[DOCS-11993] --sslCAFile is only required if you want to use client certificates Created: 23/Aug/18  Updated: 30/Oct/23

Status: Closed
Project: Documentation
Component/s: manual
Affects Version/s: None
Fix Version/s: Server_Docs_20231030

Type: Improvement Priority: Major - P3
Reporter: Jonathan Reams Assignee: Unassigned
Resolution: Won't Do Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Participants:
Days since reply: 1 year, 14 weeks, 2 days ago
Epic Link: DOCSP-1769

 Description   

----------------------------

Original Description

I've had to answer a few HELP tickets and mongodb-user emails about setting up TLS on mongod without using client certificates - e.g. you just want TLS like it works on the internet. If the --sslPEMKeyFile contains the full certificate chain, you shouldn't have to specify sslCAFile at all; mongod will load all the certificates in the file and build the CA chain that way. In fact, sslCAFile really means, "use this CA file to validate client connections". For simple deployments with normal TLS certificates issued by a commercial trusted CA, you shouldn't have to specify --sslCAFile anywhere.

For an example of where this gets confusing, you can see this user group posting: https://groups.google.com/d/msgid/mongodb-user/648dde1f-79ef-4056-85a4-7eaa2fcf8178%40googlegroups.com or HELP-7377
----------------------------

Description

Clarify the behavior and purpose of the --sslCAFile parameter of mongo.

Link to --sslCAFile Definition

Currently we note that the parameter points to the root CA certificate chain, but we don't describe the purpose/use case of the parameter.

We should:

  1. Add a description of what --sslCAFile should be used for
    • "use this CA file to validate client connections"
  2. Note that --sslCAFile is only required if you want to use client certificates
  3. Note that --sslCAFile is only required if the full CA certificate chain is not included in the file specified by --sslPEMKeyFile.

Scope of changes (files that need work and how much)

Impact to other docs outside of this product

MVP (work and date?)

Resources (e.g. Scope Docs, Invision)
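
The two deployments this ticket distinguishes, sketched as mongod configuration-file fragments. This is an added example, not part of the ticket or of the MongoDB documentation; it uses the net.ssl.* configuration-file equivalents of --sslMode, --sslPEMKeyFile and --sslCAFile, and every file path is a placeholder.

```yaml
# Added example: two separate mongod.conf fragments, one per deployment.
# All file paths are placeholders.

# Deployment A: server-authenticated TLS only, no client certificates.
# server.pem holds the private key, the server certificate and the
# intermediate CA certificates, so (per the ticket description) CAFile
# is not set.
net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongod/server.pem   # key + leaf + intermediates
---
# Deployment B: clients present X.509 certificates.
# CAFile names the CA certificates used to validate those client
# connections, which is the purpose the ticket asks the docs to state.
net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongod/server.pem
    CAFile: /etc/ssl/mongod/client-ca.pem    # validates client connections
```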



 Comments   
Comment by Education Bot [ 31/Oct/22 ]

Hello! This ticket has been closed due to inactivity. If you believe this ticket is still important, please reopen it and leave a comment to explain why. Thank you!
