Commit 705502e

(DOCSP-12907): add tls options to cluster config file (#337)
* (DOCSP-12907): add tls options to cluster config file
* (DOCSP-12907): fix header rows
* (DOCSP-12907): tech review feedback
* (DOCSP-12907): fix casing
* (DOCSP-12907): reorder fields
1 parent c3735fe commit 705502e

1 file changed: +216 -0 lines changed

source/reference/mms-cluster-settings-file.txt

Lines changed: 216 additions & 0 deletions
@@ -173,6 +173,222 @@ replica set member:
173173
and cannot trigger elections.
174174
- yes
175175

176+
* - ``tls.CAFile``
177+
- string
178+
- ``.pem`` file that contains the root certificate chain from the
179+
Certificate Authority. Specify the file name of the ``.pem`` file
180+
using relative or absolute paths.
181+
182+
This setting corresponds to the :manual:`net.tls.CAFile
183+
</reference/configuration-options/#net.tls.CAFile>` |mongod|
184+
replica set configuration option.
185+
- no
186+
187+
* - ``tls.certificateKeyFile``
188+
- string
189+
- ``.pem`` file that contains both the TLS certificate and key.
190+
191+
``tls.certificateKeyFile`` and ``tls.certificateSelector`` are
192+
mutually exclusive. You can only specify one.
193+
194+
This setting corresponds to the :manual:`net.tls.certificateKeyFile
195+
</reference/configuration-options/#net.tls.certificateKeyFile>`
196+
|mongod| replica set configuration option.
197+
- no
198+
199+
* - ``tls.certificateKeyFilePassword``
200+
- string
201+
- Password to de-crypt the certificate-key file.
202+
203+
Use the ``tls.certificateKeyFilePassword`` option only if the
204+
certificate-key file is encrypted. In all cases, the |mongos| or
205+
|mongod| will redact the password from all logging and reporting
206+
output.
207+
208+
This setting corresponds to the
209+
:manual:`net.tls.certificateKeyFilePassword
210+
</reference/configuration-options/#net.tls.certificateKeyFilePassword>`
211+
|mongod| replica set configuration option.
212+
- no
213+
214+
* - ``tls.certificateSelector``
215+
- string
216+
- Certificate property that the {+mdbagent+} uses to select a
217+
matching certificate from the operating system’s certificate
218+
store to use for TLS/SSL.
219+
220+
{+mcli+} accepts one of the following key-value mappings as an
221+
argument of ``tls.certificateSelector``:
222+
223+
.. list-table::
224+
:header-rows: 1
225+
226+
* - Key
227+
- Value type
228+
- Description
229+
* - ``subject``
230+
- ASCII string
231+
- The subject name or common name on the certificate.
232+
* - ``thumbprint``
233+
- hex string
234+
- A sequence of bytes, expressed as hexadecimal, used to
235+
identify a public key by its SHA-1 digest.
236+
237+
The ``thumbprint`` is sometimes referred to as a
238+
``fingerprint``.
239+
240+
``tls.certificateKeyFile`` and ``tls.certificateSelector`` are
241+
mutually exclusive. You can only specify one.
242+
243+
This setting corresponds to the
244+
:manual:`net.tls.certificateSelector
245+
</reference/configuration-options/#net.tls.certificateSelector>`
246+
|mongod| replica set configuration option.
247+
- no
248+
249+
* - ``tls.clusterCertificateSelector``
250+
- string
251+
- Certificate property that the {+mdbagent+} uses to select a
252+
matching certificate from the operating system’s certificate
253+
store to use for :manual:`internal x.509 membership
254+
authentication
255+
</core/security-internal-authentication/#internal-auth-x509>`.
256+
257+
{+mcli+} accepts one of the following key-value mappings as an
258+
argument of ``tls.clusterCertificateSelector``:
259+
260+
.. list-table::
261+
:header-rows: 1
262+
263+
* - Key
264+
- Value type
265+
- Description
266+
* - ``subject``
267+
- ASCII string
268+
- The subject name or common name on the certificate.
269+
* - ``thumbprint``
270+
- hex string
271+
- A sequence of bytes, expressed as hexadecimal, used to
272+
identify a public key by its SHA-1 digest.
273+
274+
The ``thumbprint`` is sometimes referred to as a
275+
``fingerprint``.
276+
277+
``tls.clusterCertificateSelector`` and ``tls.clusterFile`` are
278+
mutually exclusive. You can only specify one.
279+
280+
This setting corresponds to the
281+
:manual:`net.tls.clustercertificateSelector
282+
</reference/configuration-options/#net.tls.clustercertificateSelector>`
283+
|mongod| replica set configuration option.
284+
- no
285+
286+
* - ``tls.clusterFile``
287+
- string
288+
- ``.pem`` file that contains the x.509 certificate-key file for
289+
:manual:`membership authentication
290+
</tutorial/configure-x509-member-authentication/#x509-internal-authentication>`
291+
for the cluster or replica set.
292+
293+
``tls.clusterCertificateSelector`` and ``tls.clusterFile`` are
294+
mutually exclusive. You can only specify one.
295+
296+
This setting corresponds to the :manual:`net.tls.clusterFile
297+
</reference/configuration-options/#net.tls.clusterFile>`
298+
|mongod| replica set configuration option.
299+
- no
300+
301+
* - ``tls.clusterPassword``
302+
- string
303+
- The password to de-crypt the x.509 certificate-key file specified
304+
with ``tls.clusterFile``.
305+
306+
Use the ``tls.clusterPassword`` option only if the certificate-key
307+
file is encrypted. In all cases, the |mongos| or |mongod| will
308+
redact the password from all logging and reporting output.
309+
310+
This setting corresponds to the :manual:`net.tls.clusterPassword
311+
</reference/configuration-options/#net.tls.clusterPassword>`
312+
|mongod| replica set configuration option.
313+
- no
314+
315+
* - ``tls.CRLFile``
316+
- string
317+
- The ``.pem`` file that contains the Certificate Revocation List.
318+
Specify the file name of the ``.pem`` file using relative or
319+
absolute paths.
320+
321+
This setting corresponds to the :manual:`net.tls.CRLFile
322+
</reference/configuration-options/#net.tls.CRLFile>`
323+
|mongod| replica set configuration option.
324+
- no
325+
326+
* - ``tls.disabledProtocols``
327+
- string
328+
- Protocols or versions over which a MongoDB server running with
329+
TLS refuses incoming connections.
330+
331+
This setting corresponds to the :manual:`net.tls.disabledProtocols
332+
</reference/configuration-options/#net.tls.disabledProtocols>`
333+
|mongod| replica set configuration option.
334+
- no
335+
336+
* - ``tls.FIPSMode``
337+
- string
338+
- Enable or disable the use of the FIPS mode of the TLS library for
339+
the |mongos| or |mongod|. Your system must have a FIPS compliant
340+
library to use this option.
341+
342+
This setting corresponds to the :manual:`net.tls.FIPSMode
343+
</reference/configuration-options/#net.tls.FIPSMode>`
344+
|mongod| replica set configuration option.
345+
- no
346+
347+
* - ``tls.mode``
348+
- string
349+
- Enables TLS for all network connections. {+mcli+} accepts the
350+
following arguments for this setting:
351+
352+
.. list-table::
353+
:header-rows: 1
354+
:widths: 20 40
355+
356+
* - Value
357+
- Description
358+
359+
* - ``disabled``
360+
- The server does not use tls.
361+
362+
* - ``allowTLS``
363+
- Connections between servers do not use tls. For incoming
364+
connections, the server accepts both TLS and non-tls.
365+
366+
* - ``preferTLS``
367+
- Connections between servers use tls. For incoming
368+
connections, the server accepts both TLS and non-tls.
369+
370+
* - ``requireTLS``
371+
- The server uses and accepts only TLS encrypted connections.
372+
373+
This setting corresponds to the :manual:`net.tls.mode
374+
</reference/configuration-options/#net.tls.mode>`
375+
|mongod| replica set configuration option.
376+
- no
377+
378+
* - ``tls.PEMKeyFile``
379+
- string
380+
- ``.pem`` file that contains both the TLS certificate and key.
381+
382+
.. important::
383+
384+
This setting is deprecated. Use ``tls.certificateKeyFile``
385+
instead.
386+
387+
This setting corresponds to the :manual:`net.ssl.PEMKeyFile
388+
</reference/configuration-options/#net.ssl.PEMKeyFile>`
389+
|mongod| replica set configuration option.
390+
- no
391+
176392
* - ``votes``
177393
- integer
178394
- Number that indicates whether the replica set member
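Review bot: the ``tls.clusterCertificateSelector`` entry links its |mongod| counterpart as ``net.tls.clustercertificateSelector`` (lowercase "c" in both the link text and the ``#net.tls.clustercertificateSelector`` anchor), while the server option is ``net.tls.clusterCertificateSelector``; this survived the "fix casing" commit and will render with the wrong name and a dead anchor, so change both occurrences to match the casing used for ``net.tls.certificateSelector`` just above it. Two accuracy points in the same hunk: ``tls.mode`` is described as "Enables TLS for all network connections" although its own value table contains ``disabled`` and ``allowTLS``, so something like "Controls whether and how TLS is used for network connections" would be correct; and ``tls.FIPSMode`` is typed as ``string`` while the ``net.tls.FIPSMode`` option it maps to is a boolean, so either change the type or state which string values {+mcli+} accepts. ``tls.disabledProtocols`` likewise gives no accepted values; listing the protocol versions the server recognizes would let readers use it without following the link. Style: "tls" is lowercased in the ``tls.mode`` value descriptions ("does not use tls", "non-tls") but "TLS" everywhere else, and "de-crypt" in the ``tls.certificateKeyFilePassword`` and ``tls.clusterPassword`` entries should be "decrypt". Finally, those two password settings place a private-key passphrase in plaintext in the cluster configuration file; the entries say |mongod| redacts it from logs, but a sentence advising readers to restrict the file's permissions would be worth adding, since log redaction does nothing for the file itself.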
