diff --git a/docs/server/security/authentication/assets/cert-enhanced-key-usage.png b/docs/server/security/authentication/assets/cert-enhanced-key-usage.png index 3bfafcbdfe..3f782c73d4 100644 Binary files a/docs/server/security/authentication/assets/cert-enhanced-key-usage.png and b/docs/server/security/authentication/assets/cert-enhanced-key-usage.png differ diff --git a/docs/server/security/authentication/assets/cert-key-usage.png b/docs/server/security/authentication/assets/cert-key-usage.png index 8be2daefb3..143aefb209 100644 Binary files a/docs/server/security/authentication/assets/cert-key-usage.png and b/docs/server/security/authentication/assets/cert-key-usage.png differ diff --git a/docs/server/security/authentication/assets/export_cluster_certificates.png b/docs/server/security/authentication/assets/export_cluster_certificates.png deleted file mode 100644 index c30b07a6fa..0000000000 Binary files a/docs/server/security/authentication/assets/export_cluster_certificates.png and /dev/null differ diff --git a/docs/server/security/authentication/assets/renew_server_certificate.png b/docs/server/security/authentication/assets/renew_server_certificate.png deleted file mode 100644 index e26270f2a3..0000000000 Binary files a/docs/server/security/authentication/assets/renew_server_certificate.png and /dev/null differ diff --git a/docs/server/security/authentication/assets/upload-client-certificate.png b/docs/server/security/authentication/assets/upload-client-certificate.png deleted file mode 100644 index da88edd677..0000000000 Binary files a/docs/server/security/authentication/assets/upload-client-certificate.png and /dev/null differ diff --git a/docs/server/security/authentication/certificate-configuration.mdx b/docs/server/security/authentication/certificate-configuration.mdx index 84683fd644..2c5ccccfab 100644 --- a/docs/server/security/authentication/certificate-configuration.mdx +++ b/docs/server/security/authentication/certificate-configuration.mdx 
@@ -59,16 +59,15 @@ RavenDB will accept `.pfx` server certificates that contain the private key, are and include a basic (`Key Usage`) field and an enhanced (`Enhanced Key Usage`) field. - `Key Usage` - Permissions granted by this field: **Digital Signature**, **Key Encipherment** + Permissions granted by this field: **Digital Signature** ![Key Usage](./assets/cert-key-usage.png) - `Enhanced Key Usage` - Permissions granted by this field: **Server Authentication**, **Client Authentication** + Permissions granted by this field: **Server Authentication** - An `Enhanced Key Usage` field must include these two OIDs: + An `Enhanced Key Usage` field must include this OID: **1.3.6.1.5.5.7.3.1** - Server Authentication - **1.3.6.1.5.5.7.3.2** - Client Authentication ![Enhanced Key Usage](./assets/cert-enhanced-key-usage.png) diff --git a/docs/server/security/authorization/security-clearance-and-permissions.mdx b/docs/server/security/authorization/security-clearance-and-permissions.mdx index 5cd15c8360..bc21982f24 100644 --- a/docs/server/security/authorization/security-clearance-and-permissions.mdx +++ b/docs/server/security/authorization/security-clearance-and-permissions.mdx @@ -36,10 +36,6 @@ import LanguageContent from "@site/src/components/LanguageContent"; `Cluster Admin` is the highest security clearance. There are no restrictions. A `Cluster Admin` certificate has admin permissions to all databases. It also has the ability to modify the cluster itself. - -The server certificate security clearance is called `Cluster Node`. The server certificate can also be used as a client certificate, and in that case `Cluster Node` is equivalent to `Cluster Admin` in terms of permissions. - - The following operations are allowed **only** for `Cluster Admin` certificates: - All cluster operations diff --git a/docs/server/security/common-errors-and-faq.mdx b/docs/server/security/common-errors-and-faq.mdx index 5a3aa53e3e..0ffef0069f 100644 
--- a/docs/server/security/common-errors-and-faq.mdx +++ b/docs/server/security/common-errors-and-faq.mdx @@ -267,7 +267,7 @@ This server requires client certificate for authentication, but none was provide See [trusting an existing certificate](../../server/administration/cli.mdx#trustclientcert). #### If your browser runs under Windows 7 or Windows Server 2008 or older: -The first thing to try would be installing the **SERVER** certificate to the OS +The first thing to try would be installing the **ADMIN** certificate to the OS where your server is running, closing **all instances** of the browser and restarting it. If the issue persists, please also visit the diff --git a/docs/start/installation/setup-examples/kubernetes/azure-aks.mdx b/docs/start/installation/setup-examples/kubernetes/azure-aks.mdx index b8bc6a480b..6167ee1d0e 100644 --- a/docs/start/installation/setup-examples/kubernetes/azure-aks.mdx +++ b/docs/start/installation/setup-examples/kubernetes/azure-aks.mdx @@ -49,8 +49,8 @@ There are many tools available online that automate the process of getting the c RavenDB will accept PFX server certificates which contain the private key, are not expired, and have the following fields: -- KeyUsage: DigitalSignature, KeyEncipherment -- ExtendedKeyUsage: Client Authentication, Server Authentication +- KeyUsage: DigitalSignature +- ExtendedKeyUsage: Server Authentication If you wish to use a self-signed certificate, you must register the CA certificate in the OS. A Docker image can be created based on the RavenDB image: diff --git a/docs/start/installation/setup-wizard.mdx b/docs/start/installation/setup-wizard.mdx index 3b0787ba5c..bc20b7d3a7 100644 --- a/docs/start/installation/setup-wizard.mdx +++ b/docs/start/installation/setup-wizard.mdx 
@@ -403,8 +403,8 @@ stores on all the relevant machines. RavenDB will accept PFX server certificates which contain the private key, are not expired, and have the following fields: -- KeyUsage: DigitalSignature, KeyEncipherment -- ExtendedKeyUsage: Client Authentication, Server Authentication +- KeyUsage: DigitalSignature +- ExtendedKeyUsage: Server Authentication If you wish to use the setup wizard to construct a cluster, you must use the same certificate for all nodes. If you wish to use a different certificate for each node, it's possible only through [manual setup](../../start/installation/manual.mdx). A wildcard @@ -512,8 +512,8 @@ If you are setting up a cluster, you will use this Zip file to set up each of yo RavenDB will accept `.pfx` server certificates which contain the private key, are not expired, and have the following fields: -**KeyUsage**: DigitalSignature, KeyEncipherment -**ExtendedKeyUsage**: Client Authentication, Server Authentication +**KeyUsage**: DigitalSignature +**ExtendedKeyUsage**: Server Authentication 1. Place the `.pfx` file in a permanent location in each server/node folder. diff --git a/versioned_docs/version-5.4/server/security/authentication/assets/cert-enhanced-key-usage.png b/versioned_docs/version-5.4/server/security/authentication/assets/cert-enhanced-key-usage.png index 3bfafcbdfe..3f782c73d4 100644 Binary files a/versioned_docs/version-5.4/server/security/authentication/assets/cert-enhanced-key-usage.png and b/versioned_docs/version-5.4/server/security/authentication/assets/cert-enhanced-key-usage.png differ diff --git a/versioned_docs/version-5.4/server/security/authentication/assets/cert-key-usage.png b/versioned_docs/version-5.4/server/security/authentication/assets/cert-key-usage.png index 8be2daefb3..143aefb209 100644 Binary files a/versioned_docs/version-5.4/server/security/authentication/assets/cert-key-usage.png and b/versioned_docs/version-5.4/server/security/authentication/assets/cert-key-usage.png differ 
diff --git a/versioned_docs/version-5.4/server/security/authentication/assets/export_cluster_certificates.png b/versioned_docs/version-5.4/server/security/authentication/assets/export_cluster_certificates.png deleted file mode 100644 index c30b07a6fa..0000000000 Binary files a/versioned_docs/version-5.4/server/security/authentication/assets/export_cluster_certificates.png and /dev/null differ diff --git a/versioned_docs/version-5.4/server/security/authentication/assets/renew_server_certificate.png b/versioned_docs/version-5.4/server/security/authentication/assets/renew_server_certificate.png deleted file mode 100644 index e26270f2a3..0000000000 Binary files a/versioned_docs/version-5.4/server/security/authentication/assets/renew_server_certificate.png and /dev/null differ diff --git a/versioned_docs/version-5.4/server/security/authentication/assets/upload-client-certificate.png b/versioned_docs/version-5.4/server/security/authentication/assets/upload-client-certificate.png deleted file mode 100644 index da88edd677..0000000000 Binary files a/versioned_docs/version-5.4/server/security/authentication/assets/upload-client-certificate.png and /dev/null differ diff --git a/versioned_docs/version-5.4/server/security/authentication/certificate-configuration.mdx b/versioned_docs/version-5.4/server/security/authentication/certificate-configuration.mdx index 84683fd644..a17adac0f3 100644 --- a/versioned_docs/version-5.4/server/security/authentication/certificate-configuration.mdx +++ b/versioned_docs/version-5.4/server/security/authentication/certificate-configuration.mdx 
@@ -59,16 +59,15 @@ RavenDB will accept `.pfx` server certificates that contain the private key, are and include a basic (`Key Usage`) field and an enhanced (`Enhanced Key Usage`) field. - `Key Usage` - Permissions granted by this field: **Digital Signature**, **Key Encipherment** + Permissions granted by this field: **Digital Signature** ![Key Usage](./assets/cert-key-usage.png) - `Enhanced Key Usage` - Permissions granted by this field: **Server Authentication**, **Client Authentication** + Permissions granted by this field: **Server Authentication** - An `Enhanced Key Usage` field must include these two OIDs: + An `Enhanced Key Usage` field must include this OID: **1.3.6.1.5.5.7.3.1** - Server Authentication - **1.3.6.1.5.5.7.3.2** - Client Authentication ![Enhanced Key Usage](./assets/cert-enhanced-key-usage.png) @@ -258,3 +257,4 @@ In all secure configurations, the `ServerUrl` must contain the same domain name + diff --git a/versioned_docs/version-5.4/server/security/authorization/security-clearance-and-permissions.mdx b/versioned_docs/version-5.4/server/security/authorization/security-clearance-and-permissions.mdx index 5cd15c8360..bc21982f24 100644 --- a/versioned_docs/version-5.4/server/security/authorization/security-clearance-and-permissions.mdx +++ b/versioned_docs/version-5.4/server/security/authorization/security-clearance-and-permissions.mdx 
@@ -36,10 +36,6 @@ import LanguageContent from "@site/src/components/LanguageContent"; `Cluster Admin` is the highest security clearance. There are no restrictions. A `Cluster Admin` certificate has admin permissions to all databases. It also has the ability to modify the cluster itself. - -The server certificate security clearance is called `Cluster Node`. The server certificate can also be used as a client certificate, and in that case `Cluster Node` is equivalent to `Cluster Admin` in terms of permissions. - - The following operations are allowed **only** for `Cluster Admin` certificates: - All cluster operations diff --git a/versioned_docs/version-5.4/server/security/common-errors-and-faq.mdx b/versioned_docs/version-5.4/server/security/common-errors-and-faq.mdx index 5a3aa53e3e..f1181d38cb 100644 --- a/versioned_docs/version-5.4/server/security/common-errors-and-faq.mdx +++ b/versioned_docs/version-5.4/server/security/common-errors-and-faq.mdx @@ -267,7 +267,7 @@ This server requires client certificate for authentication, but none was provide See [trusting an existing certificate](../../server/administration/cli.mdx#trustclientcert). #### If your browser runs under Windows 7 or Windows Server 2008 or older: -The first thing to try would be installing the **SERVER** certificate to the OS +The first thing to try would be installing the **ADMIN** certificate to the OS where your server is running, closing **all instances** of the browser and restarting it. If the issue persists, please also visit the diff --git a/versioned_docs/version-5.4/start/installation/setup-examples/kubernetes/azure-aks.mdx b/versioned_docs/version-5.4/start/installation/setup-examples/kubernetes/azure-aks.mdx index b8bc6a480b..6167ee1d0e 100644 --- a/versioned_docs/version-5.4/start/installation/setup-examples/kubernetes/azure-aks.mdx +++ b/versioned_docs/version-5.4/start/installation/setup-examples/kubernetes/azure-aks.mdx 
@@ -49,8 +49,8 @@ There are many tools available online that automate the process of getting the c RavenDB will accept PFX server certificates which contain the private key, are not expired, and have the following fields: -- KeyUsage: DigitalSignature, KeyEncipherment -- ExtendedKeyUsage: Client Authentication, Server Authentication +- KeyUsage: DigitalSignature +- ExtendedKeyUsage: Server Authentication If you wish to use a self-signed certificate, you must register the CA certificate in the OS. A Docker image can be created based on the RavenDB image: diff --git a/versioned_docs/version-5.4/start/installation/setup-wizard.mdx b/versioned_docs/version-5.4/start/installation/setup-wizard.mdx index 3b0787ba5c..fb935f3a9d 100644 --- a/versioned_docs/version-5.4/start/installation/setup-wizard.mdx +++ b/versioned_docs/version-5.4/start/installation/setup-wizard.mdx @@ -403,8 +403,8 @@ stores on all the relevant machines. RavenDB will accept PFX server certificates which contain the private key, are not expired, and have the following fields: -- KeyUsage: DigitalSignature, KeyEncipherment -- ExtendedKeyUsage: Client Authentication, Server Authentication +- KeyUsage: DigitalSignature +- ExtendedKeyUsage: Server Authentication If you wish to use the setup wizard to construct a cluster, you must use the same certificate for all nodes. If you wish to use a different certificate for each node, it's possible only through [manual setup](../../start/installation/manual.mdx). A wildcard @@ -512,8 +512,8 @@ If you are setting up a cluster, you will use this Zip file to set up each of yo RavenDB will accept `.pfx` server certificates which contain the private key, are not expired, and have the following fields: -**KeyUsage**: DigitalSignature, KeyEncipherment -**ExtendedKeyUsage**: Client Authentication, Server Authentication +**KeyUsage**: DigitalSignature +**ExtendedKeyUsage**: Server Authentication 1. Place the `.pfx` file in a permanent location in each server/node folder. 
diff --git a/versioned_docs/version-6.0/server/security/authentication/assets/cert-enhanced-key-usage.png b/versioned_docs/version-6.0/server/security/authentication/assets/cert-enhanced-key-usage.png index 3bfafcbdfe..3f782c73d4 100644 Binary files a/versioned_docs/version-6.0/server/security/authentication/assets/cert-enhanced-key-usage.png and b/versioned_docs/version-6.0/server/security/authentication/assets/cert-enhanced-key-usage.png differ diff --git a/versioned_docs/version-6.0/server/security/authentication/assets/cert-key-usage.png b/versioned_docs/version-6.0/server/security/authentication/assets/cert-key-usage.png index 8be2daefb3..143aefb209 100644 Binary files a/versioned_docs/version-6.0/server/security/authentication/assets/cert-key-usage.png and b/versioned_docs/version-6.0/server/security/authentication/assets/cert-key-usage.png differ diff --git a/versioned_docs/version-6.0/server/security/authentication/assets/export_cluster_certificates.png b/versioned_docs/version-6.0/server/security/authentication/assets/export_cluster_certificates.png deleted file mode 100644 index c30b07a6fa..0000000000 Binary files a/versioned_docs/version-6.0/server/security/authentication/assets/export_cluster_certificates.png and /dev/null differ diff --git a/versioned_docs/version-6.0/server/security/authentication/assets/renew_server_certificate.png b/versioned_docs/version-6.0/server/security/authentication/assets/renew_server_certificate.png deleted file mode 100644 index e26270f2a3..0000000000 Binary files a/versioned_docs/version-6.0/server/security/authentication/assets/renew_server_certificate.png and /dev/null differ 
diff --git a/versioned_docs/version-6.0/server/security/authentication/assets/upload-client-certificate.png b/versioned_docs/version-6.0/server/security/authentication/assets/upload-client-certificate.png deleted file mode 100644 index da88edd677..0000000000 Binary files a/versioned_docs/version-6.0/server/security/authentication/assets/upload-client-certificate.png and /dev/null differ diff --git a/versioned_docs/version-6.0/server/security/authentication/certificate-configuration.mdx b/versioned_docs/version-6.0/server/security/authentication/certificate-configuration.mdx index 84683fd644..e98487a0f9 100644 --- a/versioned_docs/version-6.0/server/security/authentication/certificate-configuration.mdx +++ b/versioned_docs/version-6.0/server/security/authentication/certificate-configuration.mdx @@ -58,17 +58,16 @@ See [Certificate Management](../../../server/security/authentication/certificate RavenDB will accept `.pfx` server certificates that contain the private key, are not expired, and include a basic (`Key Usage`) field and an enhanced (`Enhanced Key Usage`) field. -- `Key Usage` - Permissions granted by this field: **Digital Signature**, **Key Encipherment** - +- `Key Usage` + Permissions granted by this field: **Digital Signature** + ![Key Usage](./assets/cert-key-usage.png) -- `Enhanced Key Usage` - Permissions granted by this field: **Server Authentication**, **Client Authentication** - - An `Enhanced Key Usage` field must include these two OIDs: - **1.3.6.1.5.5.7.3.1** - Server Authentication - **1.3.6.1.5.5.7.3.2** - Client Authentication +- `Enhanced Key Usage` + Permissions granted by this field: **Server Authentication** + + An `Enhanced Key Usage` field must include this OID: + **1.3.6.1.5.5.7.3.1** - Server Authentication ![Enhanced Key Usage](./assets/cert-enhanced-key-usage.png) 
diff --git a/versioned_docs/version-6.0/server/security/authorization/security-clearance-and-permissions.mdx b/versioned_docs/version-6.0/server/security/authorization/security-clearance-and-permissions.mdx index 5cd15c8360..bc21982f24 100644 --- a/versioned_docs/version-6.0/server/security/authorization/security-clearance-and-permissions.mdx +++ b/versioned_docs/version-6.0/server/security/authorization/security-clearance-and-permissions.mdx @@ -36,10 +36,6 @@ import LanguageContent from "@site/src/components/LanguageContent"; `Cluster Admin` is the highest security clearance. There are no restrictions. A `Cluster Admin` certificate has admin permissions to all databases. It also has the ability to modify the cluster itself. - -The server certificate security clearance is called `Cluster Node`. The server certificate can also be used as a client certificate, and in that case `Cluster Node` is equivalent to `Cluster Admin` in terms of permissions. - - The following operations are allowed **only** for `Cluster Admin` certificates: - All cluster operations diff --git a/versioned_docs/version-6.0/server/security/common-errors-and-faq.mdx b/versioned_docs/version-6.0/server/security/common-errors-and-faq.mdx index 5a3aa53e3e..f1181d38cb 100644 --- a/versioned_docs/version-6.0/server/security/common-errors-and-faq.mdx +++ b/versioned_docs/version-6.0/server/security/common-errors-and-faq.mdx @@ -267,7 +267,7 @@ This server requires client certificate for authentication, but none was provide See [trusting an existing certificate](../../server/administration/cli.mdx#trustclientcert). #### If your browser runs under Windows 7 or Windows Server 2008 or older: -The first thing to try would be installing the **SERVER** certificate to the OS +The first thing to try would be installing the **ADMIN** certificate to the OS where your server is running, closing **all instances** of the browser and restarting it. If the issue persists, please also visit the 
diff --git a/versioned_docs/version-6.0/start/installation/setup-examples/kubernetes/azure-aks.mdx b/versioned_docs/version-6.0/start/installation/setup-examples/kubernetes/azure-aks.mdx index b8bc6a480b..6167ee1d0e 100644 --- a/versioned_docs/version-6.0/start/installation/setup-examples/kubernetes/azure-aks.mdx +++ b/versioned_docs/version-6.0/start/installation/setup-examples/kubernetes/azure-aks.mdx @@ -49,8 +49,8 @@ There are many tools available online that automate the process of getting the c RavenDB will accept PFX server certificates which contain the private key, are not expired, and have the following fields: -- KeyUsage: DigitalSignature, KeyEncipherment -- ExtendedKeyUsage: Client Authentication, Server Authentication +- KeyUsage: DigitalSignature +- ExtendedKeyUsage: Server Authentication If you wish to use a self-signed certificate, you must register the CA certificate in the OS. A Docker image can be created based on the RavenDB image: diff --git a/versioned_docs/version-6.0/start/installation/setup-wizard.mdx b/versioned_docs/version-6.0/start/installation/setup-wizard.mdx index 3b0787ba5c..fb935f3a9d 100644 --- a/versioned_docs/version-6.0/start/installation/setup-wizard.mdx +++ b/versioned_docs/version-6.0/start/installation/setup-wizard.mdx @@ -403,8 +403,8 @@ stores on all the relevant machines. RavenDB will accept PFX server certificates which contain the private key, are not expired, and have the following fields: -- KeyUsage: DigitalSignature, KeyEncipherment -- ExtendedKeyUsage: Client Authentication, Server Authentication +- KeyUsage: DigitalSignature +- ExtendedKeyUsage: Server Authentication If you wish to use the setup wizard to construct a cluster, you must use the same certificate for all nodes. If you wish to use a different certificate for each node, it's possible only through [manual setup](../../start/installation/manual.mdx). A wildcard 
@@ -512,8 +512,8 @@ If you are setting up a cluster, you will use this Zip file to set up each of yo RavenDB will accept `.pfx` server certificates which contain the private key, are not expired, and have the following fields: -**KeyUsage**: DigitalSignature, KeyEncipherment -**ExtendedKeyUsage**: Client Authentication, Server Authentication +**KeyUsage**: DigitalSignature +**ExtendedKeyUsage**: Server Authentication 1. Place the `.pfx` file in a permanent location in each server/node folder. diff --git a/versioned_docs/version-6.2/server/security/authentication/assets/cert-enhanced-key-usage.png b/versioned_docs/version-6.2/server/security/authentication/assets/cert-enhanced-key-usage.png index 3bfafcbdfe..3f782c73d4 100644 Binary files a/versioned_docs/version-6.2/server/security/authentication/assets/cert-enhanced-key-usage.png and b/versioned_docs/version-6.2/server/security/authentication/assets/cert-enhanced-key-usage.png differ diff --git a/versioned_docs/version-6.2/server/security/authentication/assets/cert-key-usage.png b/versioned_docs/version-6.2/server/security/authentication/assets/cert-key-usage.png index 8be2daefb3..143aefb209 100644 Binary files a/versioned_docs/version-6.2/server/security/authentication/assets/cert-key-usage.png and b/versioned_docs/version-6.2/server/security/authentication/assets/cert-key-usage.png differ diff --git a/versioned_docs/version-6.2/server/security/authentication/assets/export_cluster_certificates.png b/versioned_docs/version-6.2/server/security/authentication/assets/export_cluster_certificates.png deleted file mode 100644 index c30b07a6fa..0000000000 Binary files a/versioned_docs/version-6.2/server/security/authentication/assets/export_cluster_certificates.png and /dev/null differ 
diff --git a/versioned_docs/version-6.2/server/security/authentication/assets/renew_server_certificate.png b/versioned_docs/version-6.2/server/security/authentication/assets/renew_server_certificate.png deleted file mode 100644 index e26270f2a3..0000000000 Binary files a/versioned_docs/version-6.2/server/security/authentication/assets/renew_server_certificate.png and /dev/null differ diff --git a/versioned_docs/version-6.2/server/security/authentication/assets/upload-client-certificate.png b/versioned_docs/version-6.2/server/security/authentication/assets/upload-client-certificate.png deleted file mode 100644 index da88edd677..0000000000 Binary files a/versioned_docs/version-6.2/server/security/authentication/assets/upload-client-certificate.png and /dev/null differ diff --git a/versioned_docs/version-6.2/server/security/authentication/certificate-configuration.mdx b/versioned_docs/version-6.2/server/security/authentication/certificate-configuration.mdx index 84683fd644..e98487a0f9 100644 --- a/versioned_docs/version-6.2/server/security/authentication/certificate-configuration.mdx +++ b/versioned_docs/version-6.2/server/security/authentication/certificate-configuration.mdx 
@@ -58,17 +58,16 @@ See [Certificate Management](../../../server/security/authentication/certificate RavenDB will accept `.pfx` server certificates that contain the private key, are not expired, and include a basic (`Key Usage`) field and an enhanced (`Enhanced Key Usage`) field. -- `Key Usage` - Permissions granted by this field: **Digital Signature**, **Key Encipherment** - +- `Key Usage` + Permissions granted by this field: **Digital Signature** + ![Key Usage](./assets/cert-key-usage.png) -- `Enhanced Key Usage` - Permissions granted by this field: **Server Authentication**, **Client Authentication** - - An `Enhanced Key Usage` field must include these two OIDs: - **1.3.6.1.5.5.7.3.1** - Server Authentication - **1.3.6.1.5.5.7.3.2** - Client Authentication +- `Enhanced Key Usage` + Permissions granted by this field: **Server Authentication** + + An `Enhanced Key Usage` field must include this OID: + **1.3.6.1.5.5.7.3.1** - Server Authentication ![Enhanced Key Usage](./assets/cert-enhanced-key-usage.png) diff --git a/versioned_docs/version-6.2/server/security/authorization/security-clearance-and-permissions.mdx b/versioned_docs/version-6.2/server/security/authorization/security-clearance-and-permissions.mdx index 5cd15c8360..bc21982f24 100644 --- a/versioned_docs/version-6.2/server/security/authorization/security-clearance-and-permissions.mdx +++ b/versioned_docs/version-6.2/server/security/authorization/security-clearance-and-permissions.mdx 
@@ -36,10 +36,6 @@ import LanguageContent from "@site/src/components/LanguageContent"; `Cluster Admin` is the highest security clearance. There are no restrictions. A `Cluster Admin` certificate has admin permissions to all databases. It also has the ability to modify the cluster itself. - -The server certificate security clearance is called `Cluster Node`. The server certificate can also be used as a client certificate, and in that case `Cluster Node` is equivalent to `Cluster Admin` in terms of permissions. - - The following operations are allowed **only** for `Cluster Admin` certificates: - All cluster operations diff --git a/versioned_docs/version-6.2/server/security/common-errors-and-faq.mdx b/versioned_docs/version-6.2/server/security/common-errors-and-faq.mdx index 5a3aa53e3e..f1181d38cb 100644 --- a/versioned_docs/version-6.2/server/security/common-errors-and-faq.mdx +++ b/versioned_docs/version-6.2/server/security/common-errors-and-faq.mdx @@ -267,7 +267,7 @@ This server requires client certificate for authentication, but none was provide See [trusting an existing certificate](../../server/administration/cli.mdx#trustclientcert). #### If your browser runs under Windows 7 or Windows Server 2008 or older: -The first thing to try would be installing the **SERVER** certificate to the OS +The first thing to try would be installing the **ADMIN** certificate to the OS where your server is running, closing **all instances** of the browser and restarting it. If the issue persists, please also visit the diff --git a/versioned_docs/version-6.2/start/installation/setup-examples/kubernetes/azure-aks.mdx b/versioned_docs/version-6.2/start/installation/setup-examples/kubernetes/azure-aks.mdx index b8bc6a480b..6167ee1d0e 100644 --- a/versioned_docs/version-6.2/start/installation/setup-examples/kubernetes/azure-aks.mdx +++ b/versioned_docs/version-6.2/start/installation/setup-examples/kubernetes/azure-aks.mdx 
@@ -49,8 +49,8 @@ There are many tools available online that automate the process of getting the c RavenDB will accept PFX server certificates which contain the private key, are not expired, and have the following fields: -- KeyUsage: DigitalSignature, KeyEncipherment -- ExtendedKeyUsage: Client Authentication, Server Authentication +- KeyUsage: DigitalSignature +- ExtendedKeyUsage: Server Authentication If you wish to use a self-signed certificate, you must register the CA certificate in the OS. A Docker image can be created based on the RavenDB image: diff --git a/versioned_docs/version-6.2/start/installation/setup-wizard.mdx b/versioned_docs/version-6.2/start/installation/setup-wizard.mdx index 3b0787ba5c..fb935f3a9d 100644 --- a/versioned_docs/version-6.2/start/installation/setup-wizard.mdx +++ b/versioned_docs/version-6.2/start/installation/setup-wizard.mdx @@ -403,8 +403,8 @@ stores on all the relevant machines. RavenDB will accept PFX server certificates which contain the private key, are not expired, and have the following fields: -- KeyUsage: DigitalSignature, KeyEncipherment -- ExtendedKeyUsage: Client Authentication, Server Authentication +- KeyUsage: DigitalSignature +- ExtendedKeyUsage: Server Authentication If you wish to use the setup wizard to construct a cluster, you must use the same certificate for all nodes. If you wish to use a different certificate for each node, it's possible only through [manual setup](../../start/installation/manual.mdx). A wildcard @@ -512,8 +512,8 @@ If you are setting up a cluster, you will use this Zip file to set up each of yo RavenDB will accept `.pfx` server certificates which contain the private key, are not expired, and have the following fields: -**KeyUsage**: DigitalSignature, KeyEncipherment -**ExtendedKeyUsage**: Client Authentication, Server Authentication +**KeyUsage**: DigitalSignature +**ExtendedKeyUsage**: Server Authentication 1. Place the `.pfx` file in a permanent location in each server/node folder. 
diff --git a/versioned_docs/version-7.0/server/security/authentication/assets/cert-enhanced-key-usage.png b/versioned_docs/version-7.0/server/security/authentication/assets/cert-enhanced-key-usage.png index 3bfafcbdfe..3f782c73d4 100644 Binary files a/versioned_docs/version-7.0/server/security/authentication/assets/cert-enhanced-key-usage.png and b/versioned_docs/version-7.0/server/security/authentication/assets/cert-enhanced-key-usage.png differ diff --git a/versioned_docs/version-7.0/server/security/authentication/assets/cert-key-usage.png b/versioned_docs/version-7.0/server/security/authentication/assets/cert-key-usage.png index 8be2daefb3..143aefb209 100644 Binary files a/versioned_docs/version-7.0/server/security/authentication/assets/cert-key-usage.png and b/versioned_docs/version-7.0/server/security/authentication/assets/cert-key-usage.png differ diff --git a/versioned_docs/version-7.0/server/security/authentication/assets/export_cluster_certificates.png b/versioned_docs/version-7.0/server/security/authentication/assets/export_cluster_certificates.png deleted file mode 100644 index c30b07a6fa..0000000000 Binary files a/versioned_docs/version-7.0/server/security/authentication/assets/export_cluster_certificates.png and /dev/null differ diff --git a/versioned_docs/version-7.0/server/security/authentication/assets/renew_server_certificate.png b/versioned_docs/version-7.0/server/security/authentication/assets/renew_server_certificate.png deleted file mode 100644 index e26270f2a3..0000000000 Binary files a/versioned_docs/version-7.0/server/security/authentication/assets/renew_server_certificate.png and /dev/null differ 
diff --git a/versioned_docs/version-7.0/server/security/authentication/assets/upload-client-certificate.png b/versioned_docs/version-7.0/server/security/authentication/assets/upload-client-certificate.png deleted file mode 100644 index da88edd677..0000000000 Binary files a/versioned_docs/version-7.0/server/security/authentication/assets/upload-client-certificate.png and /dev/null differ diff --git a/versioned_docs/version-7.0/server/security/authentication/certificate-configuration.mdx b/versioned_docs/version-7.0/server/security/authentication/certificate-configuration.mdx index 84683fd644..e98487a0f9 100644 --- a/versioned_docs/version-7.0/server/security/authentication/certificate-configuration.mdx +++ b/versioned_docs/version-7.0/server/security/authentication/certificate-configuration.mdx @@ -58,17 +58,16 @@ See [Certificate Management](../../../server/security/authentication/certificate RavenDB will accept `.pfx` server certificates that contain the private key, are not expired, and include a basic (`Key Usage`) field and an enhanced (`Enhanced Key Usage`) field. -- `Key Usage` - Permissions granted by this field: **Digital Signature**, **Key Encipherment** - +- `Key Usage` + Permissions granted by this field: **Digital Signature** + ![Key Usage](./assets/cert-key-usage.png) -- `Enhanced Key Usage` - Permissions granted by this field: **Server Authentication**, **Client Authentication** - - An `Enhanced Key Usage` field must include these two OIDs: - **1.3.6.1.5.5.7.3.1** - Server Authentication - **1.3.6.1.5.5.7.3.2** - Client Authentication +- `Enhanced Key Usage` + Permissions granted by this field: **Server Authentication** + + An `Enhanced Key Usage` field must include this OID: + **1.3.6.1.5.5.7.3.1** - Server Authentication ![Enhanced Key Usage](./assets/cert-enhanced-key-usage.png) 
diff --git a/versioned_docs/version-7.0/server/security/authorization/security-clearance-and-permissions.mdx b/versioned_docs/version-7.0/server/security/authorization/security-clearance-and-permissions.mdx index 5cd15c8360..bc21982f24 100644 --- a/versioned_docs/version-7.0/server/security/authorization/security-clearance-and-permissions.mdx +++ b/versioned_docs/version-7.0/server/security/authorization/security-clearance-and-permissions.mdx @@ -36,10 +36,6 @@ import LanguageContent from "@site/src/components/LanguageContent"; `Cluster Admin` is the highest security clearance. There are no restrictions. A `Cluster Admin` certificate has admin permissions to all databases. It also has the ability to modify the cluster itself. - -The server certificate security clearance is called `Cluster Node`. The server certificate can also be used as a client certificate, and in that case `Cluster Node` is equivalent to `Cluster Admin` in terms of permissions. - - The following operations are allowed **only** for `Cluster Admin` certificates: - All cluster operations diff --git a/versioned_docs/version-7.0/server/security/common-errors-and-faq.mdx b/versioned_docs/version-7.0/server/security/common-errors-and-faq.mdx index 5a3aa53e3e..f1181d38cb 100644 --- a/versioned_docs/version-7.0/server/security/common-errors-and-faq.mdx +++ b/versioned_docs/version-7.0/server/security/common-errors-and-faq.mdx @@ -267,7 +267,7 @@ This server requires client certificate for authentication, but none was provide See [trusting an existing certificate](../../server/administration/cli.mdx#trustclientcert). #### If your browser runs under Windows 7 or Windows Server 2008 or older: -The first thing to try would be installing the **SERVER** certificate to the OS +The first thing to try would be installing the **ADMIN** certificate to the OS where your server is running, closing **all instances** of the browser and restarting it. If the issue persists, please also visit the 
diff --git a/versioned_docs/version-7.0/start/installation/setup-examples/kubernetes/azure-aks.mdx b/versioned_docs/version-7.0/start/installation/setup-examples/kubernetes/azure-aks.mdx index b8bc6a480b..6167ee1d0e 100644 --- a/versioned_docs/version-7.0/start/installation/setup-examples/kubernetes/azure-aks.mdx +++ b/versioned_docs/version-7.0/start/installation/setup-examples/kubernetes/azure-aks.mdx @@ -49,8 +49,8 @@ There are many tools available online that automate the process of getting the c RavenDB will accept PFX server certificates which contain the private key, are not expired, and have the following fields: -- KeyUsage: DigitalSignature, KeyEncipherment -- ExtendedKeyUsage: Client Authentication, Server Authentication +- KeyUsage: DigitalSignature +- ExtendedKeyUsage: Server Authentication If you wish to use a self-signed certificate, you must register the CA certificate in the OS. A Docker image can be created based on the RavenDB image: diff --git a/versioned_docs/version-7.0/start/installation/setup-wizard.mdx b/versioned_docs/version-7.0/start/installation/setup-wizard.mdx index 3b0787ba5c..fb935f3a9d 100644 --- a/versioned_docs/version-7.0/start/installation/setup-wizard.mdx +++ b/versioned_docs/version-7.0/start/installation/setup-wizard.mdx @@ -403,8 +403,8 @@ stores on all the relevant machines. RavenDB will accept PFX server certificates which contain the private key, are not expired, and have the following fields: -- KeyUsage: DigitalSignature, KeyEncipherment -- ExtendedKeyUsage: Client Authentication, Server Authentication +- KeyUsage: DigitalSignature +- ExtendedKeyUsage: Server Authentication If you wish to use the setup wizard to construct a cluster, you must use the same certificate for all nodes. If you wish to use a different certificate for each node, it's possible only through [manual setup](../../start/installation/manual.mdx). A wildcard 
@@ -512,8 +512,8 @@ If you are setting up a cluster, you will use this Zip file to set up each of yo RavenDB will accept `.pfx` server certificates which contain the private key, are not expired, and have the following fields: -**KeyUsage**: DigitalSignature, KeyEncipherment -**ExtendedKeyUsage**: Client Authentication, Server Authentication +**KeyUsage**: DigitalSignature +**ExtendedKeyUsage**: Server Authentication 1. Place the `.pfx` file in a permanent location in each server/node folder.
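Review bot: in versioned_docs/version-7.0/server/security/authentication/certificate-configuration.mdx (@@ -58,17 +58,16), the new sentence "An `Enhanced Key Usage` field must include this OID:" states a minimum, while "Permissions granted by this field: **Server Authentication**" reads as the complete set. The text does not say whether a certificate that still carries **Key Encipherment** or **1.3.6.1.5.5.7.3.2** (Client Authentication), which the removed lines required, is still accepted. Suggest one added sentence stating whether extra usages are tolerated, so operators holding certificates issued under the old wording know whether they must reissue.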
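Review bot: in versioned_docs/version-7.0/server/security/authorization/security-clearance-and-permissions.mdx (@@ -36,10 +36,6), deleting the `Cluster Node` paragraph removes the only statement in this section about what clearance a server certificate gets when it is presented as a client certificate. The old text documented that case as equivalent to `Cluster Admin`, so removing it silently leaves readers unable to tell whether that use is now rejected or just undocumented. Suggest replacing the paragraph with a sentence that states the current behaviour rather than dropping it.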
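Review bot: in versioned_docs/version-7.0/server/security/common-errors-and-faq.mdx (@@ -267,7 +267,7), the changed line now tells the reader to install the **ADMIN** certificate "to the OS where your server is running", but the heading is about the OS the browser runs under and the next step is restarting the browser. Swapping only the one word leaves the location unchanged from the server-certificate version of the instruction. Suggest rewording the location to match the heading, or stating explicitly that the admin certificate belongs on the server's OS if that is intended.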
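Review bot: in versioned_docs/version-7.0/start/installation/setup-examples/kubernetes/azure-aks.mdx (@@ -49,8 +49,8), this is one of four places in the patch that restate the same requirement, and they now differ in form: `KeyUsage`/`ExtendedKeyUsage` bullets here, bold labels in setup-wizard.mdx, and `Key Usage`/`Enhanced Key Usage` with the OID only in certificate-configuration.mdx. Suggest keeping the full requirement in certificate-configuration.mdx and linking to it from here, so the next change to the accepted usages is made in one place.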
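Review bot: in versioned_docs/version-7.0/start/installation/setup-wizard.mdx (@@ -403,8 +403,8), the context line directly after the changed list says a wizard-built cluster must use the same certificate for all nodes, yet the list no longer mentions Client Authentication and nothing explains what that shared certificate needs for connections between nodes. Suggest adding a sentence, or a link to the certificate configuration page, that covers the cluster case under the new requirement.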
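Review bot: in versioned_docs/version-7.0/start/installation/setup-wizard.mdx (@@ -512,8 +512,8), the two changed lines "**KeyUsage**: DigitalSignature" and "**ExtendedKeyUsage**: Server Authentication" are consecutive lines with no list markers, unlike the bulleted form used for the same fields at @@ -403 in this file. Since both lines are being touched anyway, consider converting them to the same bulleted list so the two sections of the page match.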