New Webinar: Govern roles, shares, and data movement in Snowflake

Learn how to govern Snowflake roles, shares, and data movement without slowing delivery. Join our live webinar on controlling drift, permissions, and audit readiness.

Save your spot

Configure an encrypted database connection with TLS/SSL for MongoDB

Last updated: September 2, 2025

Tip: TLS/SSL is not required to use Liquibase Pro and MongoDB. This is only required if you are using TLS/SSL because it is active on your MongoDB server or because you are using MongoDB Atlas.

Before you begin

Procedure

1

Add the --tlsCertificateKeyFile certificate that is produced in the configuration step above to the Java keystore.

The --tlsCertificateKeyFile specifies the .pem file that contains mongosh's certificate.

Linux/macOS
sudo keytool -importcert -trustcacerts -file PATH_TO_CERT_FILE/mongodb-cert.crt -cacerts -storepass changeit -alias MongoDB
Windows
keytool -importcert -trustcacerts -file PATH_TO_CERT_FILE\\mongodb-cert.crt -cacerts -storepass changeit -alias mongodb

Note: The default password for keystore is changeit.

2

Specify your TLS connection information in the Liquibase --url argument.

Use the format mongodb+srv://<hostname>/<database>. You can pass this argument in CLI, liquibase.properties file, or set it as an environment variable.

liquibase.properties file: liquibase.command.url=mongodb://localhost:27017/lbcat?tls=true&tlsCAFile=mongodb.pem Environment variable: LIQUIBASE_COMMAND_URL=mongodb://localhost:27017/lbcat?tls=true&tlsCAFile=mongodb.pem

If you are using a Java keystore that is not the default, you must add the necessary environment variables before running Liquibase commands.

Linux/macOS
export JAVA_OPTS="-Djavax.net.ssl.keyStore=PATH_TO_KEYSTORE/cacerts -Djavax.net.ssl.keyStorePassword=PASSWORD"
Windows
set JAVA_OPTS=-Djavax.net.ssl.keyStore="PATH_TO_KEYSTORE\\cacerts" -Djavax.net.ssl.keyStorePassword=PASSWORD

Do not use setx as it adds keyStorePassword to system environment variables.

3

(Optional) Troubleshooting errors

After configuring TLS/SSL for Liquibase and MongoDB, you may come across an error that states:

Error: Could not find or load main class Files\\Java\\{jdk-version}.security.cacerts Caused by: java.lang.ClassNotFoundException: Files\\Java\\{jdk-version}.security.cacerts

This means that Liquibase is struggling to find the certification file. To resolve the issue, run the following command in the CLI.

Linux/macOS
export JAVA_OPTS=-Djavax.net.ssl.keyStore=$JAVA_HOME/lib/security/cacertsInstall drivers
Windows
set JAVA_OPTS=-Djavax.net.ssl.keyStore="%JAVA_HOME%\\lib\\security\\cacerts"