Details
- Improvement
- Resolution: Won't Do
- Major - P3
- None
- None
Description
----------------------------
Original Description
I've had to answer a few HELP tickets and mongodb-user emails about setting up TLS on mongod without using client certificates - e.g. you just want TLS like it works on the internet. If the --sslPEMKeyFile contains the full certificate chain, you shouldn't have to specify --sslCAFile at all; mongod will load all the certificates in the file and build the CA chain that way. In fact, --sslCAFile really means, "use this CA file to validate client connections". For simple deployments with normal TLS certificates issued by a commercial trusted CA, you shouldn't have to specify --sslCAFile anywhere.
For an example of where this gets confusing, you can see this user group posting: https://groups.google.com/d/msgid/mongodb-user/648dde1f-79ef-4056-85a4-7eaa2fcf8178%40googlegroups.com or HELP-7377
----------------------------
Description
Clarify the behavior and purpose of the --sslCAFile parameter of mongo.
Link to --sslCAFile Definition
Currently we note that the parameter points to the root CA certificate chain, but we don't describe the purpose or use case of the parameter.
We should:
- Add a description of what --sslCAFile should be used for:
  - "use this CA file to validate client connections"
- Note that --sslCAFile is only required if you want to use client certificates
- Note that --sslCAFile is only required if the full CA certificate chain is not included in the file specified by --sslPEMKeyFile.
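As an added example, not part of this ticket or of MongoDB's own code, the following Python script encodes the two conditions listed above together with the original description's point that mongod builds the chain from the contents of --sslPEMKeyFile. It inventories the PEM blocks of a key file or CA file, flags a CA bundle that carries a private key, and reports whether --sslCAFile is still needed. The PEM contents are constructed placeholders (no real key material), and "full chain included" is approximated by counting certificates in the file, which is an assumption of this script rather than a definition the ticket gives.

```python
"""Inventory a PEM file and apply the ticket's two rules for when --sslCAFile
is needed alongside --sslPEMKeyFile. Example code, not MongoDB's."""
import re
from typing import Dict, List

# A PEM block: BEGIN label, body, END with the same label (backreference \1).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)
PRIVATE_KEY_LABELS = {
    "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
}

# Constructed sample: a key file of the kind the ticket describes, holding the
# server's private key, its leaf certificate and one intermediate CA
# certificate. The base64 bodies are placeholders, not real key material.
SAMPLE_PEM_KEY_FILE = """\
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQD
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkq
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQsw
-----END CERTIFICATE-----
"""

# Constructed sample: the same key file with the intermediate left out.
SAMPLE_PEM_KEY_FILE_NO_CHAIN = "\n".join(SAMPLE_PEM_KEY_FILE.splitlines()[:6]) + "\n"


def pem_labels(text: str) -> List[str]:
    """Return the label of every PEM block in file order.

    Raises ValueError when a BEGIN line has no END line with the same label
    (a truncated or mis-pasted file) or when a block has an empty body."""
    begins = len(re.findall(r"^-----BEGIN ", text, re.MULTILINE))
    labels: List[str] = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        if not body.strip():
            raise ValueError(f"empty PEM block: {label}")
        labels.append(label)
    if len(labels) != begins:
        raise ValueError("unbalanced or mislabelled BEGIN/END markers")
    return labels


def inventory(text: str) -> Dict[str, int]:
    """Count private keys and certificates in a PEM file."""
    labels = pem_labels(text)
    return {
        "private_keys": sum(1 for label in labels if label in PRIVATE_KEY_LABELS),
        "certificates": labels.count("CERTIFICATE"),
    }


def check_pem_key_file(text: str) -> List[str]:
    """Problems with a file meant for --sslPEMKeyFile: exactly one private key
    and at least the server's own certificate."""
    inv = inventory(text)
    problems = []
    if inv["private_keys"] != 1:
        problems.append(f"expected exactly one private key, found {inv['private_keys']}")
    if inv["certificates"] == 0:
        problems.append("no certificate present")
    return problems


def check_ca_file(text: str) -> List[str]:
    """Problems with a file meant for --sslCAFile: it should hold only CA
    certificates. A CA bundle is routinely copied to clients, so a private key
    in it is a secret leak, not just a configuration mistake."""
    inv = inventory(text)
    problems = []
    if inv["certificates"] == 0:
        problems.append("no certificate present")
    if inv["private_keys"]:
        problems.append(f"contains {inv['private_keys']} private key(s); remove them")
    return problems


def needs_ca_file(pem_key_file_text: str, client_certificates: bool) -> bool:
    """The ticket's two rules: --sslCAFile is needed when client certificates
    are used, or when the key file does not carry the full chain. "Carries
    the chain" is approximated here as at least one certificate beyond the
    leaf (assumption); a leaf issued directly by a trusted root is complete
    with a single certificate, so a True from the second rule is a prompt to
    inspect the file rather than a verdict."""
    if client_certificates:
        return True
    return inventory(pem_key_file_text)["certificates"] < 2


if __name__ == "__main__":
    samples = [("key + chain", SAMPLE_PEM_KEY_FILE), ("key + leaf only", SAMPLE_PEM_KEY_FILE_NO_CHAIN)]
    for name, text in samples:
        print(f"{name}: {inventory(text)} problems={check_pem_key_file(text)} "
              f"needs --sslCAFile (no client certs): {needs_ca_file(text, False)}")
```

Run it directly to see the verdict for both constructed files; point `inventory` or `check_ca_file` at the text of a real file to audit an existing deployment. The certificate count cannot tell a root-issued leaf from a leaf whose intermediate is missing, so when the script reports a single certificate, confirm the chain with your usual TLS tooling before deciding that --sslCAFile is required.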