Database Dynamic Secret x509 Client-side Auth mode

Vault’s database secret engine supports x509 Client-side auth mode (MongoDB - Database - Secrets Engines | Vault by HashiCorp)

I could use some more information on this.
If the secret engine is configured in x509 auth mode, that means MongoDB (in this case) will start with SSL enabled. And Vault would generate username/password for communication from thereon. But this means that all the connections to MongoDB will involve adding the “sslAllowInvalidCertificates” flag or “InsecureSkipVerify” from the code to use the credentials generated by Vault. Doesn’t this defeat the purpose of enabling SSL? Shouldn’t Vault generate certificates instead of username/password?

I am new to Vault and MongoDB!

Totally agree. Did you find any answer?