From 878d528944dd933642266bec826b22cabcd1f69b Mon Sep 17 00:00:00 2001 From: norareidy Date: Tue, 15 Jul 2025 16:31:30 -0400 Subject: [PATCH 1/2] DOCSP-51853: Update client certificate info --- source/connect/tls.txt | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/source/connect/tls.txt b/source/connect/tls.txt index fa2a7b4..0952e34 100644 --- a/source/connect/tls.txt +++ b/source/connect/tls.txt @@ -80,10 +80,10 @@ in the following ways: :manual:`SRV Connection Format ` in the {+mdb-server+} documentation. -.. _c-specify-ca-file: +.. _c-specify-client-cert: -Specify a CA File ------------------- +Specify a Client Certificate +---------------------------- When you connect to a MongoDB deployment with TLS enabled, the deployment will by default require the client to provide a client certificate issued by a certificate authority, or an authority @@ -91,7 +91,7 @@ trusted by the native certificate store in use on the server. You can provide the client certificate in the following ways: -- Setting the ``tlscertificatekeyfile`` parameter in your connection string to a ``.pem`` file containing the root certificate chain +- Setting the ``tlsCertificateKeyFile`` parameter in your connection string to a ``.pem`` file containing the root certificate chain - Using the ``mongoc_uri_set_option_as_utf8()`` function to set the ``MONGOC_URI_TLSCERTIFICATEKEYFILE`` option to a ``.pem`` file containing the root certificate chain @@ -115,12 +115,6 @@ You can provide the client certificate in the following ways: :end-before: end-connect-ca-file-uri :dedent: -.. note:: - - If you don't specify a CA file when compiling against the Windows Native TLS library, the driver - will use the Windows Certificate Store. To learn more, see the :ref:`c-native-tls` - section of this guide. - .. _c-certificate-revocation: Server Certificate Verification 
@@ -199,7 +193,7 @@ and will issue an error if used. Encrypted PEM files, set by using the ``tlsCertificateKeyPassword`` URI option, are also not supported and will result in error when attempting to load them. -When ``tlsCAFile`` is set, the driver will only allow server certificates issued by one or more authorities provided. +When ``tlsCAFile`` is set, the driver will import the file to the System Local Machine Root certificate store. When no ``tlsCAFile`` is set, the driver will look up the Certificate Authority using the ``System Local Machine Root`` certificate store to confirm the provided certificate. From 9e6191973af36f0bdd9673a58718a713697d5449 Mon Sep 17 00:00:00 2001 From: norareidy Date: Tue, 15 Jul 2025 16:35:27 -0400 Subject: [PATCH 2/2] edit --- source/connect/tls.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/connect/tls.txt b/source/connect/tls.txt index 0952e34..4814567 100644 --- a/source/connect/tls.txt +++ b/source/connect/tls.txt @@ -193,7 +193,7 @@ and will issue an error if used. Encrypted PEM files, set by using the ``tlsCertificateKeyPassword`` URI option, are also not supported and will result in error when attempting to load them. -When ``tlsCAFile`` is set, the driver will import the file to the System Local Machine Root certificate store. +When ``tlsCAFile`` is set, the driver will import the file to the ``System Local Machine Root`` certificate store. When no ``tlsCAFile`` is set, the driver will look up the Certificate Authority using the ``System Local Machine Root`` certificate store to confirm the provided certificate.
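Review bot: the label rename from ``c-specify-ca-file`` to ``c-specify-client-cert`` in the ``@@ -80,10 +80,10 @@`` hunk will break any ``:ref:`` that still targets the old label. Search the source tree for ``c-specify-ca-file`` and update those references in this same change. With the section retitled, the page also no longer has a section on specifying a CA file, although later text in this file still relies on ``tlsCAFile``, so consider adding a separate client certificate section instead of replacing the CA file one.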
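Review bot: the corrected ``tlsCertificateKeyFile`` bullet in the ``@@ -91,7 +91,7 @@`` hunk still describes the value as "a ``.pem`` file containing the root certificate chain", which is CA file wording left over from the old section. ``tlsCertificateKeyFile`` points to the client certificate and its private key, so under the new "Specify a Client Certificate" heading both this bullet and the unchanged ``MONGOC_URI_TLSCERTIFICATEKEYFILE`` bullet below it should say so. A reader who follows the current text would supply the wrong file.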
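Review bot: the code include that remains above the deleted note in the ``@@ -115,12 +115,6 @@`` hunk is still delimited by ``:end-before: end-connect-ca-file-uri``, so the example under the new client certificate heading may still be the CA file snippet. Confirm the included code sets ``tlsCertificateKeyFile`` and rename the markers to match. The deleted note was also this section's only pointer to ``c-native-tls`` and the Windows Certificate Store fallback, so check that the behaviour is still reachable from wherever CA files are now described.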
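Review bot: the new ``tlsCAFile`` sentence in the ``@@ -199,7 +193,7 @@`` hunk drops the statement that the driver only accepts server certificates issued by the provided authorities and replaces it with a side effect, importing the file into the System Local Machine Root store, without saying what that means for verification. If the import is accurate, the text should say whether it persists after the process exits and whether it changes trust for other applications on the machine, because that is the detail an operator needs before pointing the driver at a private CA. Patch 2/2 only fixes the literal markup on the store name and could be squashed into this patch.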