Certificate Authority Signing Certificates

Client-facing TLS Servers

NOTE: Depending on the deployment pattern, this could be a private CA or simply a copy of the root used by Let's Encrypt.
TLS Server CA

NOTE: This CA is only relevant for Mongo client-to-server and server-to-server communications that are not Internet-facing.
Mongo CA

SAML

SAML IdP Token Issuer
Endpoint Registration (TPM2 anchor)
Endpoint Registration (no anchor)
Device (TPM2 anchor)
Device (no anchor)
Relay PKI Network
Install (AKA "Initial") CA
OIDC Trusted Client (used by applications)
SAML IdP Trusted Client (used by applications)
SMM Trusted Client (used by applications)
Oracle CA