Self-managed X.509 certificates provide database users access to the
database deployments in their project. Database users are separate from Atlas
users. Database users have access to MongoDB databases, while Atlas
users have access to the Atlas application itself.
To use self-managed X.509 certificates, you must have a
Public Key Infrastructure to integrate with MongoDB Atlas.

Configure a Project to use a Public Key Infrastructure

Turn on Self-Managed X.509 Authentication.
In the Security section of Atlas's left
navigation panel, click Advanced.
Toggle Self-Managed X.509 Authentication to

Provide a PEM-encoded Certificate Authority.
You can provide a Certificate Authority (CA) by:
Clicking Upload and selecting a .pem file from
Copying the contents of a .pem file into the provided text
You can concatenate multiple CAs in the same .pem file or in the
text area. Users can authenticate with certificates generated by any
of the provided CAs.
When you upload a CA, a project-level alert is
automatically created to send a notification 30 days before
the CA expires, repeating every 24 hours. You can view and
edit this alert from Atlas's Alert Settings page. For
more information on configuring alerts, see
Configure Alert Settings.
To edit your CA once uploaded, click the
Self-Managed X.509 Authentication Settings
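
A pre-upload check for the concatenated CA .pem file described above, added here as an example and not taken from the Atlas documentation: it splits the bundle into individual certificates and uses `openssl x509` to flag any that are expired, expire within the 30-day window the project alert uses, or are not CA certificates. The function name `check_ca_bundle`, its status labels and its output format are assumptions of this example.

```sh
# Audit a concatenated CA bundle before uploading it (added example).
# Usage: check_ca_bundle bundle.pem [warn_days]
# Prints: index <TAB> status <TAB> subject <TAB> notAfter, one line per certificate.
# Returns 0 if every certificate is OK, 1 if any is flagged, 2 if none were found.
check_ca_bundle() {
  local bundle="$1" warn_days="${2:-30}" tmp rc=0 n=0 f subject end status
  tmp=$(mktemp -d) || return 2
  # Split the bundle into one file per BEGIN/END CERTIFICATE block.
  awk -v dir="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { i++; out = sprintf("%s/ca-%03d.pem", dir, i) }
    out { print > out }
    /-----END CERTIFICATE-----/ { close(out); out = "" }
  ' "$bundle"
  for f in "$tmp"/ca-*.pem; do
    [ -e "$f" ] || { echo "no certificates found in $bundle" >&2; rc=2; break; }
    n=$((n + 1))
    if ! subject=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 2>/dev/null); then
      printf '%d\tUNPARSEABLE\t-\t-\n' "$n"; rc=1; continue
    fi
    end=$(openssl x509 -in "$f" -noout -enddate)
    if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null; then
      status=EXPIRED; rc=1
    elif ! openssl x509 -in "$f" -noout -checkend $((warn_days * 86400)) >/dev/null; then
      status=EXPIRING; rc=1   # inside the warning window
    elif ! openssl x509 -in "$f" -noout -text | grep -q 'CA:TRUE'; then
      status=NOT_CA; rc=1     # leaf certificate pasted into the CA bundle
    else
      status=OK
    fi
    printf '%d\t%s\t%s\t%s\n' "$n" "$status" "${subject#subject=}" "${end#notAfter=}"
  done
  rm -rf "$tmp"
  return "$rc"
}
```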

Add a Database User using Self-Managed X.509 Authentication

Open the Add New Database User dialog.
In the Security section of the left navigation, click
Database Access. The Database Users tab
Click Add New Database User.

Enter user information.
The user's Common Name (CN) protected by the TLS/SSL
certificate. For more information, see
If your common name is "Jane Doe", your organization is
"MongoDB", and your country is "US", insert the following
into the Common Name field:

You can assign roles in one of the following ways:
Choose Select Custom Role to pick a custom
role previously created in Atlas. You can create custom
roles for database users in cases where the
built-in database user roles
cannot describe the desired set of
privileges. For more information on custom roles, see
Configure Custom Database Roles.
Click Add Default Privileges. When you
click this option, you can select
individual roles and specify the database on which the
roles apply. Optionally, for the read and readWrite
roles, you can also specify a collection. If you do not
specify a collection for read and readWrite, the
role applies to all non-system collections in the

When applied to a collection, the read and readWrite roles in
Atlas differ slightly from the
built-in MongoDB read and
In Atlas, read provides the following collection-level