[SERVER-45187] Update OCSP test certificates to X.509 v3 Created: 17/Dec/19  Updated: 29/Oct/23  Resolved: 26/Dec/19

Status: Closed
Project: Core Server
Component/s: Testing Infrastructure
Affects Version/s: None
Fix Version/s: 4.3.3

Type: Improvement Priority: Major - P3
Reporter: Vincent Kam (Inactive) Assignee: Sara Golemon
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2019-12-16-22-39-21-701.png     PNG File image-2019-12-16-22-40-01-257.png    
Backwards Compatibility: Fully Compatible
Sprint: Security 2019-12-30
Participants:

 Description   

While POCing OCSP using the .NET and Java drivers and server team's mock ocsp responder and certs in jstests/libs/ocsp that shreyaskal kindly pointed me at, I discovered I was unable to import the ca_ocsp certificate into a Java trust store.

keytool -import -trustcacerts -keystore cacerts -alias ca_ocsp -file ca_ocsp.pem
keytool error: java.lang.Exception: Input not an X.509 certificate

Further trial and error revealed that Java's keytool utility was willing to add an X.509 v3 certificate, but not the ca_ocsp.pem certificate because it appears to be an X.509 v1 certificate (see screenshot).

Updating mkcert.py to output v3 certificates seems to have solved this issue for me, and I've created a PR as the drivers team is planning on using the mock ocsp responder and the associated certificates for testing OCSP.
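
Added example (not part of the ticket or the MongoDB repository): one way to check which X.509 version each certificate in a PEM file declares, by reading the version field directly from the DER encoding. All function names are hypothetical, and the sample inputs are constructed and hold only a certificate's leading fields, not a full certificate.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def x509_version(der):
    """Return 1, 2 or 3 as declared in the certificate's TBSCertificate."""
    tag, start, _ = read_tlv(der, 0)        # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, start, _ = read_tlv(der, start)    # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("missing TBSCertificate")
    tag, start, end = read_tlv(der, start)  # first field of TBSCertificate
    if tag != 0xA0:                         # no [0] tag: version takes DEFAULT v1
        return 1
    tag, start, end = read_tlv(der, start)  # INTEGER wrapped by the [0] tag
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(der[start:end], "big") + 1   # 0 -> v1, 2 -> v3

def pem_versions(pem_text):
    """Version of every certificate block found in a PEM file's text."""
    return [x509_version(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]

def _tlv(tag, body):                        # sample builder, short lengths only
    return bytes([tag, len(body)]) + body

def _sample_pem(version_field):
    """Constructed input: only a certificate's leading fields, PEM-wrapped."""
    der = _tlv(0x30, _tlv(0x30, version_field + _tlv(0x02, b"\x01")))
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

SAMPLE_V1_PEM = _sample_pem(b"")                             # version omitted
SAMPLE_V3_PEM = _sample_pem(_tlv(0xA0, _tlv(0x02, b"\x02"))) # version = 2
```

A v1 certificate carries no version field at all, so the check is for the absence of the [0] tag rather than for a stored value of 0.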



 Comments   
Comment by Githook User [ 26/Dec/19 ]

Author: Sara Golemon <sara.golemon@mongodb.com> (sgolemon)

Message: SERVER-45187 Remint OCSP test certificates using X509v3 format
Branch: master
https://github.com/mongodb/mongo/commit/1b4b1da6f590addfddab860c18292e0f4e5e2939
