/ /

Connect with X.509 Certificates

You can connect to your MongoDB Enterprise deployment or MongoDB Atlas cluster using X.509 certificate authentication with the MongoDB MCP server.

To learn more, see X.509.

Prerequisites

Complete one of the following procedures to set up X.509 authentication for your MongoDB deployment:

Note

If you need to configure your MongoDB instance to support TLS/SSL, see Configure MongoDB for TLS/SSL.

Configuration Options

To connect to a MongoDB deployment with X.509, configure the following options in your MCP server configuration:

CLI Option Name	OS Environment Variable Name	Type	Necessity	Description
`username`	`MDB_MCP_USERNAME`	string	Required	Set the username to the subject from your client certificate. The username must match the distinguished subject name of the certificate. If you omit this parameter, the MongoDB deployment infers the username from the X.509 certificate.
`authenticationDatabase`	`MDB_MCP_AUTHENTICATION_DATABASE`	string	Required	Set to `$external` for X.509 authentication.
`authenticationMechanism`	`MDB_MCP_AUTHENTICATION_MECHANISM`	string	Required	Set to `MONGODB-X509` to use X.509 client certificate authentication.
`tls`	`MDB_MCP_TLS`	boolean	Optional	Set to `true` to enable TLS for the connection when using X.509.
`tlsCertificateKeyFile`	`MDB_MCP_TLS_CERTIFICATE_KEY_FILE`	string	Optional	Specifies the .pem file that contains both the TLS / SSL certificate and key. Specify the file name of the .pem file using relative or absolute paths. Required when using `tls` to connect to a `mongod` or `mongos` instance that requires client certificates.
`tlsCertificateSelector`	`MDB_MCP_TLS_CERTIFICATE_SELECTOR`	string	Optional	Available on Windows and macOS as an alternative to `tlsCertificateKeyFile`. Specifies a certificate property in order to select a matching certificate from the operating system's certificate store. Accepts an argument of the format `<property>=<value>` where the property can be one of the following: `subject`, `thumbprint`. The options are mutually exclusive: you can only specify one of `tlsCertificateKeyFile` or `tlsCertificateSelector`.
`tlsCAFile`	`MDB_MCP_TLS_CA_FILE`	string	Optional	Specifies the .pem file that contains the root certificate chain from the Certificate Authority. This file is used to validate the certificate presented by the `mongod` / `mongos` instance. Specify the file name of the .pem file using relative or absolute paths.
`tlsCRLFile`	`MDB_MCP_TLS_CRL_FILE`	string	Optional	Specifies the .pem file that contains the Certificate Revocation List. Specify the file name of the .pem file using relative or absolute paths.
`tlsDisabledProtocols`	`MDB_MCP_TLS_DISABLED_PROTOCOLS`	string	Optional	Disables the specified TLS protocols. To enable a disabled protocol, specify `none`.
`tlsAllowInvalidHostnames`	`MDB_MCP_TLS_ALLOW_INVALID_HOSTNAMES`	boolean	Optional	Disables the validation of the hostnames in the certificate presented by the `mongod` / `mongos` instance. Allows connections even if the hostname in the server certificate does not match the server's host.
`tlsAllowInvalidCertificates`	`MDB_MCP_TLS_ALLOW_INVALID_CERTIFICATES`	boolean	Optional	Bypasses the validation checks for the certificates presented by the `mongod` / `mongos` instance and allows connections to servers that present invalid certificates.

Back

Kerberos

Proxy