Certificate Authorities(CAs) loaded into MongoDB processes are used to validate certificates presented by clients. Client certificates can be used to prove clients were granted a certificate before they connected, perform client authentication, or perform intra-cluster authentication, or perform authorization.

It would be useful to be able to restrict how certificates issued by a particular CA, or CAs it has delegated signing authority to, may be used. This could be done by adding a configuration option to MongoDB which would accept a mapping from CA Serial Numbers to the list of actions that the CA may be used for.