DOCSP-44856: x509 authentication fixes (#167)

norareidy · norareidy · commit 663f29fc3d6d · 2025-02-19T16:43:54.000-05:00
(cherry picked from commit fc77919)
diff --git a/source/fundamentals/authentication.txt b/source/fundamentals/authentication.txt
@@ -282,12 +282,22 @@ The ``MONGODB-X509`` authentication mechanism uses Transport Level Security (TLS
 with X.509 certificates to authenticate your user, which is identified
 by the relative distinguished names (RDNs) of your client certificate.
 
-When you specify this authentication mechanism, the server authenticates
-the connection by reading the following files:
+When specifying this authentication mechanism, you must provide the
+following files:
 
 - A certificate authority (CA) file, which contains one or more
-  certificate authorities to trust when making a TLS connection
-- A certificate key file, which references the client certificate private key
+  certificate authorities to trust when making a TLS connection.
+  Before connecting to the server, the driver uses this file to verify that the
+  server's certificate is from one of the specified certificate authorities.
+
+- A certificate key file, which contains the client certificate 
+  and private key. The driver presents this file to the server to
+  verify the client.
+
+.. tip::
+
+   To learn more about X.509 certificates, see
+   :manual:`x.509 </core/security-x.509/>` in the {+server+} manual.
 
 To specify the ``MONGODB-X509`` authentication mechanism, set the
 ``mechanism`` field of your ``Credential`` struct to
diff --git a/source/includes/fundamentals/code-snippets/auth.rs b/source/includes/fundamentals/code-snippets/auth.rs
@@ -74,13 +74,15 @@ async fn main() -> mongodb::error::Result<()> {
 
     // start-x509
     let uri = format!(
-        "mongodb://<hostname>:<port>/?tlsCAFile={tlsCAFile}&tlsCertificateKeyFile={tlsCertificateKeyFile}",
+        "mongodb://<hostname>:<port>/?tlsCAFile={tlsCAFile}\
+        &tlsCertificateKeyFile={tlsCertificateKeyFile}\
+        &tlsCertificateKeyFilePassword={tlsCertificateKeyFilePassword}",
         tlsCAFile = "<path to CA certificate>",
         tlsCertificateKeyFile = "<path to private client key>",
         tlsCertificateKeyFilePassword = "<password for client key>"
     );
     let mut client_options = ClientOptions::parse(uri).await?;
-    let x509_cred = Credential::builder().mechanism(AuthMechanism::MongoDbAws).build();
+    let x509_cred = Credential::builder().mechanism(AuthMechanism::MongoDbX509).build();
 
     client_options.credential = Some(x509_cred);
     let client = Client::with_options(client_options)?;
