tls-encryption-and-authentication-in-mongodb\/#article","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/setting-up-tls-encryption-and-authentication-in-mongodb\/"},"author":{"name":"Julien Delattre","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/764ab019cc9dec42655b4c6b9b8e474e"},"headline":"Setting up TLS encryption and authentication in MongoDB","datePublished":"2025-11-10T08:00:00+00:00","dateModified":"2025-12-23T18:56:43+00:00","mainEntityOfPage":{"@id":"https:\/\/www.dbi-services.com\/blog\/setting-up-tls-encryption-and-authentication-in-mongodb\/"},"wordCount":794,"commentCount":0,"keywords":["Authentication","authenticationdatabase","Authorization","encryption","mongoservererror","OpenSSL","TLS","tlscertificatekeyfile"],"articleSection":["Database Administration &amp; Monitoring","Database management","MongoDB","NoSQL","Security"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.dbi-services.com\/blog\/setting-up-tls-encryption-and-authentication-in-mongodb\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.dbi-services.com\/blog\/setting-up-tls-encryption-and-authentication-in-mongodb\/","url":"https:\/\/www.dbi-services.com\/blog\/setting-up-tls-encryption-and-authentication-in-mongodb\/","name":"Setting up TLS encryption and authentication in MongoDB - dbi Blog","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/#website"},"datePublished":"2025-11-10T08:00:00+00:00","dateModified":"2025-12-23T18:56:43+00:00","author":{"@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/764ab019cc9dec42655b4c6b9b8e474e"},"description":"Guiding you through setting up TLS encryption and authentication in any recent version of MongoDB, to secure connections between your database and your 
application.","breadcrumb":{"@id":"https:\/\/www.dbi-services.com\/blog\/setting-up-tls-encryption-and-authentication-in-mongodb\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.dbi-services.com\/blog\/setting-up-tls-encryption-and-authentication-in-mongodb\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.dbi-services.com\/blog\/setting-up-tls-encryption-and-authentication-in-mongodb\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.dbi-services.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Setting up TLS encryption and authentication in MongoDB"}]},{"@type":"WebSite","@id":"https:\/\/www.dbi-services.com\/blog\/#website","url":"https:\/\/www.dbi-services.com\/blog\/","name":"dbi Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/764ab019cc9dec42655b4c6b9b8e474e","name":"Julien Delattre","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/a97d00e680bbf237126e24b65281cbcb66cd20bd1ed2d14bf928991b2bf68eb5?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/a97d00e680bbf237126e24b65281cbcb66cd20bd1ed2d14bf928991b2bf68eb5?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/a97d00e680bbf237126e24b65281cbcb66cd20bd1ed2d14bf928991b2bf68eb5?s=96&d=mm&r=g","caption":"Julien 
Delattre"},"url":"https:\/\/www.dbi-services.com\/blog\/author\/juliendelattre\/"}]}},"_links":{"self":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/38825","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/users\/152"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/comments?post=38825"}],"version-history":[{"count":31,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/38825\/revisions"}],"predecessor-version":[{"id":41666,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/38825\/revisions\/41666"}],"wp:attachment":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/media?parent=38825"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/categories?post=38825"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/tags?post=38825"},{"taxonomy":"type","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/type_dbi?post=38825"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}