Incorporating internal review comments (#732)

mdb-ashley · Ashley Brown · web-flow · commit 96caf206f187 · 2022-02-28T17:40:32.000-05:00
Co-authored-by: Ashley Brown &lt;ashley.brown@m-hw46j45q6c.lan&gt;
diff --git a/source/includes/extracts-x509-certificate.yaml b/source/includes/extracts-x509-certificate.yaml
@@ -19,17 +19,22 @@ content: |
      Distinguished Name (``DN``), must **differ** from the subjects of
      :ref:`member x.509 certificates <x509-member-certificate>`.
 
-     At least one of the Organization (``O``), Organizational Unit
-     (``OU``), or Domain Component (``DC``) attributes in the client
-     certificate must differ from those in the
-     :setting:`net.tls.clusterFile` and
-     :setting:`net.tls.certificateKeyFile` server certificates. If a
-     client x.509 certificate's subject has the same ``O``, ``OU``, and
-     ``DC`` combination as the :ref:`x509-member-certificate` (or
-     :parameter:`tlsX509ClusterAuthDNOverride` if set), the client
-     connection is rejected. Only :ref:`cluster member x509 certificates
-     <x509-member-certificate>` should use same ``O``, ``OU``, and
-     ``DC`` combinations as this grants full permissions.
+     .. important::  
+    
+        If a client x.509 certificate's subject matches the ``O``, ``OU``, and 
+        ``DC`` attributes of the :ref:`x509-member-certificate` (or
+        :parameter:`tlsX509ClusterAuthDNOverride`, if set) exactly, the client 
+        connection is accepted, full permissions are granted, and a warning 
+        message appears in the log. 
+        
+        Only :ref:`cluster member x509 certificates <x509-member-certificate>` 
+        should use the same ``O``, ``OU``, and ``DC`` attribute combinations.
+
+
+     .. versionadded:: 4.2
+
+        If the MongoDB deployment has :parameter:`tlsX509ClusterAuthDNOverride` 
+        set, the client x.509 certificate's subject must not match that value.
 
      If the MongoDB deployment has
      :parameter:`tlsX509ClusterAuthDNOverride` set (*available starting
@@ -89,11 +94,10 @@ content: |
         CN=host2,OU=Dept1,O=MongoDB
 
    - Either the Common Name (``CN``) or one of the Subject Alternative
-     Name (``SAN``) entries must match the hostname of the server, used
-     by the other members of the cluster. Starting in MongoDB 4.2, when
-     performing comparison of SAN, MongoDB supports comparison of DNS
-     names or IP addresses. In previous versions, MongoDB only supports
-     comparisons of DNS names.
+     Name (``SAN``) entries must match the server hostname for other cluster
+     members. Starting in MongoDB 4.2, when comparing ``SAN``\s, MongoDB can 
+     compare either DNS names or IP addresses. In previous versions, MongoDB 
+     only compares DNS names.
 
      For example, the certificates for a cluster could have the
      following subjects:
