Commit 47c74c2

author
Dave Cuthbert
authored
DOCSP-26944 BACKPORT (#2250)
* DOCSP-26944 BACKPORT * Build errors * Build errors * Build errors
1 parent 95c7648 commit 47c74c2

1 file changed

+44
-36
lines changed

source/tutorial/configure-ssl-clients.txt

Lines changed: 44 additions & 36 deletions
@@ -185,27 +185,34 @@ following options:
185185

186186
mongo --tls --host hostname.example.com --tlsCertificateKeyFile /etc/ssl/client.pem --tlsCAFile /etc/ssl/caToValidateServerCertificates.pem
187187

188-
On Windows and macOS,
189-
You can also use the :option:`--tlsCertificateSelector <mongo
190-
--tlsCertificateSelector>` option to specify the client certificate
191-
from the system certificate store instead of using
192-
:option:`--tlsCertificateKeyFile <mongo
193-
--tlsCertificateKeyFile>`. If the CA file is also in the system
194-
certificate store, you can omit the :option:`--tlsCAFile <mongo
195-
--tlsCAFile>` option as well. For example, to use a certificate
196-
with the ``CN`` (Common Name) of ``myclient.example.net`` and the CA
197-
file from the system certificate store on macOS, start a
198-
:binary:`~bin.mongo` shell with the following options:
199-
200-
.. code-block:: bash
201-
202-
mongo --tls --host hostname.example.com --tlsCertificateSelector subject="myclient.example.net"
203-
204-
Although still available, the :binary:`~bin.mongo` shell
205-
:option:`--ssl <mongo --ssl>`, :option:`--sslCAFile <mongo
206-
--sslCAFile>`, :option:`--sslPEMKeyFile <mongo --sslPEMKeyFile>`,
207-
:option:`--sslCertificateSelector <mongo --sslCertificateSelector>`
208-
are :ref:`deprecated as of MongoDB 4.2 <4.2-tls>`.
188+
Windows and macOS
189+
`````````````````
190+
191+
To specify a client certificate from the system certificate store, use
192+
the :option:`--tlsCertificateSelector <mongo
193+
--tlsCertificateSelector>` option instead of
194+
:option:`--tlsCertificateKeyFile <mongo
195+
--tlsCertificateKeyFile>`.
196+
197+
If the CA file is also in the system certificate store, you can omit the
198+
:option:`--tlsCAFile <mongo --tlsCAFile>` option.
199+
200+
For example, if a certificate with the ``CN`` (Common Name) of
201+
``myclient.example.net`` and the accompanying CA file are both in the
202+
macOS system certificate store, you can connect like this:
203+
204+
.. code-block:: bash
205+
206+
mongo --tls --host hostname.example.com --tlsCertificateSelector subject="myclient.example.net"
207+
208+
These options are :ref:`deprecated starting in MongoDB 4.2 <4.2-tls>`:
209+
210+
- ``--ssl``
211+
- ``--sslCAFile``
212+
- ``--sslPEMKeyFile``
213+
- ``--sslCertificateSelector``
214+
215+
If possible, you should use the ``tls`` alternatives instead.
209216

210217
Avoid Use of ``--tlsAllowInvalidCertificates`` Option
211218
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
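Review bot: The closing sentence of the new deprecation list ("If possible, you should use the ``tls`` alternatives instead.") reads as a simple prefix swap, but the examples in this file show that ``--sslPEMKeyFile`` corresponds to ``--tlsCertificateKeyFile``, so a reader who renames ``--sslPEMKeyFile`` to ``--tlsPEMKeyFile`` ends up with an option that the page never mentions. Suggest listing each replacement next to the deprecated option. The list also replaces the ``:option:`` roles with plain literals, which drops the cross-reference links the old paragraph had, and it now sits under the new "Windows and macOS" heading even though ``--ssl``, ``--sslCAFile`` and ``--sslPEMKeyFile`` are not specific to the system certificate store; consider moving the deprecation note above the heading or into an admonition that applies to the whole section.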
@@ -366,21 +373,22 @@ following options:
366373

367374
mongo --ssl --host hostname.example.com --sslPEMKeyFile /etc/ssl/client.pem --sslCAFile /etc/ssl/ca.pem
368375

369-
On Windows and macOS,
370-
You can also use the :option:`--sslCertificateSelector <mongo
371-
--sslCertificateSelector>` option to specify the client certificate
372-
from the system certificate store instead of using
373-
:option:`--sslPEMKeyFile <mongo --sslPEMKeyFile>`. If the CA file
374-
is also in the system certificate store, you can omit the
375-
:option:`--sslCAFile <mongo --sslCAFile>` option as well. For
376-
example, to use a certificate with the ``CN`` (Common Name) of
377-
``myclient.example.net`` and the CA file from the system certificate
378-
store on macOS, start a :binary:`~bin.mongo` shell with the
379-
following options:
380-
381-
.. code-block:: bash
382-
383-
mongo --ssl --host hostname.example.com --sslCertificateSelector subject=myclient.example.net
376+
On Windows and macOS
377+
````````````````````
378+
379+
You can also use the ``--sslCertificateSelector`` option to specify the
380+
client certificate from the system certificate store instead of using
381+
``--sslPEMKeyFile``. If the CA file is also in the system certificate
382+
store, you can omit the ``--sslCAFile`` option.
383+
384+
For example, to use a certificate with the ``CN`` (Common Name) of
385+
``myclient.example.net`` and the CA file from the system certificate
386+
store on macOS, start :binary:`~bin.mongo` with the following
387+
options:
388+
389+
.. code-block:: bash
390+
391+
mongo --ssl --host hostname.example.com --sslCertificateSelector subject=myclient.example.net
384392

385393
Avoid Use of ``--sslAllowInvalidCertificates`` Option
386394
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
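Review bot: The heading added here is "On Windows and macOS" while the matching heading in the ``tls`` section of the same commit is "Windows and macOS"; pick one form so the two sections stay parallel. The example also keeps ``subject=myclient.example.net`` unquoted, whereas the ``tls`` example uses ``subject="myclient.example.net"``, so the two selector examples should use the same quoting. As in the first hunk, the ``:option:`` roles for ``--sslCertificateSelector``, ``--sslPEMKeyFile`` and ``--sslCAFile`` became plain literals, which removes the cross-references, and this section gives no pointer to the deprecation note that the ``tls`` section now carries for these same options.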
