DOCS-11993 (project: Documentation)

--sslCAFile is only required if you want to use client certificates

Details

    • Improvement
    • Resolution: Won't Do
    • Major - P3
    • Server_Docs_20231030
    • None
    • manual
    • None

    Description

      ----------------------------

      Original Description

      I've had to answer a few HELP tickets and mongodb-user emails about setting up TLS on mongod without using client certificates - e.g. you just want TLS like it works on the internet. If the --sslPEMKeyFile contains the full certificate chain, you shouldn't have to specify sslCAFile at all; mongod will load all the certificates in the file and build the CA chain that way. In fact, sslCAFile really means "use this CA file to validate client connections". For simple deployments with normal TLS certificates issued by a commercial trusted CA, you shouldn't have to specify --sslCAFile anywhere.

      For an example of where this gets confusing, you can see this user group posting: https://groups.google.com/d/msgid/mongodb-user/648dde1f-79ef-4056-85a4-7eaa2fcf8178%40googlegroups.com or HELP-7377
      ----------------------------

      Description

      Clarify the behavior and purpose of the --sslCAFile parameter of mongo.

      Link to --sslCAFile Definition

      Currently we note that the parameter points to the root CA certificate chain, but we don't describe the purpose/use case of the parameter.

      We should:

      1. Add a description of what --sslCAFile should be used for
        • "use this CA file to validate client connections"
      2. Note that --sslCAFile is only required if you want to use client certificates
      3. Note that --sslCAFile is only required if the full CA certificate chain is not included in the file specified by --sslPEMKeyFile.

      Scope of changes (files that need work and how much)

      Impact to other docs outside of this product

      MVP (work and date?)

      Resources (e.g. Scope Docs, Invision)
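
The two deployments the ticket description distinguishes, written as mongod configuration files. This is an added example, not part of the ticket or of the MongoDB documentation; it uses the `net.ssl.*` configuration-file equivalents of the command-line flags, and the file paths are assumed placeholders.

```yaml
# Added example; file paths are assumed placeholders.

# Deployment A: server-authenticated TLS only, no client certificates.
# Per the ticket's description, PEMKeyFile holds the server private key,
# the server certificate and the rest of the certificate chain.
net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongodb/server-fullchain.pem   # assumed path
    # No CAFile: mongod has no CA to validate client certificates against,
    # so this layout only fits deployments that do not use them.
---
# Deployment B: clients present x.509 certificates.
# CAFile is the CA bundle used to validate those client connections.
net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongodb/server-fullchain.pem   # assumed path
    CAFile: /etc/ssl/mongodb/client-ca.pem              # assumed path
    # Reject clients that connect without presenting a certificate.
    allowConnectionsWithoutCertificates: false
```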

          People

            Unassigned
            jonathan.reams@mongodb.com Jonathan Reams

            Dates

              Created:
              Updated:
              1 year, 14 weeks, 2 days ago