@@ -57,87 +57,16 @@ ref: x509-certificate-member
5757content : |
5858
5959 Use member certificates to verify membership to a sharded
60- cluster or a replica set. Member certificates are stored in
61- :setting:`net.tls.clusterFile` and :setting:`net.tls.certificateKeyFile`.
62- Member certificate requirements:
60+ cluster or a replica set. Member certificate file paths are
61+ configured with the :setting:`net.tls.clusterFile` and
62+ :setting:`net.tls.certificateKeyFile` options. Members have the
63+ following configuration requirements:
6364
64- - A single Certificate Authority (CA) must issue all x.509
65- certificates for the members of a sharded cluster or a replica set.
66-
67- - The x.509 certificate must *not* be expired.
68-
69- .. note::
70-
71- .. include:: /includes/extracts/4.4-changes-certificate-expiry-warning.rst
72-
73- - The Distinguished Name (``DN``), found in the member certificate's
74- ``subject``, must specify a non-empty value for *at least one* of
75- the following attributes:
76-
77- - the Organization (``O``)
78- - the Organizational Unit (``OU``)
79- - the Domain Component (``DC``)
80-
81- - Each cluster member certificate must have identical ``O``\s, ``OU``\s,
82- and ``DC``\s in their :setting:`net.tls.clusterFile` and
83- :setting:`net.tls.certificateKeyFile` certificates. This also applies to
84- the :parameter:`tlsX509ClusterAuthDNOverride` value, if set. Attribute
85- order doesn't matter.
86-
87- Here's an example. The two ``DN``\s below have matching
88- specifications for ``O`` and ``OU``, and ``DC`` is not specified.
89-
90- .. code-block:: none
91-
92- CN=host1,OU=Dept1,O=MongoDB,ST=NY,C=US
93- C=US, ST=CA, O=MongoDB, OU=Dept1, CN=host2
94-
95- The following example is incorrect, because the ``DN``\s don't match. One
96- ``DN`` has two ``OU`` specifications and the other has only one ``OU``
97- specification.
98-
99- .. code-block:: none
100-
101- CN=host1,OU=Dept1,OU=Sales,O=MongoDB
102- CN=host2,OU=Dept1,O=MongoDB
103-
104- You can also specify a custom set of DN attributes and values in the configuration file using the
105- :setting:`net.tls.clusterAuthX509.attributes` setting. This is useful
106- when you wish to configure X.509 authentication with member certificates that do not have DC, O, or OU attributes in their subject DNs.
107-
108- For more information, see :ref:`x509-rotate-member-certs`.
109-
110- - Either the Common Name (``CN``) or one of the Subject Alternative
111- Name (``SAN``) entries must match the server hostname for other cluster
112- members. Starting in MongoDB 4.2, when comparing ``SAN``\s, MongoDB can
113- compare either DNS names or IP addresses. In previous versions, MongoDB
114- only compares DNS names.
115-
116- For example, the certificates for a cluster could have the
117- following ``subject``\s:
118-
119- .. code-block:: bash
120-
121- subject= CN=<myhostname1>,OU=Dept1,O=MongoDB,ST=NY,C=US
122- subject= CN=<myhostname2>,OU=Dept1,O=MongoDB,ST=NY,C=US
123- subject= CN=<myhostname3>,OU=Dept1,O=MongoDB,ST=NY,C=US
124-
125- - If the certificate used as the ``certificateKeyFile`` includes
126- ``extendedKeyUsage``, the value must include both
127- ``clientAuth`` ("TLS Web Client Authentication") and ``serverAuth``
128- ("TLS Web Server Authentication").
129-
130- .. code-block:: none
131-
132- extendedKeyUsage = clientAuth, serverAuth
133-
134- - If the certificate used as the ``clusterFile`` includes
135- ``extendedKeyUsage``, the value must include ``clientAuth``.
136-
137- .. code-block:: none
138-
139- extendedKeyUsage = clientAuth
65+ .. include:: /includes/list-cluster-x509-requirements.rst
14066
67+ The certificates have the following requirements:
68+
69+ .. include:: /includes/list-tls-certificate-requirements.rst
14170
14271
14372ref : x509-member-auth-configuration
0 commit comments