MongoDB must include only approved trust anchors in trust stores or certificate stores managed by the organization.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| --- | --- | --- | --- | --- |
| V-279411 | MD8X-00-014000 | SV-279411r1179400_rule | CCI-004909 | medium |

Description

Public key infrastructure (PKI) certificates are certificates with visibility external to organizational systems and certificates related to the internal operations of systems, such as application-specific time services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed and not derived. A root certificate for a PKI system is an example of a trust anchor. A trust store or certificate store maintains a list of trusted root certificates.

| STIG | Date |
| --- | --- |
| MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide | 2026-02-20 |
Details
Check Text (C-279411r1179400_chk)
Check the MongoDB configuration file (default location /etc/mongod.conf) for a key named "net.tls.CAFile".
Example shown below:
net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/caToValidateClientCertificates.pem
    ocsp:
      enabled: true
      responderURL: <your organization's OCSP responder URL>
If this key is not found, this is a finding.
Fix Text (F-83869r1179399_fix)
Edit the MongoDB configuration file (default location /etc/mongod.conf) and add a key named "net.tls.CAFile" to configure the certificate trust.
Example shown below:
net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/caToValidateClientCertificates.pem
    ocsp:
      enabled: true
      responderURL: <your organization's OCSP responder URL>
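The check and fix above amount to one procedure: read mongod.conf, confirm net.tls.CAFile is present, and record a finding if it is not. The script below automates that check. It is an added example written for this page, not DISA's or MongoDB's own tooling. It assumes the configuration file uses only the indentation-nested "key: value" subset of YAML that mongod.conf examples use (no lists, anchors or flow syntax), and the two sample configurations embedded in it are constructed for illustration. Beyond the STIG's pass/fail verdict it also reports, as advisory notes rather than findings, when the referenced CA file is absent from the host or when net.tls.mode is not requireTLS, since a trust anchor that is configured but never loaded gives no protection.

```python
"""Audit a mongod.conf for net.tls.CAFile (hypothetical STIG helper, not DISA/MongoDB code)."""
import os
import re
import sys

# Constructed sample: mirrors the compliant layout shown in the STIG fix text.
SAMPLE_COMPLIANT = """\
net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/caToValidateClientCertificates.pem
"""

# Constructed sample: TLS is on, but no trust anchor is configured -> finding.
SAMPLE_MISSING = """\
net:
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
"""


def parse_simple_yaml(text):
    """Parse the indentation-nested 'key: value' subset of YAML used by mongod.conf.

    Returns nested dicts; scalar values are kept as strings. Lists, anchors,
    multi-line scalars and flow syntax are deliberately unsupported.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs for the current nesting path
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        if not sep:
            raise ValueError(f"unparseable line: {raw!r}")
        while stack and stack[-1][0] >= indent:  # climb out to the enclosing mapping
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value:
            parent[key] = value
        else:
            child = {}
            parent[key] = child
            stack.append((indent, child))
    return root


def lookup(config, dotted):
    """Resolve a dotted path such as 'net.tls.CAFile'; None if any segment is missing."""
    node = config
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def audit_ca_file(config_text, path_exists=os.path.isfile):
    """Return (finding, notes).

    finding is True exactly when the STIG check fails (net.tls.CAFile absent).
    notes carries advisory observations that do not change the verdict.
    path_exists is injectable so the audit can run against sample text offline.
    """
    cfg = parse_simple_yaml(config_text)
    ca_file = lookup(cfg, "net.tls.CAFile")
    if not isinstance(ca_file, str) or not ca_file:
        return True, ["net.tls.CAFile is not set: finding"]
    notes = []
    if not path_exists(ca_file):
        notes.append(f"CAFile {ca_file} does not exist on this host")
    if lookup(cfg, "net.tls.mode") != "requireTLS":
        notes.append("net.tls.mode is not requireTLS, so some connections may not use TLS at all")
    return False, notes


if __name__ == "__main__":
    # Usage: python audit_cafile.py [/path/to/mongod.conf]
    conf_path = sys.argv[1] if len(sys.argv) > 1 else "/etc/mongod.conf"
    with open(conf_path, encoding="utf-8") as fh:
        is_finding, advisory = audit_ca_file(fh.read())
    print("FINDING" if is_finding else "PASS", conf_path)
    for note in advisory:
        print("  note:", note)
    sys.exit(1 if is_finding else 0)
```

The parser is intentionally narrow: mongod.conf is normally hand-written in exactly this shape, and refusing anything else is safer for an audit script than silently mis-reading a construct it does not understand. The notes about file existence and net.tls.mode are the checks a reviewer would make next, but they are kept separate from the STIG verdict so the script reports the rule as written.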