[SERVER-39571] mongod cannot verify certificates from the CNG provider
Created: 13/Feb/19  Updated: 29/Oct/23  Resolved: 28/Feb/19

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 4.0.7, 4.1.9

Type: Bug Priority: Major - P3
Reporter: Mark Benvenuto Assignee: Mark Benvenuto
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v4.0
Steps To Reproduce:

1. Call New-SelfSignedCertificate
2. ./mongo.exe --ssl --sslCertificateSelector thumbprint=<thumbprint>

Sprint: Security 2019-03-11
Participants:
Case:

 Description   

When MongoD loads a certificate from the Windows certificate store, it verifies there is an accessible private key to give users a clear error. This works correctly for CryptoAPI-created certificates but not CNG-created certificates.

Additionally, we should warn users that if we get NTE_BAD_KEYSET, they need to fix their permissions on the private key when we load a CNG certificate.
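
An administrator-side check for the situation described above, added here as an example and not taken from the MongoDB fix: it opens the certificate's private key, reports whether the key file sits in the CNG or the CryptoAPI machine key directory, and checks whether a given account has a direct read entry on that file. It assumes Windows PowerShell 5.1, an elevated session, an RSA software key, and a certificate in `Cert:\LocalMachine\My`; `$Thumbprint` and `$Account` are placeholders supplied by the caller.

```powershell
# Added diagnostic, not MongoDB code. Assumes an RSA certificate in
# Cert:\LocalMachine\My and an elevated Windows PowerShell 5.1 session.
param(
    [Parameter(Mandatory)][string]$Thumbprint,   # placeholder: certificate thumbprint
    [Parameter(Mandatory)][string]$Account       # placeholder: account mongod runs as
)

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key reference.' }

try {
    $key = [Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
} catch {
    $e = $_.Exception.GetBaseException()
    # 0x80090016 is NTE_BAD_KEYSET, the error named in the ticket.
    if ($e.HResult -eq 0x80090016) {
        throw 'NTE_BAD_KEYSET: this session cannot open the key; check the key file ACL.'
    }
    throw
}
if ($null -eq $key) { throw 'Not an RSA key; this sketch handles RSA only.' }

# The returned object type decides which property exposes the container name.
$name = if ($key -is [Security.Cryptography.RSACng]) { $key.Key.UniqueName } else {
    $key.CspKeyContainerInfo.UniqueKeyContainerName }

# Machine-scope software keys: CNG and CryptoAPI use different directories.
$dirs = [ordered]@{
    'CNG'       = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'
    'CryptoAPI' = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
}
$hit = foreach ($api in $dirs.Keys) {
    $path = Join-Path $dirs[$api] $name
    if (Test-Path -LiteralPath $path) { [pscustomobject]@{ Api = $api; Path = $path } }
}
if (-not $hit) { throw "No key file for container '$name' (hardware or user-scoped key?)." }
$hit = @($hit)[0]

$read  = [Security.AccessControl.FileSystemRights]::Read
$allow = (Get-Acl -LiteralPath $hit.Path).Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $read) -eq $read
}
# DirectRead only reflects ACL entries naming $Account; group-derived access is not resolved.
[pscustomobject]@{ KeyApi = $hit.Api; KeyFile = $hit.Path; Account = $Account; DirectRead = [bool]$allow }
```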



 Comments   
Comment by Githook User [ 01/Mar/19 ]

Author: Mark Benvenuto (markbenvenuto) <mark.benvenuto@mongodb.com>

Message: SERVER-39571 mongod cannot verify certificates from the CNG provider

(cherry picked from commit 34cf12d1ea67a7f11266452e44f5c2241f453f23)
Branch: v4.0
https://github.com/mongodb/mongo/commit/cc2361a62962a3abd17ac20136d25ee2df279b70

Comment by Githook User [ 28/Feb/19 ]

Author: Mark Benvenuto (markbenvenuto) <mark.benvenuto@mongodb.com>

Message: SERVER-39571 mongod cannot verify certificates from the CNG provider
Branch: master
https://github.com/mongodb/mongo/commit/34cf12d1ea67a7f11266452e44f5c2241f453f23

Generated at Thu Feb 08 04:52:27 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.