Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-39571

mongod cannot verify certificates from the CNG provider

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.0.7, 4.1.9
    • Component/s: Security
    • Labels:
      None
    • Backwards Compatibility:
      Fully Compatible
    • Operating System:
      ALL
    • Backport Requested:
      v4.0
    • Steps To Reproduce:
      Hide

      1. Call New-SelfSignedCertificate
      2. ./mongo.exe --ssl --sslCertificateSelector thumbprint=<thumbprint>

      Show
      1. Call New-SelfSignedCertificate 2. ./mongo.exe --ssl --sslCertificateSelector thumbprint=<thumbprint>
    • Sprint:
      Security 2019-03-11
    • Case:

      Description

      When MongoD loads a certificate from the Windows certificate store, it verifies there is a accessible private key to give users a clear error. This works correctly for CryptAPI created certificates but not CNG created certificates.

      Additionally, we should warn users that if we get NTE_BAD_KEYSET, they need to fix their permissions on the private key when we load a CNG certificate.

        Attachments

          Activity

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: