Core Server / SERVER-37296

Did KMIP CN requirement change to SAN?

    • Type: Question
    • Resolution: Done
    • Priority: Major - P3
    • None
    • Affects Version/s: 3.6.6
    • Component/s: None
    • Labels: None
    • Security 2018-10-08

      Hello, we're working with a customer trying to close a MongoDB Enterprise sale. They are connecting to our key management server via KMIP.

       

      Previously (v 3.2), the CN had to exactly match the KMIP hostname specified in the mongo configuration. Now, the error is as follows:

      2018-09-17T17:36:50.040+0800 E STORAGE  [initandlisten] Unable to retrieve key .system, error: socket exception [CONNECT_ERROR] for The server certificate does not match the host name. Hostname: [<hostname>] does not match SAN(s): akm
      

       

      Did the requirement change that the hostname must now be in the subject alternative name? If so, when did it change? And can this information be documented in the KMIP docs?

       

      If the requirement did not change and the CN already matches the hostname, what would cause it to reject the SAN?

       

      I'm supposed to tag Kenn White on this issue, but see no way to do that.

       

      Thank you,

      Nick
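
The error quoted in the issue reports a comparison against SAN entries only. As an added example (not part of the original issue and not MongoDB's code), this Python check applies the RFC 6125 rule that a certificate's CN is consulted only when the certificate carries no dNSName SAN. That the server follows this rule is an assumption; the host name `kmip.example.test` and the certificate dicts are constructed, with only the SAN value `akm` taken from the log line.

```python
import ipaddress

def _dns_match(pattern, host):
    """Compare a dNSName pattern to a host name label by label.
    '*' is honoured only as the whole left-most label of 3+ labels."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return h[0] != "" and p[1:] == h[1:]
    return p == h

def check_host(cert, host):
    """Return (ok, source, names_checked). `cert` uses the dict layout of
    ssl.SSLSocket.getpeercert(); `source` is 'SAN' or 'CN'."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals are matched against iPAddress SAN entries only.
        ips = [v for t, v in san if t == "IP Address"]
        return any(ipaddress.ip_address(v) == ip for v in ips), "SAN", ips
    dns = [v for t, v in san if t == "DNS"]
    if dns:
        # dNSName SAN entries present: the CN is never consulted.
        return any(_dns_match(d, host) for d in dns), "SAN", dns
    cns = [v for rdn in cert.get("subject", ())
           for k, v in rdn if k == "commonName"]
    return any(_dns_match(c, host) for c in cns), "CN", cns

# Constructed certificates; only the SAN value "akm" comes from the log line.
HOST = "kmip.example.test"
SUBJECT = ((("commonName", HOST),),)
CN_ONLY = {"subject": SUBJECT}
CN_PLUS_OTHER_SAN = {"subject": SUBJECT, "subjectAltName": (("DNS", "akm"),)}
REISSUED = {"subject": SUBJECT,
            "subjectAltName": (("DNS", "akm"), ("DNS", HOST))}

if __name__ == "__main__":
    for name, cert in [("CN only", CN_ONLY),
                       ("CN + SAN akm", CN_PLUS_OTHER_SAN),
                       ("reissued", REISSUED)]:
        print(name, check_host(cert, HOST))
```

Under this rule a certificate whose CN matches the configured host name still fails once any dNSName SAN is present and none of them matches, so the fix on the certificate side is to reissue it with the host name in the SAN.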

            Assignee: Sara Golemon (sara.golemon@mongodb.com)
            Reporter: Nicholas Bayle (nicholasbayle)
            Votes: 0
            Watchers: 8
