Configure an encrypted database connection with TLS/SSL for MongoDB
Last updated: July 14, 2025
Tip: TLS/SSL is not required to use Liquibase Pro and MongoDB. This is only required if you are using TLS/SSL because it is active on your MongoDB server or because you are using MongoDB Atlas.
Before you begin
Configure the MongoDB instance by following Mongo's configuration guide.
Verify that it works by following Mongo's verification guide.
Procedure
Add the --tlsCertificateKeyFile certificate that is produced in the configuration step above to the Java keystore.
The --tlsCertificateKeyFile specifies the .pem file that contains mongosh's certificate.
Linux/macOS
Windows
Note: The default password for keystore is changeit.
Specify your TLS connection information in the Liquibase --url argument.
Use the format mongodb+srv://<hostname>/<database>. You can pass this argument in CLI, liquibase.properties file, or set it as an environment variable.
liquibase.properties file:
liquibase.command.url=mongodb://localhost:27017/lbcat?tls=true&tlsCAFile=mongodb.pem
Environment variable:
LIQUIBASE_COMMAND_URL=mongodb://localhost:27017/lbcat?tls=true&tlsCAFile=mongodb.pem
If you are using a Java keystore that is not the default, you must add the necessary environment variables before running Liquibase commands.
Linux/macOS
Windows
Do not use setx as it adds keyStorePassword to system environment variables.
(Optional) Troubleshooting errors
After configuring TLS/SSL for Liquibase and MongoDB, you may come across an error that states:
Error: Could not find or load main class Files\\Java\\{jdk-version}.security.cacerts Caused by: java.lang.ClassNotFoundException: Files\\Java\\{jdk-version}.security.cacerts
This means that Liquibase is struggling to find the certification file. To resolve the issue, run the following command in the CLI.