In our documentation on configuring x.509 client authentication, we instruct the admin to create a MongoDB user whose name is the client certificate's Subject DN formatted per RFC 2253, as printed by:
openssl x509 -in <pathToClient PEM> -inform PEM -subject -nameopt RFC2253
However, certain development frameworks (notably .NET) do not expose the certificate subject to client apps in that exact format, as described in this StackOverflow post:
Trying to connect, I encountered authentication issues. The error that appeared in the log was "There is no x.509 client certificate matching the user". The reason was that the extracted subjects were not identical: that is, the subject I extracted using openssl and then used as the name for the DB user, and the subject I extracted using the C# code and then used as the client credential.
Openssl: "CN=yakan.domain.com,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU"
C#: "CN=yakan.domain.com, O=Internet Widgits Pty Ltd, S=Some-State, C=AU"
The latter had spaces after the commas (“CN=SOMENAME, O=SOMEVALUE”), while the first did not (“CN=SOMENAME,O=SOMEVALUE”). The latter used “S=”, while the first used “ST=”. I came to the conclusion that the C# X509Certificate2.Subject method simply does not format the value according to RFC2253.
Since the server compares the presented subject with the username as an exact string, there does not appear to be any resolution other than having client applications normalize the Subject string themselves (comma spacing, attribute abbreviations such as S versus ST) before authenticating. A note to this effect in the x.509 documentation would be helpful.
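As an added illustration, not part of the original report or of the MongoDB documentation, the following Python reference implementation performs the normalization a client would need: it splits the .NET-style subject on commas that are not inside a quoted value, drops the spaces after separators, maps the Windows abbreviation S to ST, unquotes CryptoAPI-quoted values and re-escapes them the way openssl's RFC2253 name option does. The alias table, the helper names and the sample subjects are assumptions made for this example; a .NET client would port the same logic to C#.

```python
"""Normalize a .NET / Windows CryptoAPI style subject string into the
RFC 2253 form printed by `openssl x509 -subject -nameopt RFC2253`, so the
string a client presents to MongoDB matches the username created for it.

This is example code written for this page, not MongoDB's or .NET's own.
"""

# Windows abbreviations that differ from the RFC 2253 short names.
# Only S -> ST is established by the report above; any further entries
# are assumptions that must be checked against your own openssl output.
_ATTR_ALIASES = {"S": "ST"}

# Characters RFC 2253 requires to be backslash-escaped inside a value.
_RFC2253_SPECIALS = set(',+"\\<>;')


def _split_rdns(dn: str) -> list:
    """Split on commas that are not inside a double-quoted value."""
    parts, buf, in_quotes = [], [], False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == '"':
            # Windows doubles an embedded quote inside a quoted value.
            if in_quotes and i + 1 < len(dn) and dn[i + 1] == '"':
                buf.append('""')
                i += 2
                continue
            in_quotes = not in_quotes
            buf.append(ch)
        elif ch == "," and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _unquote(value: str) -> str:
    """Strip CryptoAPI quoting ("Widgits, Inc.") and undouble inner quotes."""
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1].replace('""', '"')
    return value


def _escape_rfc2253(value: str) -> str:
    """Backslash-escape specials, a leading '#'/space and a trailing space."""
    out = []
    last = len(value) - 1
    for idx, ch in enumerate(value):
        if ch in _RFC2253_SPECIALS:
            out.append("\\" + ch)
        elif ch == " " and (idx == 0 or idx == last):
            out.append("\\ ")
        elif ch == "#" and idx == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def to_rfc2253(dotnet_subject: str) -> str:
    """Return the RFC 2253 rendering of a .NET X509Certificate2.Subject string."""
    rdns = []
    for part in _split_rdns(dotnet_subject):
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        attr = _ATTR_ALIASES.get(attr.strip().upper(), attr.strip().upper())
        rdns.append(f"{attr}={_escape_rfc2253(_unquote(value))}")
    return ",".join(rdns)


def subjects_match(openssl_subject: str, dotnet_subject: str) -> bool:
    """Exact comparison, as the server performs it, after normalizing."""
    return openssl_subject == to_rfc2253(dotnet_subject)


if __name__ == "__main__":
    # Constructed sample: the subject pair quoted in the report above.
    client_side = "CN=yakan.domain.com, O=Internet Widgits Pty Ltd, S=Some-State, C=AU"
    db_user = "CN=yakan.domain.com,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU"
    print(to_rfc2253(client_side))
    print(subjects_match(db_user, client_side))
```

The function only rewrites the attribute abbreviations listed in the alias table and does not handle multi-valued RDNs joined with "+"; before relying on it, compare its output for your own certificate against the openssl command above, since other attribute types may be rendered differently still.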