X.509 certificates provide database users access to the clusters in their project. Note that database users are different from Atlas users: database users have access to MongoDB databases, while Atlas users have access to the Atlas application itself.
X.509 certificates can be of one of the following types:
Self-managed certificates. With self-managed certificates, you must provide a Certificate Authority (CA) and generate your own certificates for your database users. See Configure a Project to use a Public Key Infrastructure for more details on setting up self-managed certificates in your project.
Atlas-managed certificates. With Atlas-managed certificates, Atlas manages your CA as well and generates the certificates for your database users. You do not need to handle any additional CA configuration with Atlas-managed certificates.
Prerequisites
To self-manage your X.509 certificates, you must have a Public Key Infrastructure (PKI) to integrate with Atlas.
Configure a Project to use a Public Key Infrastructure
If you choose to work with self-managed X.509 certificates, you must configure your project to use a PKI you provide.
In Atlas, go to the Advanced page for your project.
If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.
If it's not already displayed, select your project from the Projects menu in the navigation bar.
In the sidebar, click Database & Network Access under the Security heading.
In the sidebar, click Advanced.
The Advanced page displays.
Provide a PEM-encoded Certificate Authority.
To save one customer-managed X.509 configuration for the project you specify using the Atlas CLI, run the following command:
atlas security customerCerts create [options]
To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas security customerCerts create.
You can provide a Certificate Authority (CA) using the Atlas UI by either:
Clicking Upload, selecting a .pem file from your filesystem, and clicking Save.
Copying the contents of a .pem file into the provided text area and clicking Save.
You can concatenate multiple CAs in the same .pem file or in the text area. Users can authenticate with certificates generated by any of the provided CAs.
When you upload a CA, a project-level alert is automatically created to send a notification 30 days before the CA expires, repeating every 24 hours. You can view and edit this alert from Atlas's Alert Settings page. For more information on configuring alerts, see Configure Alert Settings.
To edit your CA once uploaded, click the Self-Managed X.509 Authentication Settings icon.
Add a Database User using Self-Managed X.509 Authentication
In Atlas, go to the Database & Network Access page for your project.
If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.
If it's not already displayed, select your project from the Projects menu in the navigation bar.
In the sidebar, click Database & Network Access under the Security heading.
The Database & Network Access page displays.
Enter user information.
Field | Description
---|---
Common Name | The user's Common Name (CN) protected by the TLS/SSL certificate. For more information, see RFC 2253. For example, if your common name is "Jane Doe", your organization is "MongoDB", and your country is "US", insert the following into the Common Name field:
User Privileges | You can assign roles in one of the following ways: For more information on the built-in Atlas privileges, see Roles and Privileges Overview. For more information on authorization, see Role-Based Access Control and Built-in Roles in the MongoDB manual.
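As an added example (not part of the Atlas documentation or the Atlas CLI), the following Python script covers the two self-managed inputs this page describes: it builds the RFC 2253 subject string for the Common Name field from the "Jane Doe" / "MongoDB" / "US" example above, escaping the characters RFC 2253 reserves, and it checks the framing of a concatenated .pem CA bundle before it is uploaded. The function names are my own and the sample bundle is a constructed dummy that exercises the PEM framing only, not real CA certificates.

```python
import base64
import re

# RFC 2253 section 2.4: characters that must be backslash-escaped inside an attribute value.
_SPECIAL = set(',+"\\<>;')

def escape_rdn_value(value: str) -> str:
    """Escape one attribute value (such as the CN) according to RFC 2253."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        # Also escape a leading '#' (would be read as hex-encoded BER) and edge spaces.
        if ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\")
        out.append(ch)
    return "".join(out)

def build_subject_dn(cn: str, org: str, country: str) -> str:
    """RFC 2253 string for the Common Name field, most specific RDN (CN) first.
    It must match the subject of the user's certificate exactly."""
    rdns = (("CN", cn), ("O", org), ("C", country))
    return ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in rdns)

_CERT_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
_OTHER_BLOCK = re.compile(r"-----BEGIN (?!CERTIFICATE-----)([A-Z ]+)-----")

def ca_bundle_problems(pem: str) -> list[str]:
    """Check the framing of a concatenated .pem CA bundle before uploading it.
    Empty list = every block is a well-formed CERTIFICATE block. Signatures and
    expiry are not checked here; expiry is what the 30-day Atlas alert covers."""
    # A non-certificate block (e.g. a private key pasted in by mistake) is a problem.
    problems = [f"non-certificate block present: {m.group(1).strip()}"
                for m in _OTHER_BLOCK.finditer(pem)]
    blocks = _CERT_BLOCK.findall(pem)
    if not blocks:
        problems.append("no CERTIFICATE blocks found")
    for n, body in enumerate(blocks, 1):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"certificate {n}: body is not valid base64")
            continue
        if not der.startswith(b"\x30"):  # every X.509 certificate is a DER SEQUENCE
            problems.append(f"certificate {n}: not a DER SEQUENCE")
    return problems

# Constructed sample: two dummy blocks that exercise the PEM framing only, not real CAs.
SAMPLE_BUNDLE = ("-----BEGIN CERTIFICATE-----\nMIIBAAAA\n-----END CERTIFICATE-----\n"
                 "-----BEGIN CERTIFICATE-----\nMIIBAAAB\n-----END CERTIFICATE-----\n")
```

Running `ca_bundle_problems` on the file you are about to upload catches a stray private key or a truncated block before Atlas does; `build_subject_dn` gives the exact string to paste for a user whose certificate subject contains those three attributes.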