---
title: Verify MongoDB SSL certificates
description: You can configure ABS to verify the validity of MongoDB server certificate, when it tries to connect with MongoDB. This is an optional check and the following diagram shows the summary of steps involved in this verification.
component: pingintelligence
version: 5.1
page_id: pingintelligence:abs_ai_engine:pingintelligence_verify_mongodb_ssl_certificates
canonical_url: https://docs.pingidentity.com/pingintelligence/5.1/abs_ai_engine/pingintelligence_verify_mongodb_ssl_certificates.html
revdate: April 3, 2024
section_ids:
  using-a-ca-signed-certificate: Using a CA-signed certificate
---

# Verify MongoDB SSL certificates

You can configure ABS to verify the validity of MongoDB server certificate, when it tries to connect with MongoDB. This is an optional check and the following diagram shows the summary of steps involved in this verification.

\+ image::pingintelligence:ROOT:pbm1606556564186.png\[alt="Steps for verification of MongoDB SSL certificate"]

Ensure the following steps are completed, so that ABS can verify MongoDB server certificate before connecting to it :

1. Check if the`mongo_ssl` parameter in the `/<pi_install_path>/pingidentity/abs/config/abs.properties` file is set true.

2. Check if the `mongo_certificate` parameter in the `/<pi_install_path>/pingidentity/abs/config/abs.properties` file is set true.

3. Import the MongoDB Server certificate into the `abs.jks` truststore, using either of the following commands as applicable. The commands prompt for a `destination keystore password`, and the password entered should be same as the `jks_password` configured in the [abs.properties](pingintelligence_abs_configuration.html) file.

   ```
   # keytool -import -file <mongodb-cert.crt> -storetype JKS -keystore /<pi_install_path>/pingidentity/abs/config/ssl/abs.jks
   ```

   If the MongoDB server certificate is in `.pem` format then use the following command to import the certificate in to the ABS truststore.

   ```
   # keytool -import -v -trustcacerts -file server.pem -keystore /<pi_install_path>/pingidentity/abs/config/ssl/abs.jks -storetype JKS
   ```

When ABS starts, it loads the certificates available in `abs.jks` truststore. If the server certificate presented by MongoDB gets validated, ABS connects with it and completes the booting.

If the SSL server certificate verification fails, ABS will not start and a `CertificateException` is thrown by ABS. The error is logged in`/<pi_install_ path>/pingidentity/abs/abs.log.`

|   |                                                                                                                                                                         |
| - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | If ABS is running and the MongoDB server certificate expires in between, it will not stop. An error message is logged in`/<pi_install_ path>/pingidentity/abs/abs.log.` |

## Using a CA-signed certificate

You can also use a CA-signed certificate to verify the MongoDB server certificate. For that, import your existing CA-signed certificate into ABS by following the instructions explained in [Import existing CA-signed certificates](pingintelligence_import_ca_signed_certificates.html). Once the certificate is imported, complete Step-1 through Step-3 above so that ABS can verify MongoDB server certificate.