[SERVER-62326] Implement certificateSelector for OpenSSL Created: 31/Dec/21  Updated: 02/May/23

Status: Backlog
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Task Priority: Major - P3
Reporter: Spencer Jackson Assignee: Backlog - Security Team
Resolution: Unresolved Votes: 2
Labels: former-quick-wins
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Documented
Assigned Teams:
Server Security
Participants:
Case:

Description

On Windows and Mac OS, the server's TLS subsystem supports an option named net.tls.certificateSelector. This option is an alternative to net.tls.certificateKeyFile, and allows an administrator to specify an identifier for an X.509 certificate and private key contained in the system trust store which the server will attempt to use. The administrator doesn't need to provision a PEM file containing these artefacts. This is convenient if the system is centrally managed, and has the relevant CAs and identities pre-provisioned in the system trust store.

To maintain platform equivalence, we should introduce support for the following options to the OpenSSL implementation of the server's TLS stack:

  • net.tls.certificateSelector
  • net.tls.clusterCertificateSelector
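To make the selector semantics described above concrete, here is a small model of what a certificateSelector lookup has to do against a store: parse the selector, find exactly one matching identity, and confirm a private key is available. This is an added example, not MongoDB server code and not the Windows/macOS implementation; it assumes selectors of the form "subject=<name>" or "thumbprint=<hex SHA-1 of the DER certificate>", and the store contents, DER blobs and names below are constructed placeholders.

```python
"""Model of a net.tls.certificateSelector lookup (added example, not server code).

Assumptions (not taken from the ticket): a selector is "subject=<name>" or
"thumbprint=<40 hex digits>", and the store is a list of StoredIdentity
records. The DER bytes below are constructed placeholders, not real certificates.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class StoredIdentity:
    subject: str            # subject name as the store presents it (assumed CN-like string)
    der: bytes              # DER-encoded certificate (placeholder bytes here)
    has_private_key: bool   # whether the store holds a usable private key for this cert


class SelectorError(ValueError):
    """Raised when a selector is malformed, ambiguous, or matches nothing usable."""


def parse_selector(selector: str) -> Tuple[str, str]:
    """Split '<kind>=<value>' and normalise the value for the given kind."""
    if "=" not in selector:
        raise SelectorError("selector must be '<kind>=<value>'")
    kind, value = selector.split("=", 1)
    kind = kind.strip().lower()
    value = value.strip().strip('"')
    if not value:
        raise SelectorError("selector value is empty")
    if kind == "subject":
        return kind, value
    if kind == "thumbprint":
        # Accept the colon/space separated form that store tooling often prints.
        hexval = value.replace(":", "").replace(" ", "").lower()
        if len(hexval) != 40 or any(c not in "0123456789abcdef" for c in hexval):
            raise SelectorError("thumbprint must be 40 hex digits (SHA-1 of the DER)")
        return kind, hexval
    raise SelectorError(f"unsupported selector kind: {kind!r}")


def thumbprint(der: bytes) -> str:
    """SHA-1 of the DER encoding, lower-case hex (the usual 'thumbprint' definition)."""
    return hashlib.sha1(der).hexdigest()


def select_identity(selector: str, store: List[StoredIdentity]) -> StoredIdentity:
    """Return the single usable identity the selector names, or raise SelectorError."""
    kind, value = parse_selector(selector)
    if kind == "subject":
        matches = [i for i in store if i.subject == value]
    else:
        matches = [i for i in store if thumbprint(i.der) == value]
    if not matches:
        raise SelectorError(f"no certificate matches {selector!r}")
    if len(matches) > 1:
        # Silently picking one would make the server's identity depend on store order.
        raise SelectorError(f"{len(matches)} certificates match {selector!r}; selector is ambiguous")
    chosen = matches[0]
    if not chosen.has_private_key:
        raise SelectorError("matched certificate has no usable private key in the store")
    return chosen


def selection_error(selector: str, store: List[StoredIdentity]) -> Optional[str]:
    """Convenience wrapper: the error message a failed selection would report, else None."""
    try:
        select_identity(selector, store)
    except SelectorError as exc:
        return str(exc)
    return None


# Constructed sample store: placeholder DER bytes, not real certificates.
SAMPLE_STORE = [
    StoredIdentity("mongod.example.net", b"constructed-der-1", True),
    StoredIdentity("old.example.net", b"constructed-der-2", False),   # no private key
    StoredIdentity("dup.example.net", b"constructed-der-3", True),    # ambiguous subject
    StoredIdentity("dup.example.net", b"constructed-der-4", True),
]

if __name__ == "__main__":
    ident = select_identity("subject=mongod.example.net", SAMPLE_STORE)
    print("selected", ident.subject, "thumbprint", thumbprint(ident.der))
    for bad in ("subject=dup.example.net", "subject=old.example.net", "serial=1"):
        print(bad, "->", selection_error(bad, SAMPLE_STORE))
```

The three failure paths (no match, more than one match, matched certificate without a private key) are the cases an OpenSSL-backed implementation would have to report clearly at startup, since with a selector there is no PEM file whose absence would otherwise make the misconfiguration obvious.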

Generated at Thu Feb 08 05:54:49 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.