-
Notifications
You must be signed in to change notification settings - Fork 1.7k
/
Copy pathdb.rotateCertificates.txt
191 lines (128 loc) · 5.44 KB
/
db.rotateCertificates.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
=======================
db.rotateCertificates()
=======================
.. default-domain:: mongodb
.. contents:: On this page
:local:
:backlinks: none
:depth: 1
:class: singlecol
Definition
----------
.. versionadded:: 5.0
.. method:: db.rotateCertificates(message)
Rotates the currently used :ref:`TLS certificates
<rotated-certs-method>` for a :binary:`~bin.mongod` or
:binary:`~bin.mongos` to use the updated values for these
certificates defined in the :doc:`configuration file
</reference/configuration-options>`.
.. code-block:: javascript
db.rotateCertificates(message)
The :method:`db.rotateCertificates()` method takes the following
optional argument:
.. list-table::
:header-rows: 1
:widths: 20 20 80
* - Parameter
- Type
- Description
* - ``message``
- string
- *optional* A message logged by the server to the log file and
audit file.
The :method:`db.rotateCertificates()` method wraps the
:dbcommand:`rotateCertificates` command.
Compatibility
-------------
This method is available in deployments hosted in the following environments:
.. include:: /includes/fact-environments-no-atlas-support.rst
.. include:: /includes/fact-environments-onprem-only.rst
Output
------
The :method:`db.rotateCertificates()` method returns a document with
the following field:
.. list-table::
:header-rows: 1
:widths: 20 20 80
* - Field
- Type
- Description
* - ``ok``
- bool
- Contains the command's execution status. ``true`` on success, or
``false`` if an error occurred. If ``false``, an ``errmsg`` field
is additionally provided with a detailed error message.
Behavior
--------
.. _rotated-certs-method:
Rotation includes the following certificates:
- :setting:`TLS Certificates <net.tls.certificateKeyFile>`
- :setting:`CRL (Certificate Revocation List) files <net.tls.CRLFile>`
(on Linux and Windows platforms)
- :setting:`CA (Certificate Authority) files <net.tls.CAFile>`
To rotate one or more of these certificates:
#. Replace the certificate or certificates you wish to rotate on the
filesystem, noting the following constraints:
- Each new certificate must have the *same filename* and
*same filepath* as the certificate it is replacing.
- If rotating an encrypted :setting:`TLS Certificate
<net.tls.certificateKeyFile>`, its password must be the same as
the password for the old certificate (as specified to the
:setting:`~net.tls.certificateKeyFilePassword` configuration file
setting). Certificate rotation does not support the interactive
password prompt.
#. Connect :binary:`~bin.mongosh` to the :binary:`~bin.mongod` or
:binary:`~bin.mongos` instance that you wish to perform certificate
rotation on.
#. Run :method:`db.rotateCertificates()` to rotate the certificates used
by the :binary:`~bin.mongod` or :binary:`~bin.mongos` instance.
When certificate rotation takes place:
- Existing connections to the :binary:`~bin.mongod` or
:binary:`~bin.mongos` instance are not terminated, and will continue
to use the old certificates.
- Any new connections will use the new certificates.
If you have configured :parameter:`OCSP <ocspEnabled>` for your
deployment, the :method:`db.rotateCertificates()` method will also fetch
stapled OCSP responses during rotation.
The :method:`db.rotateCertificates()` method may be run on a running
:binary:`~bin.mongod` or :binary:`~bin.mongos` regardless of replication
status.
Only one instance of :method:`db.rotateCertificates()` or
:dbcommand:`rotateCertificates` may run on each :binary:`~bin.mongod` or
:binary:`~bin.mongos` process at a time. Attempting to initiate a second
instance while one is already running will result in an error.
Incorrect, expired, revoked, or missing certificate files will cause the
certificate rotation to fail, but will not invalidate the existing
TLS configuration or terminate the running :binary:`~bin.mongod` or
:binary:`~bin.mongos` process.
If the :binary:`~bin.mongod` or :binary:`~bin.mongos` is running with
:option:`--tlsCertificateSelector <mongod --tlsCertificateSelector>` set
to ``thumbprint``, :method:`db.rotateCertificates()` will fail and write
a warning message to the log file.
Logging
-------
On successful rotation, the subject names, thumbprints, and the
validity period of the server and cluster certificate thumbprints are
logged to the configured :ref:`log destination
<log-message-destinations>`. If :ref:`auditing <auditing>` is
enabled, this information is also written to the audit log.
On Linux and Windows platforms, if a :setting:`CRL file
<net.tls.CRLFile>` is present, its thumbprint and validity period are
also logged to these locations.
Required Access
---------------
.. |rotate-op| replace:: :method:`db.rotateCertificates()` method
.. include:: /includes/access-rotate-certificates.rst
Example
-------
The following operation rotates the certificates on a running
:binary:`~bin.mongod` instance, after having made the appropriate
updates to the configuration file to specify the updated certificate
information:
.. code-block:: javascript
db.rotateCertificates()
The following performs the same as above, but also writes a custom log
message at rotation time to the :ref:`log file
<log-message-destinations>` and :ref:`audit file <auditing>`:
.. code-block:: javascript
db.rotateCertificates("message": "Rotating certificates")