Connecting
PHP Manual

Connecting over SSL

The driver supports connecting to » MongoDB over SSL and can optionally use SSL Stream Context options to provide more details, such as verifying certificates against specific certificate chain, or authenticate to » MongoDB using X509 certificates.

Example #1 Connect to MongoDB Instance with SSL Encryption

<?php
$mc = new MongoClient("mongodb://server1", array("ssl" => true));
?>

Example #2 Connect to MongoDB Instance with SSL Encryption, verifying it is who we think it is

<?php
$SSL_DIR "/vagrant/certs";
$SSL_FILE "CA_Root_Certificate.pem";

$ctx stream_context_create(array(
    "ssl" => array(
        /* Certificate Authority the remote server certificate must be signed by */
        "cafile"            => $SSL_DIR "/" $SSL_FILE,

        /* Disable self signed certificates */
        "allow_self_signed" => false,

        /* Verify the peer certificate against our provided Certificate Authority root certificate */
        "verify_peer"       => true/* Default to false pre PHP 5.6 */

        /* Verify the peer name (e.g. hostname validation) */
        /* Will use the hostname used to connec to the node */
        "verify_peer_name"  => true,

        /* Verify the server certificate has not expired */
        "verify_expiry"     => true/* Only available in the MongoDB PHP Driver */
    ),
);

$mc = new MongoClient(
    "mongodb://server1"
    array("ssl" => true), 
    array("context" => $ctx)
);
?>

Note:

The "verify_peer_name" is new in PHP 5.6.0. The MongoDB driver as of 1.6.5 however has backported this feature into the driver itself, so it works with PHP 5.3 and 5.4 too

Example #3 Connect to MongoDB Instance that Requires Client Certificates

<?php
$SSL_DIR  "/vagrant/certs";
$SSL_FILE "CA_Root_Certificate.pem";

$MYCERT   "/vagrant/certs/ca-signed-client.pem";

$ctx stream_context_create(array(
    "ssl" => array(
        "local_cert"        => $MYCERT,
        /* If the certificate we are providing was passphrase encoded, we need to set it here */
        "passphrase"        => "My Passphrase for the local_cert",

        /* Optionally verify the server is who he says he is */
        "cafile"            => $SSL_DIR "/" $SSL_FILE,
        "allow_self_signed" => false,
        "verify_peer"       => true,
        "verify_peer_name"  => true,
        "verify_expiry"     => true,
    ),
));

$mc = new MongoClient(
    "mongodb://server1/?ssl=true"
    array(), 
    array("context" => $ctx)
);
?>

Example #4 Authenticating with X.509 certificates

The username is the certificate subject from the X509, which can be extracted like this: 

openssl x509 -in /vagrant/certs/ca-signed-client.pem -inform PEM -subject -nameopt RFC2253
<?php
$ctx stream_context_create( array(
    "ssl" => array(
        "local_cert" => "/vagrant/certs/ca-signed-client.pem",
    )
) );

$mc = new MongoClient(
    'mongodb://username@server1/?authSource=$external&authMechanism=MONGODB-X509&ssl=true'
    array(), 
    array("context" => $ctx)
);
?>

Where username is the certificate subject.

Changelog

Version Description
1.5.0 Added support for X509 authentication.
1.4.0 Added support for connecting to SSL enabled MongoDB.