Overview
The MONGODB-X509 authentication mechanism uses Transport Layer Security (TLS)
with X.509 certificates to authenticate your user, which is identified
by the relative distinguished names (RDNs) of your client certificate.
You can use X.509 to authenticate to MongoDB Atlas, MongoDB Enterprise Advanced, and MongoDB Community Edition.
Tip
To learn more about X.509 certificates, see x.509 in the MongoDB Server manual.
Code Placeholders
The code examples on this page use the following placeholders:
path to CA certificate: The filepath for your CA file
path to private client key: The filepath for your certificate key file
password for client key: The password used to decrypt the client key
db: The authentication database associated with the user
Setup
When specifying this authentication mechanism, you must provide the following files:
A certificate authority (CA) file, which contains one or more certificate authorities to trust when making a TLS connection. Before connecting to the server, the driver uses this file to verify that the server's certificate is from one of the specified certificate authorities.
A certificate key file, which contains the client certificate and private key. The driver presents this file to the server to verify the client.
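As an added example (not code from the MongoDB documentation or driver), the following std-only Rust check inspects the text of a certificate key file before you hand its path to the driver: it confirms the file holds a client certificate and a private key, and reports whether the key is encrypted and therefore needs the password. It assumes a PEM-encoded file; the names `KeyFileReport`, `inspect_key_file` and `preflight` and the sample text are constructed for illustration, and the check is structural only (it does not validate the certificate or key).

```rust
#[derive(Debug, PartialEq)]
pub struct KeyFileReport { pub certificates: usize, pub private_keys: usize, pub encrypted: bool }

/// Count PEM blocks by their BEGIN label and note whether the key is encrypted.
pub fn inspect_key_file(pem: &str) -> KeyFileReport {
    let mut r = KeyFileReport { certificates: 0, private_keys: 0, encrypted: false };
    for line in pem.lines().map(str::trim) {
        let label = line.strip_prefix("-----BEGIN ").and_then(|l| l.strip_suffix("-----"));
        match label {
            Some("CERTIFICATE") => r.certificates += 1,
            Some(l) if l.ends_with("PRIVATE KEY") => {
                r.private_keys += 1;
                // PKCS#8 encrypted keys say so in the label itself.
                r.encrypted |= l == "ENCRYPTED PRIVATE KEY";
            }
            // Legacy OpenSSL encrypted keys say so in a header inside the block.
            None if line.starts_with("Proc-Type:") && line.contains("ENCRYPTED") => {
                r.encrypted = true;
            }
            _ => {}
        }
    }
    r
}

/// Ok only if the file holds what the driver must present to the server.
/// Requiring exactly one key block is an assumption of this example.
pub fn preflight(pem: &str, have_password: bool) -> Result<KeyFileReport, String> {
    let r = inspect_key_file(pem);
    if r.certificates == 0 {
        return Err("no CERTIFICATE block: the client certificate is missing".into());
    }
    if r.private_keys != 1 {
        return Err(format!("expected 1 private key block, found {}", r.private_keys));
    }
    if r.encrypted && !have_password {
        return Err("private key is encrypted but no password was supplied".into());
    }
    Ok(r)
}

fn main() {
    // Constructed sample: labels with dummy bodies, not a real certificate or key.
    let sample = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n\
                  -----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n-----END ENCRYPTED PRIVATE KEY-----\n";
    println!("{:?} / {:?}", preflight(sample, false), preflight(sample, true));
}
```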
Example
To specify the MONGODB-X509 authentication mechanism, set the
mechanism field of your Credential struct to
AuthMechanism::MongoDbX509.
The following code shows how to reference your certificates in your
connection string, specify the MONGODB-X509 authentication mechanism, and
connect to MongoDB:
    use mongodb::{
        options::{AuthMechanism, ClientOptions, Credential},
        Client,
    };

    // Reference the CA file, the certificate key file and its password in the URI.
    let uri = format!(
        "mongodb://<hostname>:<port>/?tlsCAFile={tlsCAFile}\
         &tlsCertificateKeyFile={tlsCertificateKeyFile}\
         &tlsCertificateKeyFilePassword={tlsCertificateKeyFilePassword}",
        tlsCAFile = "<path to CA certificate>",
        tlsCertificateKeyFile = "<path to private client key>",
        tlsCertificateKeyFilePassword = "<password for client key>"
    );
    let mut client_options = ClientOptions::parse(uri).await?;

    // Select MONGODB-X509 as the authentication mechanism, then connect.
    let x509_cred = Credential::builder().mechanism(AuthMechanism::MongoDbX509).build();
    client_options.credential = Some(x509_cred);
    let client = Client::with_options(client_options)?;
Tip
To learn more about enabling TLS on a connection, see the Enable and Configure TLS guide.
Additional Information
To learn more about authenticating to MongoDB, see Authentication in the Server manual.
To learn more about managing users of your MongoDB deployment, see Users in the Server manual.
API Documentation
To learn more about the methods and types mentioned in this guide, see the following API documentation: