Self-managed X.509 certificates provide database users access to the
database deployments in your project. Database users are separate
from Atlas users. Database users have access to MongoDB databases,
while Atlas users have access to the Atlas application itself.
Considerations
If you enable LDAP authorization, you can't connect to your
database deployments with users that authenticate with an
Atlas-managed X.509 certificate.
After you enable LDAP authorization, you can connect to your
database deployments with users that authenticate with a
self-managed X.509 certificate. However, the user's Common Name
in their X.509 certificate must match the Distinguished Name of a user
who is authorized to access your database with LDAP.
You can have both users that authenticate with self-managed
certificates and users that authenticate with Atlas-managed X.509
certificates in the same database.
Prerequisites
To use self-managed X.509 certificates, you must have a Public Key
Infrastructure to integrate with MongoDB Atlas.
Configure a Project to use a Public Key Infrastructure
1. Turn on Self-Managed X.509 Authentication.
   In the Security section of Atlas's left navigation panel, click Advanced.
   Toggle Self-Managed X.509 Authentication to ON.
2. Provide a PEM-encoded Certificate Authority.
View or Modify Self-Managed X.509 Authentication Settings
Add a Database User using Self-Managed X.509 Authentication
1. Open the Add New Database User dialog.
   In the Security section of the left navigation, click Database Access. The Database Users tab displays.
   Click Add New Database User.
2. Select CERTIFICATE.
3. Enter user information.
Field: Distinguished Name
Description: The user's Common Name (CN) and optionally additional Distinguished Name fields (RFC 4514) from the following table:

| Name | Description | Type | Size |
| businesscategory | businessCategory attribute that describes the kinds of business performed by an organization. | | |
| cn | Common names of an object. If the object corresponds to a person, it is typically the person's full name. | StringType | SIZE(1..64) |
| countryofcitizenship | RFC 3039 CountryOfCitizenship attribute that contains the identifier of at least one country of citizenship. Accepts ISO 3166 codes only. | PrintableString | SIZE(2) |
| countryofresidence | RFC 3039 CountryOfResidence attribute that contains the value of at least one country. Accepts ISO 3166 codes only. | PrintableString | SIZE(2) |
| dateofbirth | RFC 3039 DateOfBirth attribute, which specifies the date of birth of the subject. | GeneralizedTime in this format: YYYYMMDD000000Z | |
| dc | domainComponent attribute type that contains a DNS domain name. | StringType | |
| dn | dnQualifier attribute type that contains disambiguating information to add to the relative distinguished name of an entry. | DirectoryString | SIZE(1..64) |
| e | Email address in Verisign certificates. | | |
| emailaddress | emailAddress (RSA PKCS#9 extension) attribute that specifies the electronic-mail address or addresses as an unstructured ASCII string. | IA5String | |
| gender | RFC 3039 Gender attribute that specifies the value of the gender of the subject. Accepts M, F, m, or f. | PrintableString | SIZE(1) |
| generation | generationQualifier attribute type that contains name strings that are typically the suffix part of a person's name. | DirectoryString | SIZE(1..64) |
| givenname | Name strings that are the part of a person's name that is not their surname. | DirectoryString | SIZE(1..64) |
| initials | Initials of some or all of an individual's names, except the surname(s). | DirectoryString | SIZE(1..64) |
| l | localityName attribute that contains names of a locality or place, such as a city, county, or other geographic region. | StringType | SIZE(1..64) |
| name | (id-at-name) Attribute supertype from which user attribute types with the name syntax inherit. | DirectoryString | SIZE(1..64) |
| nameofbirth | ISIS-MTT NameAtBirth attribute that specifies the name of a person at his or her birth. | DirectoryString | SIZE(1..64) |
| o | Name of an organization. | StringType | SIZE(1..64) |
| ou | Name of an organizational unit. | StringType | SIZE(1..64) |
| placeofbirth | RFC 3039 PlaceOfBirth attribute that specifies the value of the place of birth. | DirectoryString | SIZE(1..128) |
| postaladdress | RFC 3039 PostalAddress, which includes the stateOrProvinceName and the localityName attribute types, if present, to store address and geographical information. | Sequence | SIZE (1..6) OF DirectoryString(SIZE(1..30)) |
| postalcode | postalCode attribute that specifies the code used by a postal service to identify a postal service zone. | DirectoryString | SIZE(1..40) |
| pseudonym | RFC 3039 pseudonym attribute that specifies a pseudonym, such as nicknames and names with spelling other than defined by the registered name. | DirectoryString | SIZE(1..64) |
| serialnumber | Device serial number name. | StringType | SIZE(1..64) |
| sn | Device serial number name. | StringType | SIZE(1..64) |
| st | State or province name. | StringType | SIZE(1..64) |
| street | Name of street. | StringType | SIZE(1..64) |
| surname | Naming attributes of type X520name. | DirectoryString | SIZE(1..64) |
| t | Title attribute, which contains the designated position or function of the subject within an organization. | DirectoryString | SIZE(1..64) |
| telephonenumber | id-at-telephoneNumber, which is an internationally agreed-upon format for international telephone numbers. | PrintableString | SIZE(1..32) |
| uid | LDAP User ID. | DirectoryString | |
| uniqueidentifier | Unique identifier for an object. | DirectoryString | |
| unstructuredaddress | PKCS#9 attribute that specifies the address or addresses of a subject as an unstructured directory string. | DirectoryString | |
| unstructuredname | PKCS#9 attribute that specifies the name or names of a subject as an unstructured ASCII string. | DirectoryString | SIZE(1..64) |

For more information on Distinguished Name fields, see RFC 4514.
Example:
CN=Jane Doe,O=MongoDB,C=US
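The Distinguished Name entered above is an RFC 4514 string, and the Considerations section requires the certificate's CN to match the DN of an LDAP-authorized user. The following Python is an added example (not Atlas or MongoDB code) that parses an RFC 4514 DN, checks it against the attribute table and value formats on this page, and produces a canonical form for comparing a certificate subject with an LDAP DN. The attribute list and size limits are transcribed from the table; the `c` (countryName) keyword is an assumption because it appears in the page's example DN but not in its table; the uppercase two-letter check for country codes and the preservation of value case in comparisons are also assumptions, since the page does not state Atlas's exact matching rules.

```python
"""RFC 4514 DN parsing and validation for Atlas self-managed X.509 users.
Added example, not Atlas or MongoDB code."""
import re

# Attribute keywords from the page's table with the maximum length of the
# SIZE(...) constraint (None where the page lists no size).  'c' is not in
# the table but appears in the page's example DN: included as an assumption.
ATLAS_DN_ATTRIBUTES = {
    "businesscategory": None, "c": 2, "cn": 64, "countryofcitizenship": 2,
    "countryofresidence": 2, "dateofbirth": None, "dc": None, "dn": 64,
    "e": None, "emailaddress": None, "gender": 1, "generation": 64,
    "givenname": 64, "initials": 64, "l": 64, "name": 64, "nameofbirth": 64,
    "o": 64, "ou": 64, "placeofbirth": 128, "postaladdress": None,
    "postalcode": 40, "pseudonym": 64, "serialnumber": 64, "sn": 64,
    "st": 64, "street": 64, "surname": 64, "t": 64, "telephonenumber": 32,
    "uid": None, "uniqueidentifier": None, "unstructuredaddress": None,
    "unstructuredname": 64,
}
_SPECIAL = ' ,+"\\<>;=#'  # characters a backslash may escape (RFC 4514 2.4)


def parse_dn(dn):
    """Parse an RFC 4514 string into a list of RDNs, each a list of
    (type, value) pairs with lowercased types and escapes removed.  Handles
    \\X escapes, \\XX hex escapes (UTF-8 bytes) and '+' multi-valued RDNs.
    Raises ValueError on malformed input."""
    rdns, rdn, i, n = [], [], 0, len(dn)
    while True:
        eq = dn.find("=", i)
        if eq < 0:
            raise ValueError("RDN without '='")
        attr_type = dn[i:eq].strip().lower()
        if not re.fullmatch(r"[a-z][a-z0-9-]*|[0-9]+(\.[0-9]+)*", attr_type):
            raise ValueError(f"bad attribute type {dn[i:eq]!r}")
        i = eq + 1
        chunks = []  # (utf-8 bytes, was_escaped)
        while i < n and dn[i] not in ",+":
            if dn[i] != "\\":
                chunks.append((dn[i].encode("utf-8"), False))
                i += 1
            elif i + 1 < n and dn[i + 1] in _SPECIAL:
                chunks.append((dn[i + 1].encode("utf-8"), True))
                i += 2
            elif re.fullmatch(r"[0-9A-Fa-f]{2}", dn[i + 1:i + 3]):
                chunks.append((bytes.fromhex(dn[i + 1:i + 3]), True))
                i += 3
            else:
                raise ValueError(f"bad escape at offset {i}")
        # Unescaped leading/trailing spaces are not part of the value.
        while chunks and chunks[0] == (b" ", False):
            chunks.pop(0)
        while chunks and chunks[-1] == (b" ", False):
            chunks.pop()
        value = b"".join(c for c, _ in chunks).decode("utf-8")
        if not value:
            raise ValueError(f"empty value for {attr_type}")
        rdn.append((attr_type, value))
        if i >= n:
            rdns.append(rdn)
            return rdns
        if dn[i] == ",":  # end of this RDN; '+' continues it
            rdns.append(rdn)
            rdn = []
        i += 1
        if i >= n:
            raise ValueError("trailing separator")


def validate_atlas_dn(dn):
    """Return a list of problems (empty means acceptable): CN required,
    only attributes from the table, sizes, and the page's value formats."""
    try:
        pairs = [pair for rdn in parse_dn(dn) for pair in rdn]
    except ValueError as exc:
        return [f"malformed DN: {exc}"]
    problems = [] if any(t == "cn" for t, _ in pairs) else ["missing required CN"]
    for t, v in pairs:
        if t not in ATLAS_DN_ATTRIBUTES:
            problems.append(f"unsupported attribute type {t!r}")
            continue
        max_len = ATLAS_DN_ATTRIBUTES[t]
        if max_len is not None and len(v) > max_len:
            problems.append(f"{t} exceeds SIZE(1..{max_len}): {len(v)} characters")
        elif t in ("c", "countryofcitizenship", "countryofresidence") and not re.fullmatch(r"[A-Z]{2}", v):
            problems.append(f"{t} must be a two-letter ISO 3166 code")  # uppercase assumed
        elif t == "gender" and v not in ("M", "F", "m", "f"):
            problems.append("gender must be M, F, m or f")
        elif t == "dateofbirth" and not re.fullmatch(r"\d{8}000000Z", v):
            problems.append("dateofbirth must use the format YYYYMMDD000000Z")
    return problems


def _escape(value):
    """Re-escape a parsed value for RFC 4514 output."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out and out[0] in " #":
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def canonical_dn(dn):
    """Canonical form for comparing a certificate subject with an LDAP user
    DN: lowercase types, normalised escaping and spacing, multi-valued RDN
    members in a fixed order.  Value case is preserved (assumption)."""
    return ",".join("+".join(f"{t}={_escape(v)}" for t, v in sorted(rdn))
                    for rdn in parse_dn(dn))


def dn_matches(cert_subject, ldap_dn):
    """True when two DN strings denote the same name after canonicalisation."""
    return canonical_dn(cert_subject) == canonical_dn(ldap_dn)


if __name__ == "__main__":
    for dn in ("CN=Jane Doe,O=MongoDB,C=US", "O=MongoDB", r"CN=Doe\, Jane,GENDER=X"):
        print(dn, "->", validate_atlas_dn(dn) or "ok")
    print(dn_matches("CN=Jane Doe, O=MongoDB, C=US", "cn=Jane Doe,o=MongoDB,c=US"))
```

Run `validate_atlas_dn` on the value before entering it in the dialog; run `dn_matches` against the LDAP user's DN when LDAP authorization is enabled, so a mismatch is caught before the user is created rather than at first connection.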
Field: User Privileges
Description: You can assign roles in one of the following ways:
- Select Only read any database, which gives the user privileges to read any database.
- Select Select Custom Role to assign a custom role previously created in Atlas. You can create custom roles for database users in cases where the built-in database user roles cannot describe the desired set of privileges. For more information on custom roles, see Configure Custom Database Roles.
- Click Add Default Privileges. When you click this option, you can select individual roles and specify the database on which the roles apply. Optionally, for the read and readWrite roles, you can also specify a collection. If you do not specify a collection for read and readWrite, the role applies to all non-system collections in the database.
Note
The following table describes the Atlas-specific privileges, the
database each applies to, and the privilege actions they represent.