Recently I've been using MongoDB on IBM Cloud, and the connection command provided by IBM Cloud is as below:
mongo -u <username> -p <password> --ssl --sslCAFile <path-to-PEM-file> --authenticationDatabase admin --host <hostnames>
I understand that this is a virtual private network, and requires a local private CA to issue certs and authenticate/encrypt all the incoming traffic.
However, why do I only need to provide the root CA file instead of a client cert?
I thought the root CA file is already stored in the mongo cluster and the only thing I need to provide is a client cert so that they can authenticate my identity.
Appreciate any answers ;)
A client certificate is only needed if the server validates client certificates.
Each direction of validation can be independently turned on and off.
Certificates are not used for authentication since you are providing username and password.
Certificates are also not used for encryption; TLS does that.
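
The two directions of validation, shown as an added illustration that is not part of the original answer and is not IBM Cloud's actual configuration: a `mongod.conf` sketch using the legacy `net.ssl` option names that correspond to the `--ssl` flags in the question. All file paths are assumed placeholders.

```yaml
# Variant A: only the server is validated (the situation in the question).
# The client passes --sslCAFile so it can check the server's certificate;
# the client proves who it is with -u / -p, not with a certificate.
net:
  ssl:
    mode: requireSSL                            # every connection must use TLS
    PEMKeyFile: /etc/mongo/server.pem           # assumed path: server cert + private key
    CAFile: /etc/mongo/ca.pem                   # assumed path: CA used to check client certs, if any are sent
    allowConnectionsWithoutCertificates: true   # clients that present no certificate are still accepted
security:
  authorization: enabled                        # username/password authentication
---
# Variant B: both directions validated (mutual TLS).
# The client must now also pass --sslPEMKeyFile with a certificate
# issued by the CA named in CAFile, in addition to --sslCAFile.
net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/mongo/server.pem           # assumed path
    CAFile: /etc/mongo/ca.pem                   # assumed path
    allowConnectionsWithoutCertificates: false  # default: a valid client certificate is required
security:
  authorization: enabled
```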