-
Type:
Task
-
Resolution: Fixed
-
Priority:
Major - P3
-
Affects Version/s: None
-
Component/s: None
-
None
-
Fully Compatible
The new option will be called a “Certificate Selector” for each option used to read a PEM file today. No new options will be used to read CA certs or CRL lists as these will be retrieved from the system certificate store by the native SSL library automatically. Both platforms will check OCSP for CRLs.
| Existing Option | New Option | Config Name |
|---|---|---|
| sslPEMKeyFile | sslCertificateSelector | net.ssl.CertificateSelector |
| sslClusterFile | sslClusterCertificateSelector | net.ssl.ClusterCertificateSelector |
| kmipClientCertificateFile | kmipClientCertificateSelector | security.kmip.ClientCertificateSelector |
It is a startup error to specify a certificate selector and file for the same parameter.
The format of the certificate selector is:
<certificate property>=<value>
The following certificate properties are supported:
| Property | Value | Description |
|---|---|---|
| subject | An ASCII string | Matches Subject Name |
| thumbprint | Hex string | Matches Thumbprint |
The property names are case-sensitive. For subject name, the match is exact, case-sensitive string match. Only one property may be specified in a search. In the case of two or more certificates matching the same search criteria, the certificate returned is undefined, and depends on the OS behavior.
- is related to
-
TOOLS-2362 Add certificate selector command-line/config options
-
- Accepted
-