in my studio environment I have a replicaset with mongodb 4.2.8 community edition. When I configure RS members to work with internal authentication, I must necessarily define 2 certificates: CAFile and certificateKeyFile. It is not possible to insert only clusterFile, in fact if it is not present
certificateKeyFile I get this error when mongod starts:
“Failed global initialization: BadValue: need tlsCertificateKeyFile or certificateSelector when TLS is enabled”.
clusterFile is optional and if it is not present, mongodb uses certicateKeyFile.
On the certificateKeyFile certificate, mongod verifies the subject; on the clusterFile certificate instead, there is no verification on the subject and I can put any certificate signed by the CA, even of other members, it can be the same for all members or not, and everything works correctly
(I created a certificate with a CN equal to the name of the replica set, and I distributed it on the members and it works).
I therefore miss the meaning of the clusterFile certificate.
In the Mongodb documentation, its meaning is described like this:
security: clusterAuthMode: x509 net: tls: mode: requireTLS certificateKeyFile: <path to its TLS / SSL certificate and key file> CAFile: clusterFile: bindIp: localhost, <hostname (s) | ip address (es)>
But if no check is carried out on the subject of the certificate, what verification is carried out on membership authentication? What certification obligation does clusterFile take me to?