Configure encrypted database connection with TLS/SSL for MongoDB

Configure an encrypted database connection with TLS/SSL for MongoDB

Last updated: July 14, 2025

Tip: TLS/SSL is not required to use Liquibase Pro and MongoDB. This is only required if you are using TLS/SSL because it is active on your MongoDB server or because you are using MongoDB Atlas.

Before you begin

Configure the MongoDB instance by following Mongo's configuration guide.
Verify that it works by following Mongo's verification guide.

Procedure

Add the --tlsCertificateKeyFile certificate that is produced in the configuration step above to the Java keystore.

The --tlsCertificateKeyFile specifies the .pem file that contains mongosh's certificate.

Linux/macOS

sudo keytool -importcert -trustcacerts -file PATH_TO_CERT_FILE/mongodb-cert.crt -cacerts -storepass changeit -alias MongoDB

Windows

keytool -importcert -trustcacerts -file PATH_TO_CERT_FILE\\mongodb-cert.crt -cacerts -storepass changeit -alias mongodb

Note: The default password for keystore is changeit.

Specify your TLS connection information in the Liquibase --url argument.

Use the format mongodb+srv://<hostname>/<database>. You can pass this argument in CLI, liquibase.properties file, or set it as an environment variable.

liquibase.properties file: liquibase.command.url=mongodb://localhost:27017/lbcat?tls=true&tlsCAFile=mongodb.pem Environment variable: LIQUIBASE_COMMAND_URL=mongodb://localhost:27017/lbcat?tls=true&tlsCAFile=mongodb.pem

If you are using a Java keystore that is not the default, you must add the necessary environment variables before running Liquibase commands.

Linux/macOS

export JAVA_OPTS="-Djavax.net.ssl.keyStore=PATH_TO_KEYSTORE/cacerts -Djavax.net.ssl.keyStorePassword=PASSWORD"

Windows

set JAVA_OPTS=-Djavax.net.ssl.keyStore="PATH_TO_KEYSTORE\\cacerts" -Djavax.net.ssl.keyStorePassword=PASSWORD

Do not use setx as it adds keyStorePassword to system environment variables.

(Optional) Troubleshooting errors

After configuring TLS/SSL for Liquibase and MongoDB, you may come across an error that states:

Error: Could not find or load main class Files\\Java\\{jdk-version}.security.cacerts Caused by: java.lang.ClassNotFoundException: Files\\Java\\{jdk-version}.security.cacerts

This means that Liquibase is struggling to find the certification file. To resolve the issue, run the following command in the CLI.

Linux/macOS

export JAVA_OPTS=-Djavax.net.ssl.keyStore=$JAVA_HOME/lib/security/cacertsInstall drivers

Windows

set JAVA_OPTS=-Djavax.net.ssl.keyStore="%JAVA_HOME%\\lib\\security\\cacerts"