# Use x.509 Certificates to Authenticate Clients

NOTE

Starting in version 4.0, MongoDB disables support for TLS 1.0 encryption on systems where TLS 1.1+ is available. For more details, see [Disable TLS 1.0](https://docs.mongodb.com/v4.2/release-notes/4.0/#disable-tls).

MongoDB supports x.509 certificate authentication for use with a secure [TLS/SSL connection](https://docs.mongodb.com/v4.2/tutorial/configure-ssl/). The x.509 client authentication allows [clients to authenticate to servers with certificates](https://docs.mongodb.com/v4.2/tutorial/configure-x509-client-authentication/#x509-client-authentication) rather than with a username and password. The following tutorial outlines the steps to use x.509 for client authentication with a standalone [`mongod`](https://docs.mongodb.com/v4.2/reference/program/mongod/#bin.mongod) instance.

To use x.509 authentication for replica sets or sharded clusters, see [Use x.509 Certificate for Membership Authentication](https://docs.mongodb.com/v4.2/tutorial/configure-x509-member-authentication/).

> Note: Starting in version 4.0, MongoDB disables support for TLS 1.0 encryption on systems where TLS 1.1+ is available. For more details, see [Disable TLS 1.0](https://docs.mongodb.com/v4.2/release-notes/4.0/#disable-tls).

MongoDB supports x.509 certificate authentication over a secure [TLS/SSL connection](https://docs.mongodb.com/v4.2/tutorial/configure-ssl/). x.509 client authentication allows [clients to authenticate to servers with certificates](https://docs.mongodb.com/v4.2/tutorial/configure-x509-client-authentication/#x509-client-authentication) instead of a username and password. The following tutorial walks through the steps for x.509 client authentication against a standalone [`mongod`](https://docs.mongodb.com/v4.2/reference/program/mongod/#bin.mongod) instance.

To use x.509 authentication for replica sets or sharded clusters, see [Use x.509 Certificate for Membership Authentication](https://docs.mongodb.com/v4.2/tutorial/configure-x509-member-authentication/).

### Prerequisites

IMPORTANT

A full description of TLS/SSL, PKI (Public Key Infrastructure) certificates, in particular x.509 certificates, and Certificate Authority is beyond the scope of this document. This tutorial assumes prior knowledge of TLS/SSL as well as access to valid x.509 certificates.

### Prerequisites

> Important: A full description of TLS/SSL, PKI (Public Key Infrastructure) certificates, in particular x.509 certificates, and Certificate Authorities is beyond the scope of this document. This tutorial assumes that you already understand TLS/SSL and have access to valid x.509 certificates.

#### Certificate Authority

For production use, your MongoDB deployment should use valid certificates generated and signed by a single certificate authority. You or your organization can generate and maintain an independent certificate authority, or use certificates generated by a third-party TLS/SSL vendor. Obtaining and managing certificates is beyond the scope of this documentation.

IMPORTANT

To use x.509 authentication, `--tlsCAFile` or `net.tls.CAFile` must be specified unless using `--tlsCertificateSelector` or `--net.tls.certificateSelector`. Or if using the `ssl` aliases, `--sslCAFile` or `net.ssl.CAFile` must be specified unless using `--sslCertificateSelector` or `net.ssl.certificateSelector`.

#### Certificate Authority

For production use, your MongoDB deployment should use valid certificates generated and signed by a single certificate authority. You or your organization can generate and maintain an independent certificate authority, or use certificates generated by a third-party TLS/SSL vendor. Obtaining and managing certificates is beyond the scope of this documentation.

> Important: To use x.509 authentication, `--tlsCAFile` or `net.tls.CAFile` must be specified unless you use `--tlsCertificateSelector` or `--net.tls.certificateSelector`. If you use the `ssl` aliases instead, `--sslCAFile` or `net.ssl.CAFile` must be specified unless you use `--sslCertificateSelector` or `net.ssl.certificateSelector`.

#### Client x.509 Certificate

NOTE

You must have valid x.509 certificates.

Starting in MongoDB 4.0, if you specify `--sslAllowInvalidCertificates` or `net.ssl.allowInvalidCertificates: true` (or, in MongoDB 4.2, the alias `--tlsAllowInvalidCertificates` or `net.tls.allowInvalidCertificates: true`) when using x.509 authentication, an invalid certificate is only sufficient to establish a TLS/SSL connection but is *insufficient* for authentication.

The client certificate must have the following properties:

* A single Certificate Authority (CA) must issue the certificates for both the client and the server.
* Client certificates must contain the following fields:

```
  keyUsage = digitalSignature
  extendedKeyUsage = clientAuth
```

* Each unique MongoDB user must have a unique certificate.
* A client x.509 certificate’s subject, which contains the Distinguished Name (`DN`), must **differ** from that of a [Member x.509 Certificate](https://docs.mongodb.com/v4.2/tutorial/configure-x509-member-authentication/#x509-member-certificate).

  At least one of the Organization (`O`), Organizational Unit (`OU`), or Domain Component (`DC`) attributes in the client certificate must differ from those in the [`net.tls.clusterFile`](https://docs.mongodb.com/v4.2/reference/configuration-options/#net.tls.clusterFile) and [`net.tls.certificateKeyFile`](https://docs.mongodb.com/v4.2/reference/configuration-options/#net.tls.certificateKeyFile) server certificates.

  If the MongoDB deployment has [`tlsX509ClusterAuthDNOverride`](https://docs.mongodb.com/v4.2/reference/parameters/#param.tlsX509ClusterAuthDNOverride) set (available starting in MongoDB 4.2), the client x.509 certificate’s subject must also differ from that value.

  WARNING

  If a client x.509 certificate’s subject has the same `O`, `OU`, and `DC` combination as the [Member x.509 Certificate](https://docs.mongodb.com/v4.2/tutorial/configure-x509-member-authentication/#x509-member-certificate) (or [`tlsX509ClusterAuthDNOverride`](https://docs.mongodb.com/v4.2/reference/parameters/#param.tlsX509ClusterAuthDNOverride) if set), the client connection is rejected. Only [cluster member x509 certificates](https://docs.mongodb.com/v4.2/tutorial/configure-x509-member-authentication/#x509-member-certificate) should use the same `O`, `OU`, and `DC` combinations as this grants full permissions.

#### Client x.509 Certificate

> Note: You must have valid x.509 certificates.

Starting in MongoDB 4.0, if you specify `--sslAllowInvalidCertificates` or `net.ssl.allowInvalidCertificates: true` (or, in MongoDB 4.2, the alias `--tlsAllowInvalidCertificates` or `net.tls.allowInvalidCertificates: true`) when using x.509 authentication, an invalid certificate is only sufficient to establish a TLS/SSL connection but is *insufficient* for authentication.

The client certificate must have the following properties:

* A single Certificate Authority (CA) must issue the certificates for both the client and the server.
* Client certificates must contain the following fields:

  ```
  keyUsage = digitalSignature
  extendedKeyUsage = clientAuth
  ```
* Each unique MongoDB user must have a unique certificate.
* A client x.509 certificate's subject, which contains the Distinguished Name (`DN`), must **differ** from the subject of a [Member x.509 Certificate](https://docs.mongodb.com/v4.2/tutorial/configure-x509-member-authentication/#x509-member-certificate).

  At least one of the Organization (`O`), Organizational Unit (`OU`), or Domain Component (`DC`) attributes in the client certificate must differ from those in the [`net.tls.clusterFile`](https://docs.mongodb.com/v4.2/reference/configuration-options/#net.tls.clusterFile) and [`net.tls.certificateKeyFile`](https://docs.mongodb.com/v4.2/reference/configuration-options/#net.tls.certificateKeyFile) server certificates.

  If the MongoDB deployment has [`tlsX509ClusterAuthDNOverride`](https://docs.mongodb.com/v4.2/reference/parameters/#param.tlsX509ClusterAuthDNOverride) set (available in MongoDB 4.2), the client x.509 certificate's subject must also differ from that value.

> Warning: If a client certificate's subject has the same `O`, `OU`, and `DC` combination as the [Member x.509 Certificate](https://docs.mongodb.com/v4.2/tutorial/configure-x509-member-authentication/#x509-member-certificate) (or [`tlsX509ClusterAuthDNOverride`](https://docs.mongodb.com/v4.2/reference/parameters/#param.tlsX509ClusterAuthDNOverride), if set), the client connection is rejected. Only [cluster member x509 certificates](https://docs.mongodb.com/v4.2/tutorial/configure-x509-member-authentication/#x509-member-certificate) should use the same `O`, `OU`, and `DC` combination, because that combination grants full permissions.

#### MongoDB Deployment Configured for x.509 (Using TLS Options)

NOTE

The procedures in this section use the `tls` settings/option (Available in MongoDB 4.2). For procedures using their `ssl` aliases, see [MongoDB Deployment Configured for x.509 (Using SSL Options)](https://docs.mongodb.com/v4.2/tutorial/configure-x509-client-authentication/#x509-deploy-ssl).

The `tls` settings/options provide **identical** functionality as the `ssl` options since MongoDB has always supported TLS 1.0 and later.

You can configure a [`mongod`](https://docs.mongodb.com/v4.2/reference/program/mongod/#bin.mongod) instance for x.509 authentication from the command-line. For example, to configure a standalone [`mongod`](https://docs.mongodb.com/v4.2/reference/program/mongod/#bin.mongod) instance:

```
mongod --tlsMode requireTLS --tlsCertificateKeyFile <path to TLS/SSL certificate and key PEM file> --tlsCAFile <path to root CA PEM file> --bind_ip <hostnames>
```

Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the `--bind_ip`. For more information, see [Localhost Binding Compatibility Changes](https://docs.mongodb.com/v4.2/release-notes/3.6-compatibility/#bind-ip-compatibility).

The x.509 configuration requires:

| Option                                                                                                                      | Notes                                                                            |
| --------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- |
| [`--tlsMode`](https://docs.mongodb.com/v4.2/reference/program/mongod/#cmdoption-mongod-tlsmode)                             | Specify `requireTLS`.                                                            |
| [`--tlsCertificateKeyFile`](https://docs.mongodb.com/v4.2/reference/program/mongod/#cmdoption-mongod-tlscertificatekeyfile) | The instance’s x.509 certificate to present to clients.                          |
| [`--tlsCAFile`](https://docs.mongodb.com/v4.2/reference/program/mongod/#cmdoption-mongod-tlscafile)                         | Certificate Authority file to verify the certificates presented to the instance. |

To set up x.509 authentication for replica sets or sharded clusters, see [Use x.509 Certificate for Membership Authentication](https://docs.mongodb.com/v4.2/tutorial/configure-x509-member-authentication/).

#### MongoDB Deployment Configured for x.509 (Using TLS Options)

> Note: The procedures in this section use the `tls` settings/options (available in MongoDB 4.2). For procedures using the `ssl` aliases, see [MongoDB Deployment Configured for x.509 (Using SSL Options)](https://docs.mongodb.com/v4.2/tutorial/configure-x509-client-authentication/#x509-deploy-ssl).

The `tls` settings/options provide the same functionality as the `ssl` options, since MongoDB has always supported TLS 1.0 and later.

You can configure a [`mongod`](https://docs.mongodb.com/v4.2/reference/program/mongod/#bin.mongod) instance for x.509 authentication from the command line. For example, to configure a [`mongod`](https://docs.mongodb.com/v4.2/reference/program/mongod/#bin.mongod) instance:

```
mongod --tlsMode requireTLS --tlsCertificateKeyFile <path to TLS/SSL certificate and key PEM file> --tlsCAFile <path to root CA PEM file> --bind_ip <hostnames>
```

Include additional options as required for your configuration. For example, if you want remote clients to connect to your deployment, or your deployment members run on different hosts, specify `--bind_ip`. For more information, see [Localhost Binding Compatibility Changes](https://docs.mongodb.com/v4.2/release-notes/3.6-compatibility/#bind-ip-compatibility).

The x.509 configuration includes:

| Option | Notes |
| --- | --- |
| [`--tlsMode`](https://docs.mongodb.com/v4.2/reference/program/mongod/#cmdoption-mongod-tlsmode) | Specify `requireTLS`. |
| [`--tlsCertificateKeyFile`](https://docs.mongodb.com/v4.2/reference/program/mongod/#cmdoption-mongod-tlscertificatekeyfile) | The instance's x.509 certificate to present to clients. |
| [`--tlsCAFile`](https://docs.mongodb.com/v4.2/reference/program/mongod/#cmdoption-mongod-tlscafile) | Certificate Authority file to verify the certificates presented to the instance. |

To set up x.509 authentication for replica sets or sharded clusters, see [Use x.509 Certificate for Membership Authentication](https://docs.mongodb.com/v4.2/tutorial/configure-x509-member-authentication/).

#### MongoDB Deployment Configured for x.509 (Using SSL Options)

NOTE

The procedures in this section use the `ssl` settings/option. For procedures using their `tls` aliases (Available in MongoDB 4.2), see [MongoDB Deployment Configured for x.509 (Using TLS Options)](https://docs.mongodb.com/v4.2/tutorial/configure-x509-client-authentication/#x509-deploy-tls).

The `tls` settings/options provide **identical** functionality as the `ssl` options since MongoDB has always supported TLS 1.0 and later.

You can configure a [`mongod`](https://docs.mongodb.com/v4.2/reference/program/mongod/#bin.mongod) instance for x.509 authentication from the command-line. For example, to configure a standalone [`mongod`](https://docs.mongodb.com/v4.2/reference/program/mongod/#bin.mongod) instance:

```
mongod --sslMode requireSSL --sslPEMKeyFile <path to TLS/SSL certificate and key PEM file> --sslCAFile <path to root CA PEM file>  --bind_ip <hostnames>
```

Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the `--bind_ip`. For more information, see [Localhost Binding Compatibility Changes](https://docs.mongodb.com/v4.2/release-notes/3.6-compatibility/#bind-ip-compatibility).

The x.509 configuration for a standalone requires:

| Option                                                                                                      | Notes                                                                           |
| ----------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------- |
| [`--sslMode`](https://docs.mongodb.com/v4.2/reference/program/mongod/#cmdoption-mongod-sslmode)             | Specify `requireSSL`.                                                           |
| [`--sslPEMKeyFile`](https://docs.mongodb.com/v4.2/reference/program/mongod/#cmdoption-mongod-sslpemkeyfile) | The instance’s x.509 certificate.                                               |
| [`--sslCAFile`](https://docs.mongodb.com/v4.2/reference/program/mongod/#cmdoption-mongod-sslcafile)         | Certificate Authority file to verify the certificate presented to the instance. |

To set up x.509 authentication for replica sets or sharded clusters, see [Use x.509 Certificate for Membership Authentication](https://docs.mongodb.com/v4.2/tutorial/configure-x509-member-authentication/).

#### MongoDB Deployment Configured for x.509 (Using SSL Options)

> Note: The procedures in this section use the `ssl` settings/options. For procedures using the `tls` aliases (available in MongoDB 4.2), see [MongoDB Deployment Configured for x.509 (Using TLS Options)](https://docs.mongodb.com/v4.2/tutorial/configure-x509-client-authentication/#x509-deploy-tls).

The `tls` settings/options provide the same functionality as the `ssl` options, since MongoDB has always supported TLS 1.0 and later.

You can configure a [`mongod`](https://docs.mongodb.com/v4.2/reference/program/mongod/#bin.mongod) instance for x.509 authentication from the command line. For example, to configure a standalone [`mongod`](https://docs.mongodb.com/v4.2/reference/program/mongod/#bin.mongod) instance:

```
mongod --sslMode requireSSL --sslPEMKeyFile <path to TLS/SSL certificate and key PEM file> --sslCAFile <path to root CA PEM file>  --bind_ip <hostnames>
```

Include additional options as required for your configuration. For example, if you want remote clients to connect to your deployment, or your deployment members run on different hosts, specify `--bind_ip`. For more information, see [Localhost Binding Compatibility Changes](https://docs.mongodb.com/v4.2/release-notes/3.6-compatibility/#bind-ip-compatibility).

The x.509 configuration includes:

| Option | Notes |
| --- | --- |
| [`--sslMode`](https://docs.mongodb.com/v4.2/reference/program/mongod/#cmdoption-mongod-sslmode) | Specify `requireSSL`. |
| [`--sslPEMKeyFile`](https://docs.mongodb.com/v4.2/reference/program/mongod/#cmdoption-mongod-sslpemkeyfile) | The instance's x.509 certificate. |
| [`--sslCAFile`](https://docs.mongodb.com/v4.2/reference/program/mongod/#cmdoption-mongod-sslcafile) | Certificate Authority file to verify the certificates presented to the instance. |

### Procedures

#### Add x.509 Certificate `subject` as a User

To authenticate with a client certificate, you must first add the value of the `subject` from the client certificate as a MongoDB user to the `$external` database. Each unique x.509 client certificate corresponds to a single MongoDB user; i.e. you cannot use a single client certificate to authenticate more than one MongoDB user.

*Changed in version 3.6.3:* To use sessions with `$external` authentication users (i.e. Kerberos, LDAP, x.509 users), the usernames cannot be greater than 10k bytes.

NOTE

The RDNs in the `subject` string must be compatible with the [RFC2253](https://www.ietf.org/rfc/rfc2253.txt) standard.

1. You can retrieve the `RFC2253` formatted `subject` from the client certificate with the following command:

   ```
   openssl x509 -in <pathToClientPEM> -inform PEM -subject -nameopt RFC2253
   ```

   The command returns the `subject` string as well as the certificate:

   ```
   subject= CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry
   -----BEGIN CERTIFICATE-----
   # ...
   -----END CERTIFICATE-----
   ```

2. Add the `RFC2253` compliant value of the `subject` as a user. Omit spaces as needed.

   For example, the following adds a user and grants the user the [`readWrite`](https://docs.mongodb.com/v4.2/reference/built-in-roles/#readWrite) role in the `test` database and the [`userAdminAnyDatabase`](https://docs.mongodb.com/v4.2/reference/built-in-roles/#userAdminAnyDatabase) role:

   ```
   db.getSiblingDB("$external").runCommand(
     {
       createUser: "CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry",
       roles: [
            { role: "readWrite", db: "test" },
            { role: "userAdminAnyDatabase", db: "admin" }
       ],
       writeConcern: { w: "majority" , wtimeout: 5000 }
     }
   )
   ```

See [Manage Users and Roles](https://docs.mongodb.com/v4.2/tutorial/manage-users-and-roles/) for details on adding a user with roles.
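The following is an added Python example, not code from the MongoDB documentation. It applies the client-certificate rules from the Prerequisites and the procedure above as a pre-flight check before the `createUser` command is run: it parses the `subject=` line printed by `openssl x509 -subject -nameopt RFC2253`, verifies that the client's `O`/`OU`/`DC` combination differs from the member certificate (and from `tlsX509ClusterAuthDNOverride`, when set), removes the optional spaces to form the username, enforces the 10k-byte username limit, and builds the `$external` user document. All DNs and the openssl output are constructed sample values.

```python
import json
import re

# RFC 2253 separates RDNs with ',' and the attributes of one multi-valued RDN
# with '+'; a backslash escapes either, so split only on unescaped separators.
_RDN_SEP = re.compile(r"(?<!\\),")
_AVA_SEP = re.compile(r"(?<!\\)\+")
_AVA = re.compile(r"^\s*([A-Za-z0-9.]+)\s*=\s*(.*?)\s*$")

# The tutorial's limit for $external usernames used with sessions is "10k bytes";
# it is read here as 10,000 bytes (assumption) so the check errs on the strict side.
MAX_EXTERNAL_USERNAME_BYTES = 10_000


def parse_rfc2253(dn):
    """Parse an RFC 2253 DN into a list of RDNs, each a list of (type, value).

    Types are upper-cased; escaped separators such as 'a\\,b' stay in the value.
    """
    rdns = []
    for rdn in _RDN_SEP.split(dn):
        avas = []
        for ava in _AVA_SEP.split(rdn):
            m = _AVA.match(ava)
            if not m:
                raise ValueError("malformed RDN attribute: %r" % ava)
            avas.append((m.group(1).upper(), m.group(2)))
        rdns.append(avas)
    return rdns


def subject_from_openssl(output):
    """Return the DN from the 'subject= ...' line of `openssl x509 -subject` output."""
    for line in output.splitlines():
        if line.lstrip().startswith("subject="):
            return line.split("=", 1)[1].strip()
    raise ValueError("no subject= line in openssl output")


def mongodb_username(dn):
    """The username form of the subject: RFC 2253 with the optional spaces removed."""
    return ",".join("+".join("%s=%s" % ava for ava in rdn) for rdn in parse_rfc2253(dn))


def org_identity(dn):
    """The (O, OU, DC) attribute multiset; only these decide cluster membership."""
    return sorted(ava for rdn in parse_rfc2253(dn) for ava in rdn if ava[0] in ("O", "OU", "DC"))


def check_client_subject(client_dn, member_dn, dn_override=None):
    """Return the problems that would make the subject unusable as a client user.

    An empty list means the O/OU/DC combination differs from the member certificate
    (and from tlsX509ClusterAuthDNOverride, when given), so the server will neither
    reject the connection nor treat it as a cluster member, and the username fits.
    """
    problems = []
    identity = org_identity(client_dn)
    if identity == org_identity(member_dn):
        problems.append("O/OU/DC combination matches the member certificate")
    if dn_override is not None and identity == org_identity(dn_override):
        problems.append("O/OU/DC combination matches tlsX509ClusterAuthDNOverride")
    if len(mongodb_username(client_dn).encode("utf-8")) > MAX_EXTERNAL_USERNAME_BYTES:
        problems.append("username exceeds the 10k-byte limit for $external users")
    return problems


def create_user_command(client_dn, roles):
    """Build the createUser document to run against the $external database."""
    return {
        "createUser": mongodb_username(client_dn),
        "roles": roles,
        "writeConcern": {"w": "majority", "wtimeout": 5000},
    }


# Constructed sample: what `openssl x509 -subject -nameopt RFC2253` prints for the
# tutorial's client certificate, with the certificate body elided.
OPENSSL_OUTPUT = """subject= CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
"""
# Constructed member (server) certificate subject: same O as the client, different OU.
MEMBER_DN = "CN=mongod1.example.net,OU=Cluster,O=myOrg,L=myLocality,ST=myState,C=myCountry"

if __name__ == "__main__":
    client_dn = subject_from_openssl(OPENSSL_OUTPUT)
    problems = check_client_subject(client_dn, MEMBER_DN)
    if problems:
        raise SystemExit("refusing to add user: " + "; ".join(problems))
    command = create_user_command(client_dn, [{"role": "readWrite", "db": "test"},
                                              {"role": "userAdminAnyDatabase", "db": "admin"}])
    print('db.getSiblingDB("$external").runCommand(%s)' % json.dumps(command, indent=2))
```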

### Procedures

#### Add x.509 Certificate `subject` as a User

To authenticate with a client certificate, you must first add the value of the `subject` from the client certificate as a MongoDB user in the `$external` database. Each x.509 client certificate corresponds to a single MongoDB user; that is, you cannot use one client certificate to authenticate more than one MongoDB user.

*Changed in version 3.6.3:* To use sessions with `$external` authentication users (such as Kerberos, LDAP, or x.509 users), the usernames cannot be greater than 10k bytes.

> Note: The RDNs in the `subject` string must be compatible with the [RFC2253](https://www.ietf.org/rfc/rfc2253.txt) standard.

You can retrieve the `RFC2253` formatted `subject` from the client certificate with the following command:

```
openssl x509 -in <pathToClientPEM> -inform PEM -subject -nameopt RFC2253
```

The command returns the `subject` string as well as the certificate:

```
subject= CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry
-----BEGIN CERTIFICATE-----
# ...
-----END CERTIFICATE-----
```

#### Authenticate with a x.509 Certificate (Using `tls` Options)

NOTE

The procedures in this section use the `tls` settings/option (Available in MongoDB 4.2). For procedures using their `ssl` aliases, see [Authenticate with a x.509 Certificate (Using ssl Options)](https://docs.mongodb.com/v4.2/tutorial/configure-x509-client-authentication/#authenticate-with-x509-cert-ssl).

The `tls` settings/options provide **identical** functionality as the `ssl` options since MongoDB has always supported TLS 1.0 and later.

After you have [added the x.509 client certificate subject as a corresponding MongoDB user](https://docs.mongodb.com/v4.2/tutorial/configure-x509-client-authentication/#addx509subjectuser), you can authenticate with the client certificate.

To authenticate during connection:

```
mongo --tls --tlsCertificateKeyFile <path to client PEM file> --tlsCAFile <path to root CA PEM file>  --authenticationDatabase '$external' --authenticationMechanism MONGODB-X509
```

| Option                                                                                                                        | Notes                                                                                                                                                          |
| ----------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [`--tls`](https://docs.mongodb.com/v4.2/reference/program/mongo/#cmdoption-mongo-tls)                                         |                                                                                                                                                                |
| [`--tlsCertificateKeyFile`](https://docs.mongodb.com/v4.2/reference/program/mongo/#cmdoption-mongo-tlscertificatekeyfile)     | Client’s x.509 file.                                                                                                                                           |
| [`--tlsCAFile`](https://docs.mongodb.com/v4.2/reference/program/mongo/#cmdoption-mongo-tlscafile)                             | Certificate Authority file to verify the certificate presented by the [`mongod`](https://docs.mongodb.com/v4.2/reference/program/mongod/#bin.mongod) instance. |
| [`--authenticationDatabase`](https://docs.mongodb.com/v4.2/reference/program/mongo/#cmdoption-mongo-authenticationdatabase)   | Specify `'$external'`.                                                                                                                                         |
| [`--authenticationMechanism`](https://docs.mongodb.com/v4.2/reference/program/mongo/#cmdoption-mongo-authenticationmechanism) | Specify `MONGODB-X509`.                                                                                                                                        |

#### Authenticate with an x.509 Certificate (Using `tls` Options)

> Note: The procedures in this section use the `tls` settings/options (available in MongoDB 4.2). For procedures using the `ssl` aliases, see [Authenticate with an x.509 Certificate (Using ssl Options)](https://docs.mongodb.com/v4.2/tutorial/configure-x509-client-authentication/#authenticate-with-x509-cert-ssl).

The `tls` settings/options provide the same functionality as the `ssl` options, since MongoDB has always supported TLS 1.0 and later.

After you have [added the x.509 client certificate subject as a corresponding MongoDB user](https://docs.mongodb.com/v4.2/tutorial/configure-x509-client-authentication/#addx509subjectuser), you can authenticate with the client certificate.

To authenticate during connection:

```
mongo --tls --tlsCertificateKeyFile <path to client PEM file> --tlsCAFile <path to root CA PEM file>  --authenticationDatabase '$external' --authenticationMechanism MONGODB-X509
```

| Option | Notes |
| --- | --- |
| [`--tls`](https://docs.mongodb.com/v4.2/reference/program/mongo/#cmdoption-mongo-tls) | |
| [`--tlsCertificateKeyFile`](https://docs.mongodb.com/v4.2/reference/program/mongo/#cmdoption-mongo-tlscertificatekeyfile) | Client's x.509 file. |
| [`--tlsCAFile`](https://docs.mongodb.com/v4.2/reference/program/mongo/#cmdoption-mongo-tlscafile) | Certificate Authority file to verify the certificate presented by the [`mongod`](https://docs.mongodb.com/v4.2/reference/program/mongod/#bin.mongod) instance. |
| [`--authenticationDatabase`](https://docs.mongodb.com/v4.2/reference/program/mongo/#cmdoption-mongo-authenticationdatabase) | Specify `'$external'`. |
| [`--authenticationMechanism`](https://docs.mongodb.com/v4.2/reference/program/mongo/#cmdoption-mongo-authenticationmechanism) | Specify `MONGODB-X509`. |

#### Authenticate with a x.509 Certificate (Using `ssl` Options)

NOTE

The procedures in this section use the `ssl` settings/options. For procedures using their `tls` (Available in MongoDB 4.2) aliases, see [Authenticate with a x.509 Certificate (Using tls Options)](https://docs.mongodb.com/v4.2/tutorial/configure-x509-client-authentication/#authenticate-with-x509-cert).

The `tls` settings/options provide **identical** functionality as the `ssl` options since MongoDB has always supported TLS 1.0 and later.

After you have [added the x.509 client certificate subject as a corresponding MongoDB user](https://docs.mongodb.com/v4.2/tutorial/configure-x509-client-authentication/#addx509subjectuser), you can authenticate with the client certificate.

To authenticate during connection:

```
mongo --ssl --sslPEMKeyFile <path to CA signed client PEM file> --sslCAFile <path to root CA PEM file>  --authenticationDatabase '$external' --authenticationMechanism MONGODB-X509
```

| Option                                                                                                                        | Notes                                                                                                                                                                                                                                     |
| ----------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [`--ssl`](https://docs.mongodb.com/v4.2/reference/program/mongo/#cmdoption-mongo-ssl)                                         |                                                                                                                                                                                                                                           |
| [`--sslPEMKeyFile`](https://docs.mongodb.com/v4.2/reference/program/mongo/#cmdoption-mongo-sslpemkeyfile)                     | Client’s x.509 file.                                                                                                                                                                                                                      |
| [`--sslCAFile`](https://docs.mongodb.com/v4.2/reference/program/mongo/#cmdoption-mongo-sslcafile)                             | Certificate Authority file to verify the certificate presented by [`mongod`](https://docs.mongodb.com/v4.2/reference/program/mongod/#bin.mongod)/[`mongos`](https://docs.mongodb.com/v4.2/reference/program/mongos/#bin.mongos) instance. |
| [`--authenticationDatabase`](https://docs.mongodb.com/v4.2/reference/program/mongo/#cmdoption-mongo-authenticationdatabase)   | Specify `'$external'`.                                                                                                                                                                                                                    |
| [`--authenticationMechanism`](https://docs.mongodb.com/v4.2/reference/program/mongo/#cmdoption-mongo-authenticationmechanism) | Specify `MONGODB-X509`.                                                                                                                                                                                                                   |

#### Authenticate with an x.509 Certificate (Using `ssl` Options)

> Note: The procedures in this section use the `ssl` settings/options. For procedures using the `tls` aliases (available in MongoDB 4.2), see [Authenticate with an x.509 Certificate (Using tls Options)](https://docs.mongodb.com/v4.2/tutorial/configure-x509-client-authentication/#addx509subjectuser).
>
> The `tls` settings/options provide the same functionality as the `ssl` options, since MongoDB has always supported TLS 1.0 and later.

After you have [added the x.509 client certificate subject as a corresponding MongoDB user](https://docs.mongodb.com/v4.2/tutorial/configure-x509-client-authentication/#addx509subjectuser), you can authenticate with the client certificate.

To authenticate during connection:

```
mongo --ssl --sslPEMKeyFile <path to CA signed client PEM file> --sslCAFile <path to root CA PEM file>  --authenticationDatabase '$external' --authenticationMechanism MONGODB-X509
```

| Option | Notes |
| --- | --- |
| [`--ssl`](https://docs.mongodb.com/v4.2/reference/program/mongo/#cmdoption-mongo-ssl) | |
| [`--sslPEMKeyFile`](https://docs.mongodb.com/v4.2/reference/program/mongo/#cmdoption-mongo-sslpemkeyfile) | Client's x.509 file. |
| [`--sslCAFile`](https://docs.mongodb.com/v4.2/reference/program/mongo/#cmdoption-mongo-sslcafile) | Certificate Authority file to verify the certificate presented by the [`mongod`](https://docs.mongodb.com/v4.2/reference/program/mongod/#bin.mongod) / [`mongos`](https://docs.mongodb.com/v4.2/reference/program/mongos/#bin.mongos) instance. |
| [`--authenticationDatabase`](https://docs.mongodb.com/v4.2/reference/program/mongo/#cmdoption-mongo-authenticationdatabase) | Specify `'$external'`. |
| [`--authenticationMechanism`](https://docs.mongodb.com/v4.2/reference/program/mongo/#cmdoption-mongo-authenticationmechanism) | Specify `MONGODB-X509`. |

Original English text: <https://docs.mongodb.com/v4.2/tutorial/configure-x509-client-authentication/>

Translator: 管祥青
