Uploaded image for project: 'C# Driver'
  1. C# Driver
  2. CSHARP-3560

x509 Auth with intermediate CA



    • Bug
    • Status: Closed
    • Major - P3
    • Resolution: Done
    • 2.9.3, 2.11.6
    • None
    • None
    • None
    • RHEL 7, dotnet core 3.1, python 2.7


      We have a replica set of 3 nodes. Each nodes authenticates using x509 certificates. Some clients also authenticates using x509 certificates. Everything works if certification path is like this:
      root_ca -> certificate

      but if certification path is
      root_ca -> intermediate_ca -> certificate

      the C# driver cannot connect using x509 auth. Python, mongo command can connect using same certificate just fine. Upon further investigation i assume C# client only sends single certificate for validation. 

      relevant code part used for testing:

                          var certificateCollection = new X509Certificate2Collection();
                          var certificateList = certificateCollection.Cast<X509Certificate2>().ToList().OrderByDescending(c => c.HasPrivateKey);
                          settings.SslSettings = new SslSettings {
                              ClientCertificates = certificateList,
                              CheckCertificateRevocation = false,

      certificatePath: location of pfx file containing intermediate CA cert and client cert with key

      List contains two X509Certificate2 objects. if first certificate in list is intermediate CA, error on mongodb server is:
      Failed to authenticate CN=xsuser@$external with mechanism MONGODB-X509: AuthenticationFailed: There is no x.509 client certificate matching the user.

      But if first certificate in list is client certificate (second intermediate certificate), mongodb says: 
      SSL peer certificate validation failed: unable to verify the first certificate

      since mongo command and python client with same certificate chain can connect just fine i assume C# driver has something to do with it. Or maybe i'm  missing something about client configuration regarding x509 auth with intermediate CA? There is no documentation specific about intermediate CA.


        Issue Links



              Unassigned Unassigned
              tomaxsas@gmail.com Tomas Žaleniakas
              0 Vote for this issue
              3 Start watching this issue