mongodb · kay-kim · Sep 12, 2018 · Sep 7, 2018
diff --git a/source/includes/extracts-tls-facts.yaml b/source/includes/extracts-tls-facts.yaml
@@ -0,0 +1,107 @@
+ref: tls-facts-x509-invalid-certificate
+content: |
+
+   If you specify
+   ``--tlsAllowInvalidCertificates`` or ``tls.allowInvalidCertificates:
+   true`` when using x.509 authentication, an invalid certificate is
+   only sufficient to establish a TLS connection but is
+   *insufficient* for authentication.
+
+---
+# This is separate from the mongo shell ca file extract since the version is different.
+ref: tls-facts-ca-file
+content: |
+
+   If ``--tlsCAFile`` or ``tls.CAFile`` is not
+   specified and you are not using x.509 authentication, the
+   system-wide CA certificate store will be used when connecting to an
+   TLS-enabled server.
+
+   .. include:: /includes/extracts/tls-facts-x509-ca-file.rst
+
+---
+ref: tls-facts-x509-ca-file
+content: |
+
+   If using x.509 authentication, ``--tlsCAFile`` or ``tls.CAFile``
+   must be specified unless using :option:`--tlsCertificateSelector <mongod --tlsCertificateSelector>`.
+
+---
+ref: tls-facts-see-more
+content: |
+   For more information about TLS and MongoDB, see
+   :doc:`/tutorial/configure-ssl` and
+   :doc:`/tutorial/configure-ssl-clients` .
+---
+# This is separate from the mongod/mongos ca file extract since the version is different.
+ref: tls-facts-mongo-shell-ca
+content: |
+
+   If ``--tlsCAFile`` or ``tls.CAFile`` is
+   not specified, the system-wide CA certificate store will be used
+   when connecting to an TLS-enabled server. In previous versions
+   of MongoDB, the :binary:`~bin.mongo` shell exited with an error that
+   it could not validate the certificate.
+
+   .. include:: /includes/extracts/tls-facts-x509-ca-file.rst
+---
+ref: tls-facts-invalid-cert-warning-clients
+content: |
+
+   .. warning::
+
+      For TLS connections to :binary:`~bin.mongod` and
+      :binary:`~bin.mongos`, avoid using
+      ``--tlsAllowInvalidCertificates`` if possible and only use
+      ``--tlsAllowInvalidCertificates`` on systems where intrusion is
+      not possible.
+
+      If the :binary:`~bin.mongo` shell (and other
+      :ref:`mongodb-tools-support-tls`) runs with the
+      ``--tlsAllowInvalidCertificates`` option, the
+      :binary:`~bin.mongo` shell (and other
+      :ref:`mongodb-tools-support-tls`) will not attempt to validate
+      the server certificates. This creates a vulnerability to expired
+      :binary:`~bin.mongod` and :binary:`~bin.mongos` certificates as
+      well as to foreign processes posing as valid
+      :binary:`~bin.mongod` or :binary:`~bin.mongos` instances.
+      If you only need to disable the validation of the hostname in
+      the TLS certificates, see ``--tlsAllowInvalidHostnames``.
+
+---
+ref: tls-facts-mongo-tls-options-configure
+content: |
+
+   To connect to a :binary:`~bin.mongod` or :binary:`~bin.mongos` that
+   uses TLS, you must also specify the ``--host`` option for the
+   :binary:`~bin.mongo` shell if you haven't specified a connect
+   string. The :binary:`~bin.mongo` shell verifies that the hostname of
+   the :binary:`~bin.mongod` or :binary:`~bin.mongos` matches the CN or
+   SAN of ``--tlsPEMKeyFile`` certificate presented by the
+   :binary:`~bin.mongod` or :binary:`~bin.mongos`. If the hostname does
+   not match the CN/SAN, :binary:`~bin.mongo` will fail to connect.   
+---
+ref: tls-facts-certificate-selector-properties
+content: |
+
+    .. list-table::
+       :header-rows: 1
+
+       * - Property
+         - Value type
+         - Description
+
+       * - ``subject``
+         - ASCII string
+         - Subject name or common name on certificate
+
+       * - ``thumbprint``
+         - hex string
+
+         - A sequence of bytes, expressed as hexadecimal, used to
+           identify a public key by its SHA-1 digest.
+
+           The ``thumbprint`` is sometimes referred to as a
+           ``fingerprint``.
+
+...