Correction on CH1, x509

I’m watching the video linked below.

Around 01:35 @kirbyk remarks that “we use --caFile so we can know the client is who they say they are.”

That is absolutely not what that param does.

By specifying the CA’s certificate we tell the MongoD which Certificate Authority it can trust. So MongoD will accept all certificates published by said CA as gospel.

So the end effect is what Kirby says: as long as the client’s cert was signed by the CA, and the CA’s cert is trusted, the MongoD will accept the client’s cert as proof of its identity. But the current statement is an over-simplification.

Similarly, the quiz presents the option:

The certificate must be signed by the certificate authority file passed to the mongod.

… which is also incorrect. The certificate “client.pem” is not “signed by the CA file”. The CA file should (at least) contain the certificate of the CA who signed the client certificate. A file cannot sign anything, a CA can.
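Added illustration, not part of the post above: a shell script that uses the openssl CLI to build two CAs and a client certificate from each, then runs the same chain check a server does with its CA file. It assumes openssl is on PATH and can write to a temporary directory; the names "trusted-ca", "rogue-ca", "client" and "impostor" are constructed for the demo. The point it shows is that the CA file is a list of trust anchors the server will believe, while the signing is done by the CA's private key, which never appears in that file.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI is on PATH
# and a writable temp dir. CA and client names below are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# A CA is two things: a private key (the part that signs) and a self-signed
# certificate (the part that goes into a CA file as a trust anchor).
make_ca() {  # $1 = CA name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Issue a leaf certificate: the CSR is signed with the CA's private key,
# so the resulting certificate's issuer is the CA's subject.
make_client() {  # $1 = client name, $2 = CA name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$1.csr" \
    -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
    -out "$WORK/$1.crt" >/dev/null 2>&1
}

# What a server does with its CA file: check that the presented certificate
# chains to a certificate in that file. Prints "accepted" or "rejected".
verify_against() {  # $1 = cert name, $2 = CA whose cert plays the CA file
  if openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

make_ca trusted-ca
make_ca rogue-ca
make_client client trusted-ca     # signed by the CA we will put in the CA file
make_client impostor rogue-ca     # signed by a CA that is not in the CA file

echo "client   vs trusted-ca file: $(verify_against client trusted-ca)"    # accepted
echo "impostor vs trusted-ca file: $(verify_against impostor trusted-ca)"  # rejected
echo "impostor vs rogue-ca file:   $(verify_against impostor rogue-ca)"    # accepted
openssl x509 -noout -issuer -in "$WORK/client.crt"  # the issuer is a CA, not a file
```

Swapping the CA file swaps who is trusted, not who signed the certificate: the impostor's certificate is rejected against trusted-ca.crt and accepted against rogue-ca.crt, while its signature never changed. That is also the operational risk to keep in mind: whatever ends up in the CA file is trusted wholesale, so it should hold exactly the CA certificates meant to issue client identities and nothing more.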