DOCSP-36188 KMIP on Windows admonition (#7373)

jmd-mongo · web-flow · commit 1e326b2cd660 · 2024-04-11T16:06:21.000-04:00
* DOCSP-36188 KMIP on Windows admonition * internal review * external review
diff --git a/source/includes/enable-KMIP-on-windows.rst b/source/includes/enable-KMIP-on-windows.rst
@@ -0,0 +1,10 @@
+.. important:: 
+
+   Enabling encryption using a KMIP server on Windows fails when using 
+   |kmip-client-cert-file| and the KMIP server enforces TLS 1.2.
+
+   To enable encryption at rest with KMIP on Windows, you must:
+
+   - Import the client certificate into the Windows Certificate Store.
+   - Use the |kmip-client-cert-selector| option.
+
diff --git a/source/reference/configuration-options.txt b/source/reference/configuration-options.txt
@@ -2893,11 +2893,10 @@ Key Management Configuration Options
    To use this setting, you must also specify the
    :setting:`security.kmip.serverName` setting.
    
-   .. note::
-      
-      Starting in 4.0, on macOS or Windows, you can use a certificate
-      from the operating system's secure store instead of a PEM key
-      file. See :setting:`security.kmip.clientCertificateSelector`.
+   .. |kmip-client-cert-file| replace:: ``security.kmip.clientCertificateFile``
+   .. |kmip-client-cert-selector| replace:: :setting:`security.kmip.clientCertificateSelector`
+
+   .. include:: /includes/enable-KMIP-on-windows.rst
    
    .. include:: /includes/fact-enterprise-only-admonition.rst
 
diff --git a/source/reference/program/mongod.txt b/source/reference/program/mongod.txt
@@ -3048,6 +3048,11 @@ Encryption Key Management Options
    
    To use this option, you must also specify the
    :option:`--kmipServerName` option.
+
+   .. |kmip-client-cert-file| replace:: ``--kmipClientCertificateFile``
+   .. |kmip-client-cert-selector| replace:: :option:`--kmipClientCertificateSelector`
+
+   .. include:: /includes/enable-KMIP-on-windows.rst
    
    .. note::
       
diff --git a/source/tutorial/configure-encryption.txt b/source/tutorial/configure-encryption.txt
@@ -95,6 +95,11 @@ following options to start ``mongod``:
 
 .. include:: /includes/extracts/default-bind-ip-security-additional-command-line.rst
 
+.. |kmip-client-cert-file| replace:: :option:`--kmipClientCertificateFile`
+.. |kmip-client-cert-selector| replace:: :option:`--kmipClientCertificateSelector`
+
+.. include:: /includes/enable-KMIP-on-windows.rst
+
 The following operation creates a new master key in your key manager.
 ``mongod`` uses the master key to encrypt the keys that ``mongod``
 generates for each database.
