[v13] update self-hosted database guides (#37941)

* backport #36260 to branch/v13

* retain the CA note from v13 for backport

docs/pages/database-access/guides/cockroachdb-self-hosted.mdx

@@ -23,6 +23,14 @@ description: How to configure Teleport database access with self-hosted Cockroac
 - A host, e.g., an Amazon EC2 instance, where you will run the Teleport Database
   Service.
 - (!docs/pages/includes/tctl.mdx!)
+- A certificate authority to issue CockroachDB certificates for nodes in your 
+  CockroachDB cluster.
+  Teleport uses a split CA architecture for database access, and requires that
+  you create your own CA for node-to-node mTLS communication.
+  See [cockroach cert](https://www.cockroachlabs.com/docs/stable/cockroach-cert)
+  for instructions on creating a CA and issuing a client certificate and key
+  for each node. The certificate and key should be named `client.node.crt` and 
+  `client.node.key`.
 
 ## Step 1/4. Set up the Teleport Database Service
 
@@ -91,9 +99,13 @@ $ tctl auth sign \
     --ttl=2190h
 ```
 
-The command will produce 3 files: `ca.crt` with Teleport's certificate authority
-and `node.crt` / `node.key` with the node's certificate and key. Do not rename
-them as this is how CockroachDB expects them to be named. See [Node key and certificates](https://www.cockroachlabs.com/docs/v21.1/create-security-certificates-custom-ca#node-key-and-certificates)
+The command will produce 4 files:
+- `ca.crt` with Teleport's `db` certificate authority
+- `ca-client.crt` with Teleport's `db_client` certificate authority
+- `node.crt` / `node.key` with the node's certificate and key.
+
+Do not rename these files as this is how CockroachDB expects them to be named.
+See [Node key and certificates](https://www.cockroachlabs.com/docs/v21.1/create-security-certificates-custom-ca#node-key-and-certificates)
 for details.
 
 Generate the secrets for each cluster node and make sure to use the hostname
@@ -183,4 +195,5 @@ Connect app.
 
 (!docs/pages/includes/database-access/guides-next-steps.mdx!)
 - [CockroachDB client authentication](https://www.cockroachlabs.com/docs/stable/authentication.html#client-authentication)
+- [CockroachDB using split CA certificates](https://www.cockroachlabs.com/docs/stable/authentication#using-split-ca-certificates)
 

docs/pages/database-access/guides/mongodb-self-hosted.mdx

@@ -30,6 +30,19 @@ videoBanner: 6lgVObxoLkc
 </Admonition>
 
 - (!docs/pages/includes/tctl.mdx!)
+- A certificate authority for MongoDB Replica Set, and the public certificate
+  for that CA, in PEM format, e.g. `/path/to/your/ca.crt`.
+
+  <Admonition type="note">
+  A MongoDB replica set requires that each MongoDB server is configured with a 
+  certificate that has extendedKeyUsage `clientAuth, serverAuth`.
+
+  Teleport uses a split CA architecture for better security:
+  the Teleport Database Server CA issues certs with `serverAuth`
+  and the Teleport Database Client CA issues certs with `clientAuth`.
+  Therefore, you must provide each MongoDB server with a certificate issued by
+  your own CA with extendedKeyUsage `clientAuth, serverAuth`.
+  </Admonition>
 
 ## Step 1/3. Install and configure Teleport
 
@@ -133,24 +146,34 @@ Create the secrets:
   authority and `mongo.crt` with the generated certificate and key pair. You will
   need these files to enable mutual TLS on your MongoDB server.
   </TabItem>
-  <TabItem label="Replica set">
-  When connecting to a MongoDB replica set, sign certificates for each member
-  using the hostnames they're accessible at.
-
-  For example, if the first member is accessible at `mongo1.example.com` and
-  the second at `mongo2.example.com`, run:
-
+  <TabItem label="Replica Set">
+  Export the Teleport Database Client CA from Teleport, and then add it as an 
+  additional trusted CA by concatenating it with your CA's certificate:
+
   ```code
-  $ tctl auth sign --format=mongodb --host=mongo1.example.com --out=mongo1 --ttl=2190h
-  $ tctl auth sign --format=mongodb --host=mongo2.example.com --out=mongo2 --ttl=2190h
+  $ tctl auth export --type=db_client > db-client-ca.crt
+  $ cat /path/to/your/ca.crt db-client-ca.crt > /etc/certs/mongo.cas
   ```
 
-  (!docs/pages/includes/database-access/ttl-note.mdx!)
-
-  Each command will create two files: `mongo1.cas`/`mongo2.cas` with Teleport's
-  certificate authority and `mongo1.crt`/`mongo2.crt` with the generated certificate
-  and key pair. You will need these files to enable mutual TLS on your MongoDB
-  servers.
+  When MongoDB is configured to trust these CAs, it will trust the Teleport 
+  Database Client CA and allow access via Teleport, while still allowing MongoDB 
+  replication over TLS using your CA's certs for peer verification.
+
+  Next, modify your Teleport Database Service to trust your MongoDB Replica 
+  Set CA:
+  ```yaml
+    databases:
+    - name: "example-mongo"
+      protocol: "mongodb"
+      uri: "mongo.example.com:27017"
+      static_labels:
+        "env": "dev"
+      tls:
+        ca_cert_file: "/path/to/your/ca.crt"
+  ```
+  
+  Now the Teleport Database Service will trust certificates presented by your
+  MongoDB Replica Set.
   </TabItem>
 </Tabs>
 

docs/pages/database-access/guides/redis-cluster.mdx

@@ -82,16 +82,29 @@ $ tctl auth sign --format=redis --host=redis2.example.com,10.0.0.2 --out=redis2
 (!docs/pages/includes/database-access/ttl-note.mdx!)
 
 The command will create three files:
-- `server.cas` with Teleport's certificate authority
-- `server.key` with a generated private key
-- `server.crt` with a generated user certificate
+- `out.cas` with Teleport's database client certificate authority
+- `out.key` with a generated private key
+- `out.crt` with a generated certificate issued by Teleport's database server 
+certificate authority
 
 You will need these files to enable mutual TLS on your Redis server.
 
 (!docs/pages/includes/database-access/rotation-note.mdx!)
 
-Use the generated secrets to enable mutual TLS in your `redis.conf` configuration
-file and restart the database:
+<Tabs>
+<TabItem label="tls-cluster yes">
+If you wish to enable intra-cluster TLS communication in Redis, you will need 
+to generate and manage a CA to issue certificates for Redis Cluster nodes,
+and configure your Teleport Database Service to trust that CA.
+
+Concatenate your CA's cert (in PEM format) with Teleport's database client 
+certificate authority:
+```sh
+cat /path/to/your/ca.crt out.cas > pem-bundle.cas
+```
+
+Using your CA, issue `server.crt` for your Redis Cluster node and enable mutual 
+TLS in your `redis.conf` configuration file, then restart the database:
 
 ```ini
 tls-port 7001
@@ -104,10 +117,47 @@ masterauth GENERATED_STRONG_PASSWORD
 masteruser replica-user
 tls-cert-file /usr/local/etc/redis/certs/server.crt
 tls-key-file /usr/local/etc/redis/certs/server.key
+tls-ca-cert-file /usr/local/etc/redis/certs/pem-bundle.cas
+tls-protocols "TLSv1.2 TLSv1.3"
+```
+
+Modify your Teleport Database Service to trust your Redis Cluster CA:
+```yaml
+  databases:
+  - name: "example-redis"
+    protocol: "redis"
+    uri: "rediss://redis.example.com:6379?mode=cluster"
+    static_labels:
+      "env": "dev"
+    tls:
+      ca_cert_file: "/path/to/your/ca.crt"
+```
+</TabItem>
+<TabItem label="tls-cluster no">
+Use the generated secrets to enable mutual TLS in your `redis.conf` configuration
+file and restart the database:
+
+```ini
+tls-port 7001
+port 0
+cluster-enabled yes
+tls-replication no
+tls-cluster no
+aclfile /path/to/users.acl
+masterauth GENERATED_STRONG_PASSWORD
+masteruser replica-user
+tls-cert-file /usr/local/etc/redis/certs/server.crt
+tls-key-file /usr/local/etc/redis/certs/server.key
 tls-ca-cert-file /usr/local/etc/redis/certs/server.cas
 tls-protocols "TLSv1.2 TLSv1.3"
 ```
 
+With this configuration, communication between user clients and the Redis 
+Cluster will still use TLS, but Redis nodes will not use TLS to communicate with
+each other.
+</TabItem>
+</Tabs>
+
 Once mutual TLS has been enabled, you will no longer be able to connect to
 the cluster without providing a valid client certificate. You can use the
 `tls-auth-clients optional` setting to allow connections

docs/pages/database-access/guides/sql-server-ad-pkinit.mdx

@@ -67,13 +67,13 @@ You will need to repeat these steps if you rotate Teleport's database certificat
 1. Get the Teleport database CA certificate by running:
 
    ```code
-   $ tctl auth export --type=db-der > db-ca.cer
+   $ tctl auth export --type=db-client-der > db-ca.cer
    ```
 
 1. Get the Teleport database CRL by running:
 
    ```code
-   $ tctl auth crl --type=db > db-ca.crl
+   $ tctl auth crl --type=db_client > db-ca.crl
    ```
 
 1. Transfer the `db-ca.cer` and `db-ca.crl` files to a Windows machine where you can manage your group policy.