I have MongoDB clusters configured with two separate certificates - one for the cluster communication and one for communication from clients. I use two different certificate authorities for these.
For the cluster, I am using the options clusterFile and clusterCAFile.
And for the client connections, certificateKeyFile and CAFile.
Now I am adding authentication for clients using certificates and adding their certificate subject in the $external database. However, I’m running into an issue. I know that the Mongo docs state that the same CA must be used for the client and server, but I assumed that would be the CAFile certificate authority, since it's the one used for client connections.
But I cannot get Mongo to accept certificates signed by the CAFile. After a lot of troubleshooting I discovered that it will accept client certificates signed by the clusterCAFile. Is that expected? Is there a way to have MongoDB validate client certs against the other CA?
The parameter names clusterFile and clusterCAFile are a bit misleading. They are not used to separate cluster and client connections!
They are used to separate outgoing and incoming connections.
The clusterCAFile certificate is used to validate the client certificate, i.e. the certificate which is provided on an incoming connection. It does not matter if these incoming connections are issued by an internal cluster member or by a “normal” client application.
The CAFile certificate is used to validate the server certificate.
Maybe for better understanding:
If you set both CAFile and clusterCAFile on a stand-alone MongoDB deployment (which does not make much sense, but you can do so) the CAFile is not used, because a stand-alone mongod never establishes a connection to any other server.
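To make the direction of each option concrete, here is a mongod.conf fragment I put together as an added example (it is not from the question, the answer above, or the MongoDB documentation). The option names under `net.tls` and `security` are the real MongoDB configuration keys; the file paths are placeholders, and the two CA names (`client-ca` for the CA that signs incoming certificates, `server-ca` for the CA that signs server certificates) are assumptions chosen to match the explanation above.

```yaml
net:
  port: 27017
  tls:
    mode: requireTLS
    # Certificate this mongod presents when a client (or another
    # member) connects TO it. Assumed to be signed by server-ca.
    certificateKeyFile: /etc/mongo/tls/server.pem
    # Certificate this mongod presents when it connects OUT to
    # other members (replication, sharding). Assumed to be signed
    # by server-ca as well.
    clusterFile: /etc/mongo/tls/member.pem
    # CA used to validate the certificate of the SERVER this mongod
    # connects to, i.e. outgoing connections. Not consulted on a
    # stand-alone deployment, which never dials out.
    CAFile: /etc/mongo/tls/server-ca.pem
    # CA used to validate the certificate presented by whoever
    # connects TO this mongod: cluster members and applications alike.
    # This is the CA that x.509 client authentication against
    # $external is checked with. If it is omitted, CAFile is used
    # for incoming connections too.
    clusterCAFile: /etc/mongo/tls/client-ca.pem
security:
  # Members authenticate to each other with their clusterFile cert.
  clusterAuthMode: x509
```

With this layout, an application certificate must be issued by `client-ca` (the CA in `clusterCAFile`) to be accepted, which matches the behaviour observed in the question. A quick way to confirm which CA a client certificate will validate against before pointing it at mongod is `openssl verify -CAfile client-ca.pem app-client.pem`, substituting the real file names; a failure there is the same failure mongod will report at the TLS handshake.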