js draft

go-manual/modules/ROOT/pages/connect-advanced.adoc

@@ -64,6 +64,7 @@ driver, err := neo4j.NewDriverWithContext(dbUri, neo4j.NoAuth())
 ----
 
 
+[#mtls]
 [role=label--new-5.27]
 == Mutual TLS (client-side certificates as 2FA)
 

javascript-manual/modules/ROOT/pages/connect-advanced.adoc

@@ -65,6 +65,79 @@ const driver = neo4j.driver(
 If authentication is disabled on the server, the authentication parameter can be omitted entirely.
 
 
+[#mtls]
+[role=label--new-5.27]
+== Mutual TLS (client-side certificates as 2FA)
+
+Mutual TLS (mTLS) allows you to use a client certificate as second factor for authenticating with the server.
+The certificate can only be used together with an authentication token and is not a replacement of regular authentication, unless authentication is disabled on the server.
+
+[.tabbed-example]
+=====
+[.include-with-static-certificate]
+======
+Use link:https://pkg.go.dev/github.com/neo4j/neo4j-go-driver/v5/neo4j/auth#NewStaticClientCertificateProvider[`auth.NewStaticClientCertificateProvider()`] for static certificates. +
+The method takes a link:https://pkg.go.dev/github.com/neo4j/neo4j-go-driver/v5/neo4j/auth#ClientCertificate[`ClientCertificate`] instance.
+
+[source, go, test-skip]
+----
+const driver = neo4j.driver('neo4j+s://myhost:7687', MY_CREDENTIALS, {
+   clientCertificate: {
+      certfile: '/path/to/cert/file.cert',
+      keyfile: '/path/to/cert/file.pem',
+      password: 'the_key_password' // optional
+   }
+})
+
+// then use your driver as usual.
+----
+
+======
+[.include-with-rotating-certificate]
+======
+
+Use link:https://pkg.go.dev/github.com/neo4j/neo4j-go-driver/v5/neo4j/auth#NewRotatingClientCertificateProvider[`auth.NewRotatingClientCertificateProvider()`] for rotating certificates. +
+The method takes a link:https://pkg.go.dev/github.com/neo4j/neo4j-go-driver/v5/neo4j/auth#ClientCertificate[`ClientCertificate`] instance.
+
+[source, go, test-skip]
+----
+import neo4j from 'neo4j-driver'
+
+const initialClientCertificate: {
+  certfile: '/path/to/cert/file.cert',
+  keyfile: '/path/to/cert/file.pem',
+  password: 'the_key_password' // optional
+}
+
+const clientCertificateProvider = neo4j.clientCertificateProviders.rotating({
+    initialCertificate: initialClientCertificate
+})
+
+const driver = neo4j.driver('neo4j+s://myhost:7687', MY_CREDENTIALS, {
+   clientCertificate: clientCertificateProvider
+})
+
+
+// use the driver as usual
+
+// then you have new certificate which will replace the old one
+clientCertificateProvider.updateCertificate({
+  certfile: '/path/to/cert/new_file.cert',
+  keyfile: '/path/to/cert/new_file.pem',
+  password: 'the_new_key_password' // optional
+})
+
+// New connections will be created using the new certificate.
+// however, older connections will not be closed if they still working.
+----
+
+======
+=====
+
+
+For more information, see link:https://pkg.go.dev/github.com/neo4j/neo4j-go-driver/v5/neo4j/auth#ClientCertificateProvider[API docs -> `ClientCertificateProvider`].
+
+
 == Custom address resolver
 
 When creating a `Driver` object, you can specify a _resolver_ function to resolve the connection address the driver is initialized with.

python-manual/modules/ROOT/pages/connect-advanced.adoc

@@ -63,12 +63,17 @@ Use the function link:{neo4j-docs-base-uri}/api/python-driver/current/api.html#n
 If authentication is disabled on the server, the authentication parameter can be omitted entirely.
 
 
+[#mtls]
 [role=label--new-5.27]
 == Mutual TLS (client-side certificates as 2FA)
 
 Mutual TLS (mTLS) allows you to use a client certificate as second factor for authenticating with the server.
 The certificate can only be used together with an authentication token and is not a replacement of regular authentication, unless authentication is disabled on the server.
 
+[NOTE]
+must use a secure driver with client certificates (...+s[sc] scheme or encrypted=True)
+# ex. "neo4j+s://example.com:7687"
+
 [.tabbed-example]
 =====
 [.include-with-static-certificate]
@@ -124,10 +129,7 @@ from neo4j.auth_management import (
     ClientCertificateProviders,
 )
 
-# must use a secure driver with client certificates (...+s[sc] scheme or encrypted=True)
-# ex. "neo4j+s://example.com:7687"
 URI = "<URI for Neo4j database>"
-# auth still required, unless server has authentication disabled
 AUTH = ("<Username>", "<Password>")