V3.4.18

source/includes/options-conf.yaml

@@ -539,7 +539,6 @@ description: |
 
    Enables or disables IPv6 support. :binary:`~bin.mongos` or
    :binary:`~bin.mongod` disables IPv6 support by default.
-
 ---
 program: conf
 name: net.http.JSONPEnabled
@@ -662,6 +661,19 @@ inherit:
   file: options-mongod.yaml
 ---
 program: conf
+name: net.ssl.clusterCAFile
+type: string
+directive: setting
+replacement:
+  program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
+  intro: "The"
+  cafile: ":setting:`net.ssl.CAFile`"
+inherit:
+  name: sslClusterCAFile
+  program: mongod
+  file: options-mongod.yaml
+---
+program: conf
 name: net.ssl.CRLFile
 type: string
 directive: setting

source/includes/options-mongod.yaml

@@ -1373,6 +1373,35 @@ replacement:
   intro: "Specifies the"
 ---
 program: mongod
+name: sslClusterCAFile
+args: <filename>
+directive: option
+description: |
+
+  .. versionadded:: 3.4.18
+
+  {{intro}} :file:`.pem` file that contains the root certificate chain
+  from the Certificate Authority used to validate the certificate
+  presented by a client establishing a connection. Specify the file
+  name of the :file:`.pem` file using relative or absolute paths.
+
+  If {{role}} does not specify the :file:`.pem` file for validating the
+  certificate from a client establishing a connection, the cluster uses
+  the :file:`.pem` file specified in the {{cafile}} option.
+
+  {{role}} lets you use separate Certificate Authorities to verify the
+  client to server and server to client portions of the TLS handshake.
+
+  Requires that {{cafile}} is set.
+
+  .. include:: /includes/extracts/ssl-facts-see-more.rst
+
+optional: true
+replacement:
+  intro: "Specifies the"
+  cafile: ":option:`--sslCAFile`"
+---
+program: mongod
 name: sslCRLFile
 args: <filename>
 directive: option

source/includes/options-mongos.yaml

@@ -321,6 +321,13 @@ inherit:
   file: options-mongod.yaml
 ---
 program: mongos
+name: sslClusterCAFile
+inherit:
+  name: sslClusterCAFile
+  program: mongod
+  file: options-mongod.yaml
+---
+program: mongos
 name: sslCRLFile
 inherit:
   name: sslCRLFile

source/reference/configuration-options.txt

@@ -238,6 +238,7 @@ Core Options
          clusterFile: <string>
          clusterPassword: <string>
          CAFile: <string>
+         clusterCAFile: <string>
          CRLFile: <string>
          allowConnectionsWithoutCertificates: <boolean>
          allowInvalidCertificates: <boolean>
@@ -297,6 +298,9 @@ Core Options
 
 .. include:: /includes/option/setting-conf-net.http.RESTInterfaceEnabled.rst
 
+
+.. _net-ssl-conf-options:
+
 ``net.ssl`` Options
 ```````````````````
 
@@ -311,6 +315,7 @@ Core Options
          clusterFile: <string>
          clusterPassword: <string>
          CAFile: <string>
+         clusterCAFile: <string>
          CRLFile: <string>
          allowConnectionsWithoutCertificates: <boolean>
          allowInvalidCertificates: <boolean>
@@ -332,6 +337,8 @@ Core Options
 
 .. include:: /includes/option/setting-conf-net.ssl.CAFile.rst
 
+.. include:: /includes/option/setting-conf-net.ssl.clusterCAFile.rst
+
 .. include:: /includes/option/setting-conf-net.ssl.CRLFile.rst
 
 .. include:: /includes/option/setting-conf-net.ssl.allowConnectionsWithoutCertificates.rst

source/reference/parameters.txt

@@ -277,6 +277,29 @@ Authentication Parameters
 
       db.adminCommand( { setParameter: 1, sslMode: "preferSSL" } )
 
+.. parameter:: sslWithholdClientCertificate
+
+   *Default*: false
+
+   .. versionadded:: 3.4.18
+
+   |both|
+
+   A TLS certificate is set for a :binary:`mongod <bin.mongod>` or
+   :binary:`mongos <bin.mongos>` either by the
+   :option:`--sslClusterFile <mongod --sslClusterFile>` option or by the
+   :option:`--sslPEMKeyFile <mongod --sslPEMKeyFile>` option when
+   :option:`--sslClusterFile <mongod --sslClusterFile>` is not set. If the TLS
+   certificate is set, by default, the instance sends the certificate when
+   initiating intra-cluster communications with other
+   :binary:`mongod <bin.mongod>` or :binary:`mongos <bin.mongos>` instances in
+   the deployment. Set ``sslWithholdClientCertificate`` to ``1`` or ``true`` to
+   direct the instance to withhold sending its TLS certificate during these
+   communications. Use this option with
+   :option:`--sslAllowConnectionsWithoutCertificates <mongod --sslAllowConnectionsWithoutCertificates>`
+   (to allow inbound connections without certificates) on all members of the
+   deployment. ``sslWithholdClientCertificate`` is mutually exclusive with
+   :option:`--clusterAuthMode x509 <mongod --clusterAuthMode>`.
 
 .. parameter:: userCacheInvalidationIntervalSecs
 

source/reference/program/mongod.txt

@@ -255,6 +255,7 @@ Sharded Cluster Options
 
 .. include:: /includes/option/option-mongod-noMoveParanoia.rst
 
+
 TLS/SSL Options
 ~~~~~~~~~~~~~~~
 
@@ -279,6 +280,8 @@ TLS/SSL Options
 
 .. include:: /includes/option/option-mongod-sslCAFile.rst
 
+.. include:: /includes/option/option-mongod-sslClusterCAFile.rst
+
 .. include:: /includes/option/option-mongod-sslCRLFile.rst
 
 .. include:: /includes/option/option-mongod-sslAllowInvalidCertificates.rst

source/reference/program/mongos.txt

@@ -119,6 +119,8 @@ TLS/SSL Options
 
 .. include:: /includes/option/option-mongos-sslCAFile.rst
 
+.. include:: /includes/option/option-mongos-sslClusterCAFile.rst
+
 .. include:: /includes/option/option-mongos-sslCRLFile.rst
 
 .. include:: /includes/option/option-mongos-sslAllowConnectionsWithoutCertificates.rst