DOCS-12092: clarify --kmipServerName and KMIP server certificate

kay-kim · kay-kim · commit 1741083ddbc4 · 2018-11-13T13:39:04.000-05:00
diff --git a/source/includes/options-mongod.yaml b/source/includes/options-mongod.yaml
@@ -2127,6 +2127,13 @@ description: |
    Hostname or IP address of key management solution running a KMIP
    server. Requires :setting:`enableEncryption` to be true.
 
+   When connecting to the KMIP server, the :binary:`~bin.mongod`
+   verifies that the specified {{role}} matches the ``SAN`` (or, if
+   ``SAN`` is not present, the ``CN``) in the certificate presented by
+   the KMIP server. If ``SAN`` is present, :binary:`~bin.mongod` does
+   not match against the ``CN``. If the hostname does not match the
+   ``SAN`` (or ``CN``), the :binary:`~bin.mongod` will fail to connect.
+
    .. include:: /includes/fact-enterprise-only-admonition.rst
 ---
 program: mongod
diff --git a/source/tutorial/configure-encryption.txt b/source/tutorial/configure-encryption.txt
@@ -86,15 +86,23 @@ To create a new key, connect :binary:`~bin.mongod` to the key manager by startin
 
 .. include:: /includes/extracts/default-bind-ip-security-additional-command-line.rst
 
+The following  operation creates a new master key in your key manager which
+:binary:`~bin.mongod` uses to encrypt the keys :binary:`~bin.mongod` generates
+for each database.
+
 .. code-block:: sh
 
    mongod --enableEncryption --kmipServerName <KMIP Server HostName> \
      --kmipPort <KMIP server port> --kmipServerCAFile ca.pem \
      --kmipClientCertificateFile client.pem
 
-This operation creates a new master key in your key manager which
-:binary:`~bin.mongod` uses to encrypt the keys :binary:`~bin.mongod` generates
-for each database.
+When connecting to the KMIP server, the :binary:`~bin.mongod` verifies
+that the specified :option:`--kmipServerName <mongod --kmipServerName>`
+matches the ``SAN`` (or, if ``SAN`` is not present, the ``CN``) in the
+certificate presented by the KMIP server. If ``SAN`` is present,
+:binary:`~bin.mongod` does not match against the ``CN``. If the
+hostname does not match the ``SAN`` (or ``CN``), the
+:binary:`~bin.mongod` will fail to connect.
 
 To verify that the key creation and usage was successful, check the log
 file. If successful, the process will log the following messages:
