Set up Self-Managed X.509 Authentication¶
Self-managed X.509 certificates provide database users access to the database deployments in your project. Database users are separate from Atlas users. Database users have access to MongoDB databases, while Atlas users have access to the Atlas application itself.
Considerations¶
If you enable LDAP authorization, you can't connect to your database deployments with users that authenticate with an Atlas-managed X.509 certificate.
After you enable LDAP authorization, you can still connect to your database deployments with users that authenticate with a self-managed X.509 certificate. However, the Common Name in the user's X.509 certificate must match the Distinguished Name of a user who is authorized to access your database with LDAP.
Prerequisites¶
In order to use self-managed X.509 certificates, you must have a Public Key Infrastructure to integrate with MongoDB Atlas.
Configure a Project to use a Public Key Infrastructure¶
Turn on Self-Managed X.509 Authentication.¶
- In the Security section of Atlas's left navigation panel, click Advanced.
- Toggle Self-Managed X.509 Authentication to ON.
Provide a PEM-encoded Certificate Authority.¶
You can provide a Certificate Authority (CA) by:
- Clicking Upload and selecting a .pem file from your filesystem.
- Copying the contents of a .pem file into the provided text area.
You can concatenate multiple CAs in the same .pem file or in the text area. Users can authenticate with certificates generated by any of the provided CAs.
When you upload a CA, a project-level alert is automatically created to send a notification 30 days before the CA expires, repeating every 24 hours. You can view and edit this alert from Atlas's Alert Settings page. For more information on configuring alerts, see Configure Alert Settings.
Click Save.¶
To edit your CA once uploaded, click the Self-Managed X.509 Authentication Settings icon.
Add a Database User using Self-Managed X.509 Authentication¶
Open the Add New Database User dialog.¶
- In the Security section of the left navigation, click Database Access. The Database Users tab displays.
- Click Add New Database User.
Select CERTIFICATE.¶
Enter user information.¶
Field | Description
---|---
Distinguished Name | The user's Common Name (CN) and optionally additional Distinguished Name fields, in RFC 2253 format. Example: CN=Jane Doe,O=MongoDB,C=US
User Privileges | You can assign roles in one of the following ways: For information on the built-in Atlas privileges, see Database User Privileges. For more information on authorization, see Role-Based Access Control and Built-in Roles in the MongoDB manual.
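The following script is an added example, not part of the Atlas documentation or of any MongoDB tooling. It builds a throwaway PKI with openssl so you can see the two points above end to end: the CA file that gets uploaded (including a concatenated bundle of two CAs), and the exact Distinguished Name string that must be entered for the database user. The DN Atlas expects is the certificate subject in RFC 2253 order (CN first, comma-separated), which is the reverse of openssl's default slash-separated display, so the script prints it with `-nameopt RFC2253`, the same option the MongoDB manual uses. The CA names, the user name, the working directory and the cluster placeholder in the comment are all hypothetical.

```shell
#!/bin/sh
# Added example (not Atlas or MongoDB code). Builds two hypothetical CAs,
# issues a client cert from one of them, derives the RFC 2253 subject for
# the Atlas "Distinguished Name" field, and runs the checks you want to do
# before uploading the CA bundle.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Create a self-signed root CA. $1 = file prefix, $2 = CN (both hypothetical).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/C=US/O=MongoDB/CN=$2" \
    -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.pem" 2>/dev/null
}

# Issue a client certificate for a database user, signed by CA "$1".
make_user_cert() {
  openssl req -newkey rsa:2048 -nodes \
    -subj "/C=US/O=MongoDB/CN=Jane Doe" \
    -keyout "$WORKDIR/user.key" -out "$WORKDIR/user.csr" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/user.csr" \
    -CA "$WORKDIR/$1.pem" -CAkey "$WORKDIR/$1.key" -CAcreateserial \
    -days 90 -out "$WORKDIR/user.crt" 2>/dev/null
  # MongoDB clients expect private key and certificate in one PEM file.
  cat "$WORKDIR/user.key" "$WORKDIR/user.crt" > "$WORKDIR/user.pem"
}

# Concatenate several CAs into the single .pem Atlas accepts; prints the
# number of certificates in the bundle so you can confirm nothing was lost.
bundle_cas() {
  cat "$WORKDIR/ca1.pem" "$WORKDIR/ca2.pem" > "$WORKDIR/cas.pem"
  grep -c 'BEGIN CERTIFICATE' "$WORKDIR/cas.pem"
}

# The string to enter as the Atlas "Distinguished Name": the subject in
# RFC 2253 form (CN=...,O=...,C=...), not openssl's default /C=.../O=.../CN=...
atlas_dn() {
  openssl x509 -in "$WORKDIR/user.crt" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//'
}

# Does the user certificate chain to the uploaded CA bundle?
verify_chain() {
  openssl verify -CAfile "$WORKDIR/cas.pem" "$WORKDIR/user.crt" >/dev/null 2>&1
}

# Local equivalent of the project-level alert: succeeds only if the CA is
# still valid 30 days from now.
ca_valid_for_30_days() {
  openssl x509 -in "$WORKDIR/$1.pem" -noout -checkend $((30*24*3600)) >/dev/null
}

# Connection test once the user exists in Atlas (hypothetical host; not run here):
#   mongosh "mongodb+srv://<cluster-host>/?authSource=%24external&authMechanism=MONGODB-X509" \
#     --tls --tlsCertificateKeyFile "$WORKDIR/user.pem"

if [ "${1:-}" = "run" ]; then
  make_ca ca1 "Example Corp Root CA 1"
  make_ca ca2 "Example Corp Root CA 2"
  make_user_cert ca1
  echo "certificates in bundle: $(bundle_cas)"
  echo "Atlas Distinguished Name: $(atlas_dn)"
  verify_chain && echo "user cert chains to uploaded CA bundle"
  ca_valid_for_30_days ca1 && echo "CA 1 valid for at least 30 more days"
fi
```

Run it with `sh script.sh run`. The value printed after "Atlas Distinguished Name:" is what goes in the Distinguished Name field; if you paste openssl's default `/C=US/O=MongoDB/CN=Jane Doe` form instead, authentication fails because the DN comparison is literal. The `openssl verify` step against the concatenated bundle confirms the behaviour described above: a certificate from any of the bundled CAs is accepted.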