[DOCS-4103] x509 client and server certificates Created: 29/Sep/14  Updated: 16/Mar/15  Resolved: 16/Oct/14

Status: Closed
Project: Documentation
Component/s: manual
Affects Version/s: None
Fix Version/s: v1.3.12

Type: Bug Priority: Major - P3
Reporter: Alexander Komyagin Assignee: Sam Kleinman (Inactive)
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

http://docs.mongodb.org/manual/tutorial/configure-x509-member-authentication/


Issue Links:
Related
is related to DOCS-4572 Clarify extendedKeyUsage needs of ser... Closed

Description

It is possible to use a single x509 certificate for both member authentication and x.509 client authentication. To do so, obtain a certificate with both clientAuth and serverAuth (i.e. “TLS Web Client Authentication” and “TLS Web Server Authentication”) specified as Extended Key Usage (EKU) values, or simply do not specify any EKU values. Provide this file as the --sslPEMKeyFile and omit the --sslClusterFile option described below.

It is very confusing, as it might sound that we encourage to use the same x509 certificate for both client and server authentication.



Comments
Comment by Githook User [ 16/Oct/14 ]

Author: Sam Kleinman (username: tychoish, email: samk@10gen.com)

Message: DOCS-4103: clarification to client/member auth x509
Branch: master
https://github.com/mongodb/docs/commit/8227ff3ba3640919ea7c37707253777a659df712

Comment by Kevin Pulo [ 30/Sep/14 ]

This version seems to suggest that we recommend setting both clientAuth and serverAuth. This would only be the case if someone wanted one certificate that can be used for both client and server authentication. We should be able to mention that this is possible, without suggesting that it is recommended or should always be done (since the general recommendation is to use only clientAuth for certificates that will be presented when connecting to a server, and only serverAuth for certificates that will be presented to connecting clients). I.e. it doesn't mention that this is for the --sslPEMKeyFile but no --sslClusterFile case.

Can I suggest the following (or similar):

It is possible to use an x509 certificate for member authentication that doesn't have Extended Key Usage (EKU) attributes set. However, if EKU attributes are used in the --sslPEMKeyFile certificate, then either (or both) the clientAuth and serverAuth (i.e. “TLS Web Client Authentication” and “TLS Web Server Authentication”) attributes should be specified, depending on how the certificate will be used. The certificate specified to --sslPEMKeyFile requires the serverAuth attribute, while the certificate specified to --sslClusterFile requires the clientAuth attribute. As described below, if --sslClusterFile is omitted, it defaults to the file given to --sslPEMKeyFile.
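The rule stated in the comment above (no EKU means any role is allowed; with EKU, --sslPEMKeyFile needs serverAuth, --sslClusterFile needs clientAuth, and an omitted --sslClusterFile means the --sslPEMKeyFile certificate must satisfy both roles) can be turned into a pre-deployment check. The following is an added example written for this ticket; it is not part of the MongoDB documentation or code base. The DER byte strings are constructed EKU extension values, the function names are hypothetical, and the optional PEM loader assumes the third-party `cryptography` package is installed.

```python
"""Check x509 Extended Key Usage (EKU) values against the two MongoDB member-auth roles."""
from typing import FrozenSet, List, Optional

# id-kp OIDs from RFC 5280 section 4.2.1.12
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # "TLS Web Server Authentication"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # "TLS Web Client Authentication"

# Constructed DER values of an extendedKeyUsage extension (SEQUENCE OF OBJECT IDENTIFIER).
SERVER_ONLY_DER = bytes.fromhex("300a06082b06010505070301")
BOTH_DER = bytes.fromhex("301406082b0601050507030106082b06010505070302")


def _decode_oid(body: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]  # first octet packs the first two arcs
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)  # base-128, high bit marks continuation
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_eku_extension(der: bytes) -> FrozenSet[str]:
    """Parse a DER-encoded EKU extension value into the set of OIDs it lists.
    Only short-form lengths (< 128 bytes) are handled, which covers real EKU lists."""
    if len(der) < 2 or der[0] != 0x30 or der[1] & 0x80 or len(der) != 2 + der[1]:
        raise ValueError("not a well-formed short-form DER SEQUENCE")
    oids, pos, end = set(), 2, 2 + der[1]
    while pos < end:
        if der[pos] != 0x06 or pos + 1 >= end:
            raise ValueError("expected OBJECT IDENTIFIER")
        length = der[pos + 1]
        if length & 0x80 or pos + 2 + length > end:
            raise ValueError("bad OID length")
        oids.add(_decode_oid(der[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return frozenset(oids)


def role_ok(eku: Optional[FrozenSet[str]], required_oid: str) -> bool:
    """A certificate with no EKU extension (None) is acceptable for any role;
    one that carries EKU must list the role's OID."""
    return eku is None or required_oid in eku


_OMITTED = object()  # sentinel: --sslClusterFile not given on the command line


def check_member_auth_certs(pem_key_file_eku: Optional[FrozenSet[str]],
                            cluster_file_eku=_OMITTED) -> List[str]:
    """Return the list of EKU problems for a mongod configuration (empty means acceptable).
    Each argument is a frozenset of OIDs, or None for a certificate without EKU.
    Leaving cluster_file_eku out models omitting --sslClusterFile, so the --sslPEMKeyFile
    certificate is also presented as the cluster client certificate."""
    problems = []
    if not role_ok(pem_key_file_eku, SERVER_AUTH):
        problems.append("--sslPEMKeyFile certificate has EKU but lacks serverAuth")
    if cluster_file_eku is _OMITTED:
        if not role_ok(pem_key_file_eku, CLIENT_AUTH):
            problems.append("--sslClusterFile omitted: --sslPEMKeyFile certificate "
                            "is also used for member auth but lacks clientAuth")
    elif not role_ok(cluster_file_eku, CLIENT_AUTH):
        problems.append("--sslClusterFile certificate has EKU but lacks clientAuth")
    return problems


def eku_from_pem(path: str) -> Optional[FrozenSet[str]]:
    """Read the EKU OIDs of a PEM certificate (assumption: 'cryptography' is installed).
    Returns None when the certificate has no EKU extension."""
    from cryptography import x509
    from cryptography.x509.oid import ExtensionOID
    with open(path, "rb") as f:
        cert = x509.load_pem_x509_certificate(f.read())
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.EXTENDED_KEY_USAGE)
    except x509.ExtensionNotFound:
        return None
    return frozenset(oid.dotted_string for oid in ext.value)


if __name__ == "__main__":
    server_only = parse_eku_extension(SERVER_ONLY_DER)
    both = parse_eku_extension(BOTH_DER)
    print(check_member_auth_certs(server_only))                         # cluster role lacks clientAuth
    print(check_member_auth_certs(both))                                # [] single cert for both roles
    print(check_member_auth_certs(server_only, frozenset({CLIENT_AUTH})))  # [] separate certs
    print(check_member_auth_certs(None))                                # [] no EKU at all
```

`check_member_auth_certs` is deliberately split from the PEM loader so the policy can be tested without certificate files; in practice you would call `eku_from_pem` on the files named by --sslPEMKeyFile and --sslClusterFile and refuse to start (or alert) when the returned list is non-empty.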

Comment by Alexander Komyagin [ 29/Sep/14 ]

I suggest to rephrase:

It is possible to use an x509 certificate for member authentication that doesn't have Extended Key Usage (EKU) attributes set. However, if EKU attributes are used in the --sslPEMKeyFile certificate, both clientAuth and serverAuth (i.e. “TLS Web Client Authentication” and “TLS Web Server Authentication”) should be specified.

Generated at Thu Feb 08 07:47:12 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.