Ability to invalidate or revoke an X.509 certificate that has not expired.
Currently, X.509 certificates can be issued for authentication and authorization. However, it is not possible to invalidate an already-issued certificate. If a certificate were compromised, it would therefore not be possible to invalidate it and issue a new one. The only way is to delete the user associated with the certificate and create a new user account (new CN).
-
Geoffrey commented
Hi Salman,
Sorry, I hadn't seen your question.
We have opened a ticket regarding this issue already. See https://support.mongodb.com/case/01056829
In fact, here is an example scenario.
An X system's IT team creates and manages X.509 certificates for application authentication.
The Security Team issues root certificates and intermediate certificates.
If the Security Team detects that a certificate is compromised, it could decide to revoke the intermediate certificate to avoid any data leakage. This team does not have access to the MongoDB Atlas portal because it does not manage the databases. As a result of this action, it is expected that all X.509 certificates issued under this authority chain will be unable to connect to MongoDB clusters.
-
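The scenario in Geoffrey's comment relies on a standard PKI mechanism: revoking the intermediate on a CRL signed by the root cuts off every leaf certificate issued beneath it, with no per-user action. The Go program below is an added example and is not part of this thread, of Geoffrey's post, or of MongoDB's code. It builds a constructed root / intermediate / leaf hierarchy in memory with the standard library only, has the root publish a CRL, and runs a revocation-aware chain check of the kind a server would perform at connect time. The CA names, serial numbers, and the VerifyWithCRL helper are illustrative assumptions; nothing here connects to MongoDB or Atlas.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed three-tier hierarchy modelled on the thread's scenario:
// a Security Team root and intermediate CA, and an IT-issued application
// client certificate under the intermediate. All keys are generated in memory.
type PKI struct {
	Root, Intermediate, Leaf *x509.Certificate
	rootKey                  *ecdsa.PrivateKey
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with the parent's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// caTemplate returns a CA certificate template able to sign certs and CRLs.
func caTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// NewPKI builds root -> intermediate -> leaf (hypothetical names and serials).
func NewPKI() *PKI {
	rootKey, intKey, leafKey := mustKey(), mustKey(), mustKey()
	rootTmpl := caTemplate(1, "Security Team Root CA")
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	inter := issue(caTemplate(2, "Security Team Intermediate CA"), root, &intKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "app-orders", OrganizationalUnit: []string{"IT"}},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	leaf := issue(leafTmpl, inter, &leafKey.PublicKey, intKey)
	return &PKI{Root: root, Intermediate: inter, Leaf: leaf, rootKey: rootKey}
}

// RootCRL returns a CRL signed by the root that revokes the given certificates
// (pass the intermediate to model the Security Team's action in the thread).
func (p *PKI) RootCRL(revoked ...*x509.Certificate) *x509.RevocationList {
	tmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(24 * time.Hour),
	}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, p.Root, p.rootKey)
	if err != nil {
		panic(err)
	}
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		panic(err)
	}
	return crl
}

// VerifyWithCRL builds the chain from leaf to trusted root, then rejects it if
// any certificate below the root is listed on a current CRL signed by its own
// issuer. Because the intermediate itself is checked, revoking it cuts off
// every leaf issued under it, which is the effect the thread's scenario expects.
func VerifyWithCRL(leaf, root *x509.Certificate, intermediates []*x509.Certificate, crls []*x509.RevocationList) error {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		pool.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return err
	}
	chain := chains[0] // leaf first, trust anchor last
	for i := 0; i+1 < len(chain); i++ {
		cert, issuer := chain[i], chain[i+1]
		for _, crl := range crls {
			// Only consult CRLs that this certificate's issuer actually signed.
			if !bytes.Equal(crl.RawIssuer, issuer.RawSubject) || crl.CheckSignatureFrom(issuer) != nil {
				continue
			}
			if time.Now().After(crl.NextUpdate) {
				return errors.New("stale CRL for " + issuer.Subject.CommonName + "; failing closed")
			}
			for _, rc := range crl.RevokedCertificates {
				if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
					return fmt.Errorf("%q revoked by %q", cert.Subject.CommonName, issuer.Subject.CommonName)
				}
			}
		}
	}
	return nil
}

func main() {
	p := NewPKI()
	inters := []*x509.Certificate{p.Intermediate}
	fmt.Println("before revocation:", VerifyWithCRL(p.Leaf, p.Root, inters, []*x509.RevocationList{p.RootCRL()}))
	fmt.Println("after revoking intermediate:", VerifyWithCRL(p.Leaf, p.Root, inters, []*x509.RevocationList{p.RootCRL(p.Intermediate)}))
}
```

Two design points worth noting. The CRL is matched to the certificate's issuer by name and signature before it is consulted, so a root CRL that happens to list the leaf's serial number has no effect on the leaf (only the intermediate can revoke it); and an expired CRL fails closed rather than being treated as "nothing revoked", which is the behaviour a team relying on revocation for containment would want.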
Jace commented
We would also like to have this feature so we can clean up older certificates. I'm surprised this isn't already a feature.
-
George commented
There is a scenario where we have multiple certificates attached to the same User and want to do some cleanup.
-
AdminSalman (Admin, MongoDB) commented
Hi Geoffrey,
Thank you for sharing the suggestion. Could you share here or in an email (product.security@mongodb.com) the scenario under which deleting a user is not feasible when a certificate is compromised?
Salman