Details
Description
The current MongoDB parameter sslCAFile is used for both:
1) Incoming connections to MongoDB to verify a client certificate for both regular mutual auth and the x509 auth mechanism.
2) Outgoing connections to other members of the same cluster, when they are running SSL, to verify the server certificate of the other member.
Overloading both of these uses into the same parameter prevents safely running MongoDB with a sslPEMKeyFile signed by a public CA and also allowing the use of X509 authentication.
Attachments
Issue Links
- is documented by
-
DOCS-12022 Docs for SERVER-35418: Allow specifying CAs for incoming and outgoing connections separately
-
- Closed
-
- is related to
-
DOCS-14153 Consider removing the recommendation to use a single CA for X.509
-
- Closed
-
- related to
-
SERVER-57716 Partial certificate chain in PEM causes validation failure in OCSP
-
- Closed
-