[DOCS-4572] Clarify extendedKeyUsage needs of server/client SSL certificates Created: 21/Dec/14 Updated: 30/Oct/23 Due: 08/Jun/15 Resolved: 01/Nov/22 |
|
| Status: | Closed |
| Project: | Documentation |
| Component/s: | manual, Server |
| Affects Version/s: | None |
| Fix Version/s: | Server_Docs_20231030 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Kevin Pulo | Assignee: | Unassigned |
| Resolution: | Won't Fix | Votes: | 5 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||
| Participants: | |||||||||
| Days since reply: | 1 year, 14 weeks, 1 day ago | ||||||||
| Epic Link: | DOCSP-1769 | ||||||||
| Description |
|
In http://docs.mongodb.org/manual/tutorial/upgrade-cluster-to-ssl/ it is not clear that a certificate given to --sslPEMKeyFile must have either:
This information is available in
but neither of these locations are obvious to a user following the upgrade tutorial, since they both refer to x.509 auth (which a user might not realise is still partially relevant in this particular case) — plus they're not linked from the page in question (either directly or indirectly). If a serverAuth certificate is generated and given to --sslPEMKeyFile, without a corresponding clientAuth cert given to --sslClusterFile, then the upgrade procedure will not work (it fails when switching from allowSSL to preferSSL). The required certificate flags should be spelled out in (or before) step 1 of the above URL. Otherwise, users may generate certificates that work for part of the process, but then mysteriously fail to work later on. The viable approaches that should be listed are:
|
| Comments |
| Comment by Education Bot [ 01/Nov/22 ] |
|
Hello! This ticket has been closed due to inactivity. If you believe this ticket is still important, please reopen it and leave a comment to explain why. Thank you! |
| Comment by Alexander Komyagin [ 02/Jul/20 ] |
|
Any update here? It's been 5 years.... |