I’m watching the video linked below.
Around 01:35 @kirbyk remarks that “we use --caFile so we can know the client is who they say they are.”
That is absolutely not what that param does.
By specifying the CA’s certificate we tell the MongoD which Certificate Authority it can trust. So MongoD will accept all certificates published by said CA as gospel.
So the end effect is what Kirby says: as long as the client’s cert was signed by the CA, and the CA’s cert is trusted, the MongoD will accept the client’s cert as proof of its identity. But the current statement is an over-simplification.
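The distinction drawn in the post above can be seen with the `openssl` CLI. This is an added example, not code from the poster, the video or MongoDB; it uses `openssl verify -CAfile` as a stand-in for the chain check a TLS server runs against its configured CA file. All file names and subjects are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: one CA, two client certs it signed, one cert it did not sign.
set -eu

make_pki() {
  # $1 = working directory (all names and subjects below are made up)
  d="$1"
  # The trust anchor: this is the file a server's CA-file option would point at.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  # Two different clients, both signed by the same CA.
  for name in app-server backup-job; do
    openssl req -newkey rsa:2048 -nodes -subj "/O=Demo/CN=$name" \
      -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
    openssl x509 -req -in "$d/$name.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
      -CAcreateserial -days 1 -out "$d/$name.pem" 2>/dev/null
  done
  # Same subject as a real client, but self-signed: no chain to the CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=Demo/CN=app-server" \
    -keyout "$d/selfsigned.key" -out "$d/selfsigned.pem" 2>/dev/null
}

chain_ok() {
  # $1 = CA file, $2 = certificate; prints "trusted" or "rejected"
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo rejected
  fi
}

subject_of() {
  # The subject is the identity the certificate claims.
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253
}

work="$(mktemp -d)"
make_pki "$work"
for c in app-server backup-job selfsigned; do
  printf '%-11s %-9s %s\n' "$c" \
    "$(chain_ok "$work/ca.pem" "$work/$c.pem")" "$(subject_of "$work/$c.pem")"
done
```

Both CA-signed certificates pass the chain check regardless of their subject, while the self-signed certificate that merely claims the `app-server` name fails it.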