author: Varun Ravichandran <varun.ravichandran@mongodb.com> 2023-04-14 16:48:36 +0000
committer: Evergreen Agent <no-reply@evergreen.mongodb.com> 2023-04-20 17:33:58 +0000
commit: c8bf6ed05ae8d8954760bf47703703ddd34f8421
tree: ed45259d47c279b92987ce2524c0a677ac4f017e /src/mongo/util
parent: 8a196ea04f9b5ca08fbf266c94bb4596f478ea78
SERVER-69855: Document tlsClusterAuthX509 options and overrides in arch guides
Diffstat (limited to 'src/mongo/util')
-rw-r--r-- src/mongo/util/net/README.md 9
1 files changed, 6 insertions, 3 deletions
diff --git a/src/mongo/util/net/README.md b/src/mongo/util/net/README.md
index fbc7daebb9b..96ea7537241 100644
--- a/src/mongo/util/net/README.md
+++ b/src/mongo/util/net/README.md
@@ -259,6 +259,9 @@ authenticate to them. If `net.tls.clusterFile` is not specified, then
[`net.tls.certificateKeyFile`](https://docs.mongodb.com/manual/reference/configuration-options/#net.tls.certificateKeyFile)
will be used.
-Member and client certificates are basically the same, content-wise. Nodes will only consider a peer certificate to be a
-member certificate if the _Organization (O)_, _Organizational Unit (OU)_, and _Domain Component (DC)_ that might be
-contained in the certificate's _Subject Name_ match those contained in _its own_ subject name.
+By default, nodes will only consider a peer certificate to be a member certificate if the
+_Organization (O)_, _Organizational Unit (OU)_, and _Domain Component (DC)_ that might be contained
+in the certificate's _Subject Name_ match those contained in _its own_ subject name. This behavior
+can be customized to check for different attributes via `net.tls.clusterAuthX509.attributes` or
+`net.tls.clusterAuthX509.extensionValue`. See the [`auth`](../../db/auth/README.md) documentation
+for more information about X.509 intracluster auth.
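Review bot: The added sentence "This behavior can be customized to check for different attributes via `net.tls.clusterAuthX509.attributes` or `net.tls.clusterAuthX509.extensionValue`" does not say whether these settings replace the default O/OU/DC comparison or add to it, nor whether both can be set at once. Since this rule decides which peer certificates are treated as member certificates, please state that explicitly here, or say in this paragraph that the linked `auth` README defines it. The hunk also drops "Member and client certificates are basically the same, content-wise", which was the only statement of why the subject-name match is what distinguishes a member from a client; consider keeping a one-line version of it ahead of "By default".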