Overview
In this guide, you can learn how to use the TLS protocol to secure
your connection to a MongoDB deployment. To configure your connection to
use TLS, enable the TLS option and optionally provide your certificates for
validation in your application's config/database.php file.
Tip
To learn more about TLS, see the Wikipedia entry on Transport Layer Security.
Enable TLS
In your application's config/database.php file, you can enable TLS
on a connection to your MongoDB deployment in one of the following ways:
Setting the
tlsoption totruein your connection stringSetting the
tlsoption totruein theoptionsproperty of yourmongodbconnection entry
Select from the following Connection String and Connection Options tabs to see a corresponding code sample:
Note
If your connection string uses a DNS SRV record by including
the mongodb+srv prefix, TLS is enabled on your connection by
default.
Configure Certificates
To successfully initiate a TLS request, your application might need to present cryptographic certificates to prove its identity. Your application's certificates must be stored as PEM files to enable TLS when connecting.
Important
For production use, we recommend that your MongoDB deployment use valid certificates generated and signed by the same certificate authority. For testing, your deployment can use self-signed certificates.
The following list describes the components that your client can present to establish a TLS-enabled connection:
TLS Component | Description |
|---|---|
Certificate Authority (CA) | One or more certificate authorities to
trust when making a TLS connection. You can pass this file's path
to the |
Client Certificate | A digital certificate that allows the server to verify the identity
of your application to establish an encrypted network connection.
You can pass this file's path to the |
Certificate Key | The client certificate private key file. This key is often
included within the certificate file itself. If you must
provide this item, the certificate and key should be concatenated
in one file that you can pass to the |
Passphrase | The password to decrypt the private client key if it is
encrypted. You can pass this file's path to the
|
Reference Certificates
If required, you must reference your certificates when configuring your mongodb
connection so that the server can validate them before the client connects.
We recommend that you reference your certificates and set other TLS
options in the options property of your connection configuration
instead of in the connection string. This improves code readability in
your application.
Set the following options in the options property to reference your
certificates:
tlsCAFiletlsCertificateKeyFiletlsCertificateKeyFilePassword
Note
For testing purposes, you can set the following options to
true to disable validation:
tlsAllowInvalidCertificatestlsAllowInvalidHostnames
Or, you can set the tlsInsecure option to true to implicitly set
both of the preceding options.
Specifying these options in a production environment might make your application insecure. To learn more, see the Connection Options reference in the Server manual.
The following example configures a connection with TLS enabled:
'connections' => [ 'mongodb' => [ 'driver' => 'mongodb', 'dsn' => '<connection string>', 'database' => 'myDB', 'options' => [ 'tls' => true, 'tlsCAFile' => '<path to CA certificate>', 'tlsCertificateKeyFile' => '<path to private client certificate>', 'tlsCertificateKeyFilePassword' => '<path to client key passphrase>', ] ] ]
Additional Information
To learn more about setting URI options, see the MongoDB\\Driver\\Manager::__construct() API documentation.
To learn more about enabling TLS on a connection, see the following Server manual documentation: