diff --git a/source/connect/tls.txt b/source/connect/tls.txt index fa2a7b4..4814567 100644 --- a/source/connect/tls.txt +++ b/source/connect/tls.txt @@ -80,10 +80,10 @@ in the following ways: :manual:`SRV Connection Format ` in the {+mdb-server+} documentation. -.. _c-specify-ca-file: +.. _c-specify-client-cert: -Specify a CA File ------------------- +Specify a Client Certificate +---------------------------- When you connect to a MongoDB deployment with TLS enabled, the deployment will by default require the client to provide a client certificate issued by a certificate authority, or an authority @@ -91,7 +91,7 @@ trusted by the native certificate store in use on the server. You can provide the client certificate in the following ways: -- Setting the ``tlscertificatekeyfile`` parameter in your connection string to a ``.pem`` file containing the root certificate chain +- Setting the ``tlsCertificateKeyFile`` parameter in your connection string to a ``.pem`` file containing the root certificate chain - Using the ``mongoc_uri_set_option_as_utf8()`` function to set the ``MONGOC_URI_TLSCERTIFICATEKEYFILE`` option to a ``.pem`` file containing the root certificate chain @@ -115,12 +115,6 @@ You can provide the client certificate in the following ways: :end-before: end-connect-ca-file-uri :dedent: -.. note:: - - If you don't specify a CA file when compiling against the Windows Native TLS library, the driver - will use the Windows Certificate Store. To learn more, see the :ref:`c-native-tls` - section of this guide. - .. _c-certificate-revocation: Server Certificate Verification 
@@ -199,7 +193,7 @@ and will issue an error if used. Encrypted PEM files, set by using the ``tlsCertificateKeyPassword`` URI option, are also not supported and will result in error when attempting to load them. -When ``tlsCAFile`` is set, the driver will only allow server certificates issued by one or more authorities provided. +When ``tlsCAFile`` is set, the driver will import the file to the ``System Local Machine Root`` certificate store. When no ``tlsCAFile`` is set, the driver will look up the Certificate Authority using the ``System Local Machine Root`` certificate store to confirm the provided certificate.
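Review bot: In the hunk at -80,10, renaming the label ``c-specify-ca-file`` to ``c-specify-client-cert`` will break any ``:ref:`` elsewhere in the docs that still targets the old label. Search the source tree for ``c-specify-ca-file`` and update those references in this commit. Also confirm that specifying a CA file is still documented somewhere, because the -199,7 hunk keeps describing ``tlsCAFile`` behavior.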
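Review bot: In the hunk at -91,7, the corrected ``tlsCertificateKeyFile`` bullet still says the ``.pem`` file is one "containing the root certificate chain", which is CA-file wording left over from the old heading. Under "Specify a Client Certificate" it should describe the client certificate and its private key. The unchanged ``MONGOC_URI_TLSCERTIFICATEKEYFILE`` bullet in the trailing context has the same wording and should be fixed together with it. Because this file holds a private key, a sentence on restricting its file permissions would fit here.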
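Review bot: In the hunk at -115,12, the context line ``:end-before: end-connect-ca-file-uri`` shows that the sample rendered under the renamed section is still delimited by CA-file markers. Check that the included snippet actually sets ``tlsCertificateKeyFile`` and rename the markers to match. The deleted note was also this section's pointer to ``c-native-tls``; if the Windows Certificate Store fallback it described is still accurate, move that sentence next to the ``tlsCAFile`` text instead of dropping it.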
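Review bot: In the hunk at -199,7, the new ``tlsCAFile`` sentence drops the statement that only server certificates issued by the provided authorities are accepted, and replaces it with an import into the ``System Local Machine Root`` store without describing the consequences. Since the next sentence says the same store is used when no ``tlsCAFile`` is set, readers need to be told explicitly that setting ``tlsCAFile`` adds to the trusted roots and does not restrict them. Please also state whether the import persists after the process exits, whether it needs elevated privileges, and whether it affects other applications on the machine. Minor: "import the file to" reads better as "import the file into".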