[DOCS-6673] x509 Subject-Username Mismatch Created: 30/Nov/15  Updated: 24/Feb/16  Resolved: 12/Jan/16

Status: Closed
Project: Documentation
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement
Priority: Major - P3
Reporter: Bernard Gorman
Assignee: Ravind Kumar (Inactive)
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Participants:
Days since reply: 8 years, 5 weeks, 2 days ago

Description

In our documentation on configuring x509 client authentication, we instruct the admin to set up a MongoDB user whose name is the x509 certificate's Subject line, per RFC2253:

openssl x509 -in <pathToClient PEM> -inform PEM -subject -nameopt RFC2253

However, certain development frameworks (notably .NET) may not permit client apps to retrieve the subject from the certificate in the necessary format, as described in this StackOverflow post:

Trying to connect I encountered authentication issues. The error that appeared in the log was “There is no x.509 client certificate matching the user”. The reason was the extracted subjects were not identical. That is, the subject I extracted using openssl and then used as a name for the DB user, and the subject I extracted using the C# code and then used as a client credential.

Openssl: "CN=yakan.domain.com,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU"
C#: "CN=yakan.domain.com, O=Internet Widgits Pty Ltd, S=Some-State, C=AU"

The latter had spaces after the commas (“CN=SOMENAME, O=SOMEVALUE”), while the first did not (“CN=SOMENAME,O=SOMEVALUE”). The latter used “S=”, while the first used “ST=”. I came to the conclusion that the C# X509Certificate2.Subject method simply does not format the value according to RFC2253.

There does not appear to be any resolution except for client applications to perform their own string manipulation on the Subject field before authenticating. A note to this effect in the x509 documentation would be helpful.
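
The client-side string manipulation described above could look like the following in a .NET application. This is an added example, not code from the ticket or from the MongoDB documentation; `SubjectNormalizer` and `ToRfc2253` are hypothetical names. It assumes single-valued RDNs and covers only the `S`/`ST` rename shown above, plus the double-quoted values .NET emits where RFC 2253 uses backslash escapes.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

public static class SubjectNormalizer
{
    // Attribute names that differ between the two outputs. Only the pair shown
    // in this ticket is listed; extend it if your certificates need more.
    static readonly Dictionary<string, string> Rename =
        new Dictionary<string, string> { { "S", "ST" } };

    public static string ToRfc2253(string subject)
    {
        var parts = new List<string>();
        var cur = new StringBuilder();
        bool quoted = false;
        foreach (char c in subject)
        {
            if (c == '"') quoted = !quoted;   // a doubled "" toggles twice, so state is kept
            if (c == ',' && !quoted) { parts.Add(Rdn(cur.ToString())); cur.Clear(); }
            else cur.Append(c);
        }
        parts.Add(Rdn(cur.ToString()));
        return string.Join(",", parts);       // RFC 2253 form: no space after the comma
    }

    static string Rdn(string rdn)
    {
        int eq = rdn.IndexOf('=');
        if (eq < 0) throw new FormatException("No '=' in component: " + rdn);
        string key = rdn.Substring(0, eq).Trim();
        string val = rdn.Substring(eq + 1).Trim();
        if (Rename.TryGetValue(key, out string mapped)) key = mapped;
        if (val.Length >= 2 && val[0] == '"' && val[val.Length - 1] == '"')
        {
            // Quoted value: unwrap it, then backslash-escape the RFC 2253 specials.
            string raw = val.Substring(1, val.Length - 2).Replace("\"\"", "\"");
            var sb = new StringBuilder();
            foreach (char c in raw) sb.Append(",+\"\\<>;".IndexOf(c) >= 0 ? "\\" + c : c.ToString());
            val = sb.ToString();
        }
        return key + "=" + val;
    }

    public static void Main()
    {
        // First input: the C# string quoted in the ticket. Second: constructed sample.
        Console.WriteLine(ToRfc2253("CN=yakan.domain.com, O=Internet Widgits Pty Ltd, S=Some-State, C=AU"));
        Console.WriteLine(ToRfc2253("CN=app1, O=\"Example, Inc.\", S=Some-State, C=AU"));
    }
}
```

Compare the result with the `openssl x509 ... -nameopt RFC2253` output for the same certificate before relying on it, since the MongoDB user name must match that string exactly.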



Comments
Comment by Githook User [ 11/Jan/16 ]

Author: ravind (rkumar-mongo) <ravind.kumar@10gen.com>

Message: DOCS-6673 : Specify importance of subject string format for authentication

Code Review: Kim Edits + Allison Edits

Signed-off-by: kay <kay.kim@10gen.com>
Branch: master
https://github.com/mongodb/docs/commit/911cb3319bba8408b8d05d9f64c16be9efeb60e6

Generated at Thu Feb 08 07:52:46 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.