[SERVER-32979] Add certificate selector for Windows for SChannel Created: 29/Jan/18  Updated: 29/Oct/23  Resolved: 23/Mar/18

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 3.7.4

Type: Task Priority: Major - P3
Reporter: Mark Benvenuto Assignee: Mark Benvenuto
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Documented
is documented by DOCS-11607 Docs for SERVER-32979: Add certificat... Closed
Related
is related to TOOLS-2362 Add certificate selector command-line... Accepted
Backwards Compatibility: Fully Compatible
Sprint: Platforms 2018-03-26
Participants:

 Description   

The new option will be called a “Certificate Selector” for each option used to read a PEM file today. No new options will be used to read CA certs or CRL lists as these will be retrieved from the system certificate store by the native SSL library automatically. Both platforms will check OCSP for CRLs.

| Existing Option | New Option | Config Name |
|---|---|---|
| sslPEMKeyFile | sslCertificateSelector | net.ssl.CertificateSelector |
| sslClusterFile | sslClusterCertificateSelector | net.ssl.ClusterCertificateSelector |
| kmipClientCertificateFile | kmipClientCertificateSelector | security.kmip.ClientCertificateSelector |

It is a startup error to specify a certificate selector and file for the same parameter.

The format of the certificate selector is:

<certificate property>=<value>

The following certificate properties are supported:

| Property | Value | Description |
|---|---|---|
| subject | An ASCII string | Matches Subject Name |
| thumbprint | Hex string | Matches Thumbprint |

The property names are case-sensitive. For subject name, the match is an exact, case-sensitive string match. Only one property may be specified in a search. If two or more certificates match the same search criteria, the certificate returned is undefined and depends on the OS behavior.
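
A pre-flight check for the rules above, as an added example that is not MongoDB's code. The helper names are hypothetical, and splitting at the first '=' and requiring bare, even-length hex for a thumbprint are assumptions.

```cpp
#include <cctype>
#include <string>
#include <vector>

// Hypothetical helper names; this is not MongoDB's implementation.
enum class Kind { Invalid, Subject, Thumbprint };
struct Selector {
    Kind kind;
    std::string value;  // subject name, or thumbprint as hex digits
    std::string error;  // reason, set only when kind == Kind::Invalid
};

static Selector fail(const std::string& why) { return Selector{Kind::Invalid, "", why}; }

// Parse "<certificate property>=<value>". The text after the first '=' is
// taken whole as the value (assumption), so a selector carries one property.
Selector parseSelector(const std::string& text) {
    const auto eq = text.find('=');
    if (eq == std::string::npos || eq + 1 == text.size())
        return fail("expected <certificate property>=<value>");
    const std::string name = text.substr(0, eq), value = text.substr(eq + 1);
    if (name == "subject") {  // property names are case-sensitive
        for (unsigned char c : value)
            if (c > 0x7f) return fail("subject must be an ASCII string");
        return Selector{Kind::Subject, value, ""};
    }
    if (name == "thumbprint") {  // assumption: bare hex digits, whole bytes
        if (value.size() % 2 != 0) return fail("thumbprint has an odd number of digits");
        for (unsigned char c : value)
            if (!std::isxdigit(c)) return fail("thumbprint must be a hex string");
        return Selector{Kind::Thumbprint, value, ""};
    }
    return fail("unsupported certificate property: " + name);
}

// Startup rule: a file and a selector for the same parameter is an error.
// An empty string means "option not set"; returns "" when the pair is acceptable.
std::string checkOptionPair(const std::string& pemFile, const std::string& selector) {
    if (!pemFile.empty() && !selector.empty())
        return "certificate file and certificate selector are mutually exclusive";
    return selector.empty() ? "" : parseSelector(selector).error;
}

// Exact, case-sensitive subject comparison over subjects listed from a store.
// A result above 1 means the certificate chosen is undefined and OS-dependent.
int countSubjectMatches(const Selector& sel, const std::vector<std::string>& storeSubjects) {
    int n = 0;
    for (const auto& s : storeSubjects) n += (sel.kind == Kind::Subject && s == sel.value);
    return n;
}
```

A subject selector that matches more than one certificate in the store is worth catching before deployment; a thumbprint selector identifies a single certificate.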



 Comments   
Comment by Githook User [ 27/Mar/18 ]

Author:

{'email': 'mark.benvenuto@mongodb.com', 'name': 'Mark Benvenuto', 'username': 'markbenvenuto'}

Message: SERVER-32979 Certificate selector - remove serial and tweaks
Branch: master
https://github.com/mongodb/mongo/commit/12aace9598e76716fd76217d32145762dcef3f9a

Comment by Githook User [ 23/Mar/18 ]

Author:

{'email': 'mark.benvenuto@mongodb.com', 'name': 'Mark Benvenuto', 'username': 'markbenvenuto'}

Message: SERVER-32979 Fix Lint
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/2b753eca8006f2308afd7a53181cb2af785dc0b9

Comment by Githook User [ 23/Mar/18 ]

Author:

{'email': 'mark.benvenuto@mongodb.com', 'name': 'Mark Benvenuto', 'username': 'markbenvenuto'}

Message: SERVER-32979 Add KMIP Certificate Selectors
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/c20ebdf5f67336f11bee77b0c7bb4b89bdea1d64

Comment by Githook User [ 23/Mar/18 ]

Author:

{'email': 'mark.benvenuto@mongodb.com', 'name': 'Mark Benvenuto', 'username': 'markbenvenuto'}

Message: SERVER-32979 Fix Lint
Branch: master
https://github.com/mongodb/mongo/commit/ace5e34b97a79eb86fc09bd9c2c2d62d8414159b

Comment by Githook User [ 23/Mar/18 ]

Author:

{'email': 'mark.benvenuto@mongodb.com', 'name': 'Mark Benvenuto', 'username': 'markbenvenuto'}

Message: SERVER-32979 Windows Certificate Selectors
Branch: master
https://github.com/mongodb/mongo/commit/bdb56ab0c0e7585f316437cfa092bdea3db567d0

Comment by Githook User [ 23/Mar/18 ]

Author:

{'email': 'mark.benvenuto@mongodb.com', 'name': 'Mark Benvenuto', 'username': 'markbenvenuto'}

Message: SERVER-32979 Add KMIP Certificate Selectors
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/e2b9d5a4cfa084357e3b0b643168ec68d90fea4f
