Skip to main content

Upcoming change to TLS certificates: Addition of Google Trust Services with Let's Encrypt

Diogo avatar
Written by Diogo
Updated over 2 weeks ago

Background

MongoDB Atlas requires Transport Layer Security (TLS) encryption for customer data and intra-cluster network communications. MongoDB Atlas uses Let’s Encrypt as the Certificate Authority (CA) for TLS certificates for all clusters.

Starting in June of 2025, we are adding Google Trust Services as an additional Certificate Authority for Atlas clusters to improve availability. You must ensure that your application recognizes certificates from both Let's Encrypt and Google Trust Services before this change:

  • Add GTS Root R1, R2, R3 and R4 (from Google Trust Services) into your application’s trust store. Doing this ensures your application recognizes certificates from both CAs.

  • As a best practice, avoid hardcoding or pinning intermediate certificates.

    • Hardcoding (or pinning) specific intermediate certificates introduces operational risks. If an intermediate certificate from Let’s Encrypt or Google Trust Services is rotated or replaced, and that certificate is pinned, your application might fail to connect, leading to an outage.

    • Instead of pinning intermediate certificates, pin the Root Certificate Authority (CA) certificate, if required. This ensures that your application remains operational even if intermediate certificates are updated or replaced. See the MongoDB documentation and Google Trust Services Store for more information.

You cannot control the timing of the TLS CA change; however, it will respect your configured project maintenance window.

For your reference, the root CA certificates for the Google Trust Store can be found at https://pki.goog/repository/ under the "Root CAs" section.

How to check if the certificates are present in your environment

You can verify whether these certificates are already included in your environment by following these steps:

  1. Use the following curl command to trace the connection and log the details:

    curl --trace - https://<node_hostname>:27017 | grep -i "CAfile"

  2. Once you have the path to your CA file, use the following command to check for specific root certificates:

    cat <CA File> | grep -E "GTS Root R1|GTS Root R2|GTS Root R3|GTS Root R4|ISRG Root X1"

    Replace <CA File> with the actual path to your CA file.

  3. In the output, you should look for entries similar to:

    GTS Root R1, O=Google Trust Services LLC, C=US ....R2 ....R3 GTS Root R4, O=Google Trust Services LLC, C=US

You can also use the following command which will establishes a secure TLS connection to the MongoDB Atlas cluster and retrieve the SSL/TLS certificates presented by the server. It helps in verifying the certificate chain.

openssl s_client -connect <node_hostname>:27017 -showcerts

Note: Replace <node_hostname> with the hostname of any primary or secondary node in your cluster. You can find these details in the "View Monitoring" or METRICS tab in the Atlas UI (for example, clustername-shard-00-01.xxxxx.mongodb.net).

For Linux environment

The location of the default root certificates store varies depending on operating system and SSL/TLS library used. However, on most Linux distributions, the default root certificates can be found under one of the following paths:

  • /usr/local/share/ca-certificates: Debian, Ubuntu, older RHEL, and CentOS versions

  • /etc/pki/ca-trust/source/anchors and /usr/share/pki/ca-trust-source: Fedora, newer RHEL, and CentOS versions

  • /var/lib/ca-certificates: OpenSUSE

Other certificate paths may include:

  • /etc/ssl/certs: Debian, Ubuntu

  • /etc/pki/tls/certs: RHEL, CentOS

Some certificates in these directories are likely symbolic links to files in other directories. You can use the steps mentioned above to check for the presence of GTS Root Certificates on your Linux machines.

For Azure and Windows-based virtual machines

To verify certificates in the Local Machine Trusted Root Certification Authorities store on a Windows system, you can use the following PowerShell command:

Get-ChildItem -Path Cert:\LocalMachine\Root

You can also check the Trusted Root Certification Authorities Certificate Store through the Windows GUI. For detailed instructions, see the Azure documentation on Trusted Root Certification Authorities Certificate Store.

Note: For App Services and Cloud Functions that are Azure cloud offerings, we recommend reaching out to Azure support. They can provide assistance in verifying CA certificate details from the backend environment.

For AWS environment

If your application is hosted on AWS (EC2 machine), you can check if the required CAs are already available in your environment by running the following command from the environment's CLI:

openssl x509 -in /etc/ssl/certs/ca-bundle.crt -text -noout | grep -A2 "GTS Root R"

Alternatively, if you're using AWS Certificate Manager, see the official AWS documentation to list the certificates.

Note: If your application server is running inside a container (AWS ECS/EKS) or using AWS Lamda, you must contact AWS support to verify whether the container/pod's trust store contains the GTS Root R1, R2, R3 and R4 certificates.

For Java-based applications

Java applications might use their own root certificates store or maintain their own set of trusted CAs. However, not every Java release contains the GTS Root R1, R2, R3 and R4 CA certificate.

The following table lists each Oracle Java version that does include the GTS Root R1, R2, R3 and R4 CA certificates.

Note: For some Java versions, the GTS certificates were only added in a later patch release.

Oracle Java versions

Version

Current Version?

Release

7

No

7u391 and later

8

Yes

8u381 and later

11

Yes

11.0.20 and later

17

Yes

17.0.8 and later

20

No

20.0.2 and later

21

Yes

All releases

22

No

All releases

23

Yes

All releases

We suggest checking if GTS Root R1, R2, R3 and R4 certificates are already listed in your Java trust store using the keytool (for Solaris, Linux, or macOS; or Windows). For additional details, see the Java-Security documentation.

Note: The following sections are based on the documentation for Oracle JDK, so some parts may be inapplicable to your JDK or to the custom TLS/SSL implementation you use.

  1. To list the certificates in the trust store:

    keytool -list -keystore $JAVA_HOME/lib/security/cacerts -storepass <password>

  2. To ensure if GTS Root R1, R2, R3 and R4 and ISRG Root X1 are present by filtering the output:

    keytool -list -keystore $JAVA_HOME/lib/security/cacerts -storepass <password> | grep -E "gts-root|isrg-root"

  3. If these are not part of your trust store, you may -importcerts using the keytool. For example:

    keytool -importcert -file <certificate_file> --alias <any-alias_name>

See the Enable TLS/SSL on a Connection in Java documentation for more details. For Kotlin based applications, see the Enable TLS/SSL on a Connection documentation.

For Python-based applications

  1. Locate the certificate bundle:

    • Python uses the certifi library for its CA bundle. You can find the location of this bundle with:

      python -m pip show certifi python -c "import certifi; print(certifi.where())"

      See the PyPi certifi documentation for additional details.

  2. Check for required certificates:

    • Open the CA bundle file (located in the path printed by certifi.where()) and search for GTS Root R1, R2, R3 and R4, and ISRG Root X1:

      cat <path_to_certifi_bundle> | grep -E "GTS Root R1|GTS Root R2|GTS Root R3|GTS Root R4|ISRG Root X1"

See the Configure Transport Layer Security (TLS) with Python documentation for more details.

Retrieving root certificates in Node.js

Similar to Java, Node.js maintains its own set of trusted CAs, but not every Node.js release contains the GTS Root R1, R2, R3 and R4 CA certificate.

The following table lists each Node.js version that does include the GTS Root R1, R2, R3 and R4 CA certificates.

Note: For some Node.js versions, the GTS certificates were only added in a later patch release.

Node.js versions

Version

Current Version?

Release

10

No

10.16.0 and later

11

No

11.6.0 and later

12

No

All releases

13

No

All releases

14

No

All releases

15

No

All releases

16

No

All releases

17

No

All releases

18

Yes

All releases

19

No

All releases

20

Yes

All releases

21

No

All releases

22

Yes

All releases

23

Yes

All releases

24

Yes

All releases

As previously mentioned, Node.js maintains its own list of trusted root certificates accessible through the tls.rootCertificates property. This property returns an array of PEM-encoded certificates. You can iterate through this array to check for specific certificates, such as GTS Root R1, R2, R3 and R4.

Example script:

const tls = require('tls'); // Retrieve the list of root certificates const rootCerts = tls.rootCertificates; // Check for GTS Root R1, R2, R3 and R4 const gtsRootR1 = rootCerts.find(cert => cert.includes('GTS Root R1')); ..R2 ..R3 const gtsRootR4 = rootCerts.find(cert => cert.includes('GTS Root R4')); console.log(`GTS Root R1 Trusted: ${gtsRootR1 ? 'Yes' : 'No'}`); ..R2 ..R3 console.log(`GTS Root R4 Trusted: ${gtsRootR4 ? 'Yes' : 'No'}`);

See the Node.js tls.rootCertificates Property documentation for more details.


The MongoDB drivers usually rely on the operating system's trust store (such as Windows or Linux) to validate TLS certificates, unless a custom trust store is configured for your application. If the required certificates are already included in your environment's trust store, no additional action is necessary.

Some network devices, such as firewalls or proxies, might intercept SSL connections for monitoring or filtering and present their own certificates instead of the ones from MongoDB Atlas. If these CAs are not in the trust store, you may experience an SSLHandshakeException error.

FAQs

Do the above changes apply to all cluster nodes?

The above changes apply to all Atlas dedicated tier clusters.

What changes is Atlas making with respect to the X.509 Certificate Authority?

MongoDB is onboarding Google Trust Service (GTS) as an alternative CA for Atlas. It will be actively used with Let's Encrypt Certificate Authority at no additional cost.

What is the expected timeline?

We will start making the changes from June 2025 onwards.

Are the new CA certificates cross-signed by both Let's Encrypt and Google Trust Service?

In a cluster, TLS certificates will be signed by Let’s Encrypt for some nodes and by Google Trust Services for others. Certificates will not be cross-signed.

Are these changes going to affect X509 Database authentication?

For database users leveraging X.509 certificate-based authentication within MongoDB, there is no impact. X.509 certificates are used for authenticating users accessing the MongoDB database, and this process is distinct from the TLS certificates used for securing data in transit.

Why should customers using Java and Node upgrade their patch version if the GTS certs are not present or bundled with the current language version?

If the certificates are not present with either Java JDK or Node.js bundle, then it will not do a lookup on the system-hosted CA.

To clarify, if the Google Trust Services (GTS) certificates are not bundled with the Java JDK or Node.js runtime being used, those applications might not automatically fall back to the system-hosted Certificate Authority (CA) store for verification. This means that applications using these runtimes could fail TLS connections to services that use GTS-issued certificates.

We recommend installing Node.js and Java JDK versions that include these certificates by default. If upgrading is not an option, manually import the required GTS certificates into the application's trust store. See the necessary steps mentioned earlier in the article.

Earlier communications only mentioned GTS Root R1 and R2—why are we now asking for GTS Root R3 and R4 as well? Will our setup still work?

Yes, your setup will continue to work without issues if you have already added GTS Root R1 and R2 to your application’s trust store. We’re now recommending the inclusion of GTS Root R3 and R4 in preparation for future support of TLS 1.3, which will rely on these additional roots. Adding R3 and R4 now is a proactive step to ensure long-term compatibility and minimize future updates when TLS 1.3 is adopted.

Did this answer your question?