Mutual TLS authentication configuration using a self-signed certificate on MongoDB 6.0

I have a question about TLS configuration on MongoDB 6.0. I have a self-signed certificate:

mongodb.pem, includes private key and public key
mongodb.crt, includes only public key.

I also have a key store in the application (client), which also uses the same public key and private key, and I want to set up mutual TLS authentication between the client and the MongoDB server.

In MongoDB 4.2.3, I can start mongod with the command below:

mongod --bind_ip_all --dbpath C:\data\mongodb --wiredTigerCacheSizeGB 1 --tlsMode requireTLS --tlsCertificateKeyFile .\mongodb.pem --tlsCAFile .\mongodb.crt --auth

But in MongoDB 6.0, the above command causes an error on startup:

{"t":{"$date":"2023-10-17T10:54:42.999+08:00"},"s":"I",  "c":"NETWORK",  "id":4915701, "ctx":"-","msg":"Initialized wire specification","attr":{"spec":{"incomingExternalClient":{"minWireVersion":0,"maxWireVersion":17},"incomingInternalClient":{"minWireVersion":0,"maxWireVersion":17},"outgoing":{"minWireVersion":6,"maxWireVersion":17},"isInternalClient":true}}}
{"t":{"$date":"2023-10-17T10:54:43.154+08:00"},"s":"F",  "c":"CONTROL",  "id":20574,   "ctx":"thread1","msg":"Error during global initialization","attr":{"error":{"code":140,"codeName":"InvalidSSLConfiguration","errmsg":"CertAddCertificateContextToStore Failed  The object or property already exists."}}}

But if I remove the --tlsCAFile option, everything looks great:

mongod --bind_ip_all --dbpath C:\data\mongodb --wiredTigerCacheSizeGB 1 --tlsMode requireTLS --tlsCertificateKeyFile .\mongodb.pem  --auth

Is this a limitation of using a self-signed certificate in MongoDB 6.0? Or should we not specify (or is there no need to specify) the tlsCAFile when using a self-signed certificate?


I have the same problem and there is almost no information on this topic anywhere … more specifically, the error “CertAddCertificateContextToStore Failed The object or property already exists.” when you use a self-signed certificate.