diff --git a/source/fundamentals/authentication.txt b/source/fundamentals/authentication.txt index fdcbb4a1..9ebabc38 100644 --- a/source/fundamentals/authentication.txt +++ b/source/fundamentals/authentication.txt @@ -282,12 +282,22 @@ The ``MONGODB-X509`` authentication mechanism uses Transport Level Security (TLS with X.509 certificates to authenticate your user, which is identified by the relative distinguished names (RDNs) of your client certificate. -When you specify this authentication mechanism, the server authenticates -the connection by reading the following files: +When specifying this authentication mechanism, you must provide the +following files: - A certificate authority (CA) file, which contains one or more - certificate authorities to trust when making a TLS connection -- A certificate key file, which references the client certificate private key + certificate authorities to trust when making a TLS connection. + Before connecting to the server, the driver uses this file to verify that the + server's certificate is from one of the specified certificate authorities. + +- A certificate key file, which contains the client certificate + and private key. The driver presents this file to the server to + verify the client. + +.. tip:: + + To learn more about X.509 certificates, see + :manual:`x.509 ` in the {+server+} manual. To specify the ``MONGODB-X509`` authentication mechanism, set the ``mechanism`` field of your ``Credential`` struct to diff --git a/source/includes/fundamentals/code-snippets/auth.rs b/source/includes/fundamentals/code-snippets/auth.rs index da701da9..824fdfc5 100644 --- a/source/includes/fundamentals/code-snippets/auth.rs +++ b/source/includes/fundamentals/code-snippets/auth.rs 
@@ -74,13 +74,15 @@ async fn main() -> mongodb::error::Result<()> { // start-x509 let uri = format!( - "mongodb://:/?tlsCAFile={tlsCAFile}&tlsCertificateKeyFile={tlsCertificateKeyFile}", + "mongodb://:/?tlsCAFile={tlsCAFile}\ + &tlsCertificateKeyFile={tlsCertificateKeyFile}\ + &tlsCertificateKeyFilePassword={tlsCertificateKeyFilePassword}", tlsCAFile = "", tlsCertificateKeyFile = "", tlsCertificateKeyFilePassword = "" ); let mut client_options = ClientOptions::parse(uri).await?; - let x509_cred = Credential::builder().mechanism(AuthMechanism::MongoDbAws).build(); + let x509_cred = Credential::builder().mechanism(AuthMechanism::MongoDbX509).build(); client_options.credential = Some(x509_cred); let client = Client::with_options(client_options)?;
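Review bot: The new `&tlsCertificateKeyFilePassword={tlsCertificateKeyFilePassword}` segment of the `format!` string puts the private-key passphrase into the connection URI as-is, and the snippet gives readers no hint about encoding or storage. A passphrase containing reserved URI characters such as `&`, `%` or `#` needs percent-encoding before interpolation, otherwise `ClientOptions::parse` may reject the string or read the value wrongly. A URI that carries a secret also tends to be copied into logs and configuration files. I would add a comment above `let uri = format!(`, for example `// Percent-encode the key file password, and load it from the environment or a secret store instead of hard-coding it.` The body of `main` starts and ends outside this hunk.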