Docs-14584 add 509 certificate warning (#268)

ianf-mongodb · web-flow · commit 0bf7e12e8486 · 2022-01-11T10:33:39.000-05:00
* Docs-14584 add 509 certificate warning * DOCS-14584 init * update include verbiage * names -> name * Addressing Jason Edits #1 * Glossary update * ** * *** * Change glossary link * Use term decorator for Subject Alternative Name * Remove extra line in glossary.txt * Address Sergey comments #1 * Added ref to mongod and mongos * correct 5.0 release notes placement * Updated starting in MongoDB 5.0 * update fact-5.0-x509 ref to fact-x509... * add blank line to security-x.509.txt * update starting in version
diff --git a/source/core/security-x.509.txt b/source/core/security-x.509.txt
@@ -102,6 +102,11 @@ You can also make the TLS/SSL connection first, and then use
 For examples of both cases, see the :ref:`authenticate-with-x509-cert`
 section in :doc:`/tutorial/configure-x509-client-authentication`
 
+TLS Connection X509 Certificate Startup Warning
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: /includes/fact-x509-certificate-client-warning.rst
+
 Member x.509 Certificates
 --------------------------
 
diff --git a/source/includes/fact-x509-certificate-client-warning.rst b/source/includes/fact-x509-certificate-client-warning.rst
@@ -0,0 +1,15 @@
+Starting in MongoDB 4.4.7, :binary:`mongod` and :binary:`mongos` now 
+issue a startup warning when their certificates do not include a 
+:term:`Subject Alternative Name` attribute.
+
+The following platforms do not support common name validation:
+
+- iOS 13 and higher
+- MacOS 10.15 and higher
+- Go 1.15 and higher
+
+Clients using these platforms will not
+:ref:`authenticate <x509-client-authentication>` to 
+MongoDB servers which use X.509 certificate whose hostnames are 
+:ref:`specified by CommonName attributes 
+<KMIP-subject-alternative-name-CN>`.
diff --git a/source/reference/glossary.txt b/source/reference/glossary.txt
@@ -936,6 +936,12 @@ Glossary
       always reflect the latest changes to the system. In a database
       system, this means that any system that can provide data must
       reflect the latest writes at all times.
+   
+   Subject Alternative Name
+      Subject Alternative Name (SAN) is an extension of the X.509 
+      certificate which allows an array of values such as IP addresses 
+      and domain names that specify which resources a single security 
+      certificate may secure.
 
    sync
       The :term:`replica set` operation where members replicate data
diff --git a/source/reference/program/mongod.txt b/source/reference/program/mongod.txt
@@ -3278,6 +3278,8 @@ Encryption Key Management Options
    which it can successfully establish a connection. KMIP server
    selection occurs only at startup.
 
+   .. _KMIP-subject-alternative-name-CN:
+
    When connecting to a KMIP server, the :binary:`~bin.mongod`
    verifies that the specified :option:`--kmipServerName` matches the
    Subject Alternative Name ``SAN`` (or, if ``SAN`` is not present, the
