New in version 5.0.
Rotates the currently used TLS certificates for a
mongosto use the updated values for these certificates defined in the configuration file.
db.rotateCertificates()method takes the following optional argument:ParameterTypeDescription
messagestringoptional A message logged by the server to the log file and audit file.
db.rotateCertificates()method wraps the
db.rotateCertificates() method returns a document with
the following field:
Contains the command's execution status.
Rotation includes the following certificates:
CRL (Certificate Revocation List) files(on Linux and Windows platforms)
To rotate one or more of these certificates:
Replace the certificate or certificates you wish to rotate on the filesystem, noting the following constraints:
Each new certificate must have the same filename and same filepath as the certificate it is replacing.
If rotating an encrypted
TLS Certificate, its password must be the same as the password for the old certificate (as specified to the
certificateKeyFilePasswordconfiguration file setting). Certificate rotation does not support the interactive password prompt.
mongosinstance that you wish to perform certificate rotation on.
db.rotateCertificates()to rotate the certificates used by the
When certificate rotation takes place:
Existing connections to the
mongosinstance are not terminated, and will continue to use the old certificates.
Any new connections will use the new certificates.
If you have configured
OCSP for your
db.rotateCertificates() method will also fetch
stapled OCSP responses during rotation.
db.rotateCertificates() method may be run on a running
mongos regardless of replication
Only one instance of
rotateCertificates may run on each
mongos process at a time. Attempting to initiate a second
instance while one is already running will result in an error.
Incorrect, expired, revoked, or missing certificate files will cause the
certificate rotation to fail, but will not invalidate the existing
TLS configuration or terminate the running
mongos is running with
db.rotateCertificates() will fail and write
a warning message to the log file.
On successful rotation, the subject names, thumbprints, and the validity period of the server and cluster certificate thumbprints are logged to the configured log destination. If auditing is enabled, this information is also written to the audit log.
On Linux and Windows platforms, if a
CRL file is present, its thumbprint and validity period are
also logged to these locations.
You must have the
rotateCertificates action in order to use the
db.rotateCertificates() method. The
rotateCertificates action is part of the
The following operation rotates the certificates on a running
mongod instance, after having made the appropriate
updates to the configuration file to specify the updated certificate
The following performs the same as above, but also writes a custom log message at rotation time to the log file and audit file:
db.rotateCertificates("message": "Rotating certificates")