Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow multiple certificates in CACertificateFile #499

Closed
bgrainger opened this issue May 18, 2018 · 0 comments
Closed

Allow multiple certificates in CACertificateFile #499

bgrainger opened this issue May 18, 2018 · 0 comments
Assignees

Comments

@bgrainger
Copy link
Member

bgrainger commented May 18, 2018

The Amazon Aurora documentation references a "bundled" certificate file: rds-combined-ca-bundle.pem.

This file is simply concatenated certificates:

-----BEGIN CERTIFICATE-----
MIID9DCCAtygAwIBAgIBQjANBgkqhkiG9w0BAQUFADCBijELMAkGA1UEBhMCVVMx
[ snip ]
/40NawZfTUU=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEATCCAumgAwIBAgIBRDANBgkqhkiG9w0BAQUFADCBijELMAkGA1UEBhMCVVMx
[ snip ]
VPrXn2899T1rcTtFYFP16WXjGuc0
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEATCCAumgAwIBAgIBRTANBgkqhkiG9w0BAQUFADCBijELMAkGA1UEBhMCVVMx
...

It comprises a (self-signed) root certificate and multiple intermediate certificates. We need both the root and the intermediate certificates to verify the certificate chain for an Aurora SSL connection (see #498).

Since Amazon already makes this bundled certificate available, and creating a bundled certificate isn't hard, it makes most sense to allow the existing CACertificateFile connection string option to point to a bundled certificate file (as opposed to interpreting it as a delimited list of file names). Currently new X509Certificate2(string) only loads the first certificate in the file, so we would need to manually split the file into multiple byte[] and create multiple X509Certificate2 objects.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

No branches or pull requests

1 participant