Configure an encrypted database connection with TLS/SSL for MongoDB

Last updated: July 14, 2025

Tip: TLS/SSL is not required to use Liquibase Pro and MongoDB. This is only required if you are using TLS/SSL because it is active on your MongoDB server or because you are using MongoDB Atlas.

Before you begin

Procedure

1

Add the --tlsCertificateKeyFile certificate that is produced in the configuration step above to the Java keystore.

The --tlsCertificateKeyFile specifies the .pem file that contains mongosh's certificate.

Linux/macOS
sudo keytool -importcert -trustcacerts -file PATH_TO_CERT_FILE/mongodb-cert.crt -cacerts -storepass changeit -alias MongoDB
Windows
keytool -importcert -trustcacerts -file PATH_TO_CERT_FILE\\mongodb-cert.crt -cacerts -storepass changeit -alias mongodb

Note: The default password for keystore is changeit.

2

Specify your TLS connection information in the Liquibase --url argument.

Use the format mongodb+srv://<hostname>/<database>. You can pass this argument in CLI, liquibase.properties file, or set it as an environment variable.

liquibase.properties file: liquibase.command.url=mongodb://localhost:27017/lbcat?tls=true&tlsCAFile=mongodb.pem Environment variable: LIQUIBASE_COMMAND_URL=mongodb://localhost:27017/lbcat?tls=true&tlsCAFile=mongodb.pem

If you are using a Java keystore that is not the default, you must add the necessary environment variables before running Liquibase commands.

Linux/macOS
export JAVA_OPTS="-Djavax.net.ssl.keyStore=PATH_TO_KEYSTORE/cacerts -Djavax.net.ssl.keyStorePassword=PASSWORD"
Windows
set JAVA_OPTS=-Djavax.net.ssl.keyStore="PATH_TO_KEYSTORE\\cacerts" -Djavax.net.ssl.keyStorePassword=PASSWORD

Do not use setx as it adds keyStorePassword to system environment variables.

3

(Optional) Troubleshooting errors

After configuring TLS/SSL for Liquibase and MongoDB, you may come across an error that states:

Error: Could not find or load main class Files\\Java\\{jdk-version}.security.cacerts Caused by: java.lang.ClassNotFoundException: Files\\Java\\{jdk-version}.security.cacerts

This means that Liquibase is struggling to find the certification file. To resolve the issue, run the following command in the CLI.

Linux/macOS
export JAVA_OPTS=-Djavax.net.ssl.keyStore=$JAVA_HOME/lib/security/cacertsInstall drivers
Windows
set JAVA_OPTS=-Djavax.net.ssl.keyStore="%JAVA_HOME%\\lib\\security\\cacerts"