[DOCS-4572] Clarify extendedKeyUsage needs of server/client SSL certificates Created: 21/Dec/14  Updated: 30/Oct/23  Due: 08/Jun/15  Resolved: 01/Nov/22

Status: Closed
Project: Documentation
Component/s: manual, Server
Affects Version/s: None
Fix Version/s: Server_Docs_20231030

Type: Bug Priority: Major - P3
Reporter: Kevin Pulo Assignee: Unassigned
Resolution: Won't Fix Votes: 5
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to DOCS-4103 x509 client and server certificates Closed
Participants:
Days since reply: 1 year, 14 weeks, 1 day ago
Epic Link: DOCSP-1769

Description

In http://docs.mongodb.org/manual/tutorial/upgrade-cluster-to-ssl/ it is not clear that a certificate given to --sslPEMKeyFile must have either:

  • both serverAuth and clientAuth extendedKeyUsage flags, or
  • neither of them (which defaults to a certificate that is usable for any purpose).

This information is available in

but neither of these locations is obvious to a user following the upgrade tutorial, since they both refer to x.509 auth (which a user might not realise is still partially relevant in this particular case) — plus they're not linked from the page in question (either directly or indirectly).

If a serverAuth certificate is generated and given to --sslPEMKeyFile, without a corresponding clientAuth cert given to --sslClusterFile, then the upgrade procedure will not work (it fails when switching from allowSSL to preferSSL).

The required certificate flags should be spelled out in (or before) step 1 of the above URL. Otherwise, users may generate certificates that work for part of the process, but then mysteriously fail to work later on.

The viable approaches that should be listed are:

  • Single cert with no extendedKeyUsage flags, passed to --sslPEMKeyFile
  • Single cert with serverAuth and clientAuth extendedKeyUsage flags, passed to --sslPEMKeyFile
  • One cert with serverAuth passed to --sslPEMKeyFile, and another cert with clientAuth passed to --sslClusterFile.
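The three viable layouts above come down to one check on the certificate handed to --sslPEMKeyFile: its extendedKeyUsage extension must be absent, or must carry both serverAuth and clientAuth; a serverAuth-only certificate needs a separate clientAuth certificate in --sslClusterFile. The following Go program is an added example that is not part of this ticket or of MongoDB's own code; it uses only the standard library, and the SelfSigned helper builds throwaway constructed certificates so the check can be exercised offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Verdict: can this certificate be the member's only --sslPEMKeyFile cert (it then has to act as both TLS server and TLS client)?
type Verdict struct{ ServerAuth, ClientAuth, OKAsSoleCert bool }

// ClassifyPEM parses one PEM-encoded certificate and reports its extendedKeyUsage state.
func ClassifyPEM(pemBytes []byte) (Verdict, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return Verdict{}, fmt.Errorf("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return Verdict{}, err
	}
	var v Verdict
	for _, eku := range cert.ExtKeyUsage { // anyExtendedKeyUsage counts as both
		v.ServerAuth = v.ServerAuth || eku == x509.ExtKeyUsageServerAuth || eku == x509.ExtKeyUsageAny
		v.ClientAuth = v.ClientAuth || eku == x509.ExtKeyUsageClientAuth || eku == x509.ExtKeyUsageAny
	}
	// No EKU extension at all (usable for any purpose) or both flags is fine; serverAuth alone needs a clientAuth cert in --sslClusterFile.
	noEKU := len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0
	v.OKAsSoleCert = noEKU || (v.ServerAuth && v.ClientAuth)
	return v, nil
}

// SelfSigned makes a short-lived, constructed self-signed certificate carrying exactly the given EKUs (nil = no extension).
func SelfSigned(ekus []x509.ExtKeyUsage) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), ExtKeyUsage: ekus,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	// serverAuth only: the layout that works for part of the upgrade and then fails at preferSSL
	fmt.Println(ClassifyPEM(SelfSigned([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})))
}
```

To check a real file, read its bytes with os.ReadFile and pass them to ClassifyPEM; a Verdict with OKAsSoleCert false means the second cert for --sslClusterFile is required.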


Comments
Comment by Education Bot [ 01/Nov/22 ]

Hello! This ticket has been closed due to inactivity. If you believe this ticket is still important, please reopen it and leave a comment to explain why. Thank you!

Comment by Alexander Komyagin [ 02/Jul/20 ]

Any update here? It's been 5 years....

Generated at Thu Feb 08 07:48:20 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.