authorGabriel Marks <gabriel.marks@mongodb.com>2022-01-25 18:07:53 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2022-02-03 22:38:30 +0000
commit58a819a56aadb91e7cd62b8c2e2e493ce85fc0e1 (patch)
treeb728f0b50a4de4242dbbc7ae14ae6af0f163ef88 /jstests/ssl
parentd4baf64a2da1a785d428888f3ce047367ccc2a7a (diff)
downloadmongo-58a819a56aadb91e7cd62b8c2e2e493ce85fc0e1.tar.gz
SERVER-56346 Change certificate definitions to match OSX requirements
Diffstat (limited to 'jstests/ssl')
-rw-r--r--jstests/ssl/libs/localhost-cn-with-san.pem91
-rw-r--r--jstests/ssl/libs/localhost-cn-with-san.pem.digest.sha11
-rw-r--r--jstests/ssl/libs/localhost-cn-with-san.pem.digest.sha2561
-rw-r--r--jstests/ssl/ssl_cert_selector.js10
-rw-r--r--jstests/ssl/ssl_cert_selector_apple.js48
-rw-r--r--jstests/ssl/tlsCATrusts.js4
-rw-r--r--jstests/ssl/x509/README6
-rw-r--r--jstests/ssl/x509/certs.yml67
-rwxr-xr-xjstests/ssl/x509/mkcert.py17
-rwxr-xr-xjstests/ssl/x509/mkcrl.sh13
-rwxr-xr-xjstests/ssl/x509/mkdigest.py42
-rw-r--r--jstests/ssl/x509/root-and-trusted-ca.pem79
-rw-r--r--jstests/ssl/x509/root-and-trusted-ca.pem.digest.sha11
-rw-r--r--jstests/ssl/x509/root-and-trusted-ca.pem.digest.sha2561
-rw-r--r--jstests/ssl/x509/trusted-client-testdb-roles.pem84
-rw-r--r--jstests/ssl/x509/trusted-client-testdb-roles.pem.digest.sha11
-rw-r--r--jstests/ssl/x509/trusted-client-testdb-roles.pem.digest.sha2561
-rw-r--r--jstests/ssl/x509_expiring.js5
-rw-r--r--jstests/ssl/x509_startup_certificate_info.js6
19 files changed, 310 insertions, 168 deletions
diff --git a/jstests/ssl/libs/localhost-cn-with-san.pem b/jstests/ssl/libs/localhost-cn-with-san.pem
index 556ffb85b0a..d91b1ae5069 100644
--- a/jstests/ssl/libs/localhost-cn-with-san.pem
+++ b/jstests/ssl/libs/localhost-cn-with-san.pem
@@ -3,51 +3,52 @@
#
# Localhost based certificate using non-matching subject alternate name.
-----BEGIN CERTIFICATE-----
-MIIDdjCCAl4CBA3WteIwDQYJKoZIhvcNAQELBQAwdDELMAkGA1UEBhMCVVMxETAP
-BgNVBAgMCE5ldyBZb3JrMRYwFAYDVQQHDA1OZXcgWW9yayBDaXR5MRAwDgYDVQQK
-DAdNb25nb0RCMQ8wDQYDVQQLDAZLZXJuZWwxFzAVBgNVBAMMDktlcm5lbCBUZXN0
-IENBMB4XDTE5MDkyNTIzMjc0MFoXDTM5MDkyNzIzMjc0MFowbzELMAkGA1UEBhMC
-VVMxETAPBgNVBAgMCE5ldyBZb3JrMRYwFAYDVQQHDA1OZXcgWW9yayBDaXR5MRAw
-DgYDVQQKDAdNb25nb0RCMQ8wDQYDVQQLDAZLZXJuZWwxEjAQBgNVBAMMCWxvY2Fs
-aG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMn0WG6/vxv4bmh+
-lv1axKQM/fIiRavdIFqJOYw84Km+fahcUTgFY2oOEAxQ+y8nN/2rpXrZYlL5etqs
-iv/1m0EZDFl+SCOvxULrmyd2GhFJeaJu+O714e1lxpBPDT2LWKCa3g4qK+krKWMU
-glaAGJKrYmyfhKdMUN0XN/ISxIuwzZCbSQ6/N70cU4CFZyzmxixSyW7xZR+wsIgg
-pX1BrMbsGLcGoVknWt2yrp/qFKRrBda/b3k+gs6zSvpJvt1dTNuGG4drPF+pfvA5
-4NPelXvccdmz86Fg7YULE/hCbrDfzngkMgqD3Em9sXarlA7GO+tCxp2uyV52FBq3
-dLe9Jq0CAwEAAaMaMBgwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wDQYJKoZIhvcN
-AQELBQADggEBAIpIUe0R7nHDGxABrK9nAIVF2etluEZZz18RnaPn5cLzjwbhbDQy
-gKTHt7nv2xWDlRqPv4GwcsyqpK9Sr4tjFgwBVzGlNEUSh8cLFmWOVz+9yZnk/mGm
-Y35jqFM1VgnWGU+NuC71IEfUJsNV1intMECHY0IaglmjDAZCJ2nWDfNT+qrS7zpJ
-+c/El6XYx9Wx9BoWlEY+4Z/ipabXzivDwKw4G1UoQvVmmU6NywVhQmSudiySBSce
-JEPIa+RCCq+ahtSWilpDXqpKvieY0M2go46MHgUgUfOMnsUTlTgFjgRVMqkXnccI
-alfeM9ukvz0JXRYERI8GCTVG+35vSw13MGs=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-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
-MIIEuwIBADANBgkqhkiG9w0BAQEFAASCBKUwggShAgEAAoIBAQDJ9Fhuv78b+G5o
-fpb9WsSkDP3yIkWr3SBaiTmMPOCpvn2oXFE4BWNqDhAMUPsvJzf9q6V62WJS+Xra
-rIr/9ZtBGQxZfkgjr8VC65sndhoRSXmibvju9eHtZcaQTw09i1igmt4OKivpKylj
-FIJWgBiSq2Jsn4SnTFDdFzfyEsSLsM2Qm0kOvze9HFOAhWcs5sYsUslu8WUfsLCI
-IKV9QazG7Bi3BqFZJ1rdsq6f6hSkawXWv295PoLOs0r6Sb7dXUzbhhuHazxfqX7w
-OeDT3pV73HHZs/OhYO2FCxP4Qm6w3854JDIKg9xJvbF2q5QOxjvrQsadrsledhQa
-t3S3vSatAgMBAAECggEADsKzK/ULzMmNmEmYU5Asyyi/7tCecv9IfBWHhT511TI9
-EO8eaI/MQlYgyiWpFjsxlnLTN3VoAFSHrC/sQOT8ofdotanLMACK1GdQAcRaB2Vt
-ZHfj7eM+zhEgQC/m8dabdbGcBUED0Jj8/2biV9wo759jJDlMgsXLKz2lMyY4A1WZ
-kwCrdTqSn+TqA4+t7RdteY1YQZIV/qKNABT9CCRyH9Hqr5MyByYGiLtsrimI8WH/
-/UlE4R8/dHI5yA/FrtNgPM7QB1UElMBHaixWGUJTWSIcZtGuZ82N+uVjgVREfeML
-3RmDfwRAsgy3oz2zisQmz2qJDDdO1qJSn34ezOmYqQKBgQDmlAK0TnoxlYExmHWg
-fqm1Ee2n6rls14y0lm1GP0NoTOakSiZ9yBbQwYNNR7/P7YCppTt4/EdO2Skgpqg6
-KEd8ur2zsjWSEbMb/Pd0OB+pLUKjfrMQ+Kft8lalpcO5OcF2RmQnLTZAn9Endx/l
-TikvmB3Pq3r5RcfNAMDrrNrN9wKBgQDgOHDmht5Pq2zasVnFW1OydCNneuameREV
-kFM4D2raUkGbQNft/yhkjStZkEVAmooWHLYxJkWFo5KY8RpRJ50vW01UzH7jnA13
-PCvbJ1ITxzNuUbMcg4b8V6D0pM/Y8b7Me24iI1RAJntAx/+doAdRnLggYQcTp1Dl
-ahce8/0XewKBgDSqT+fRGPXkWQrz8MIEzExwWOEGqu2iWiART8pAvuu+zNtvmFUY
-c6Wg3ZW0MqqSa9XTyL68mKj4zv0HM9t8wb9Kg/PcW4IOiuN0pyyjeQ/SJ6tiUBIr
-SWf+9y2ErCzNdVPHhi6wk/i0yDgEbIOak6usSfraBw+Ska1QY8AwzhVHAn9UFNZB
-nFHBjodDez4uxBCe2u5r36qewselTnnmi+GF/VKc5bQTi5uaGVYoP/G4SDuAD0RD
-KhboBm7y63by9+f52kMliYoL0Hk8PVQ02ons4MZomDqSdsAn4LR7CVLoB7+E7sRe
-COGPLN8La/RvJ5OXBy4E9l2xAQ1U+nOxJ83BAoGBANHLPoIQ2lug421Kqc07P9rI
-66CVYX8XQrpqFHPytFQv7SQkUU+cp+7qpo33b62FkV5qi+oZ+bqyQ6Ung5Ro7R4q
-2JFLdxRw1nKVCFog/WFvs9XSw8tJUW4pnEcXLBtbWpozmhe5ZhgFes1LldPSgYXK
-XC6Jr1/6OJQGM4wklSiS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-----END PRIVATE KEY-----
diff --git a/jstests/ssl/libs/localhost-cn-with-san.pem.digest.sha1 b/jstests/ssl/libs/localhost-cn-with-san.pem.digest.sha1
new file mode 100644
index 00000000000..1127761edbf
--- /dev/null
+++ b/jstests/ssl/libs/localhost-cn-with-san.pem.digest.sha1
@@ -0,0 +1 @@
+A8FBDA18A45E8945D1D6E08E77B3070314B80458 \ No newline at end of file
diff --git a/jstests/ssl/libs/localhost-cn-with-san.pem.digest.sha256 b/jstests/ssl/libs/localhost-cn-with-san.pem.digest.sha256
new file mode 100644
index 00000000000..4bb65aa4d90
--- /dev/null
+++ b/jstests/ssl/libs/localhost-cn-with-san.pem.digest.sha256
@@ -0,0 +1 @@
+5926109C2D0A4565771FFA92814319B5946DF5710A4F99A77FFF9A7881681376 \ No newline at end of file
diff --git a/jstests/ssl/ssl_cert_selector.js b/jstests/ssl/ssl_cert_selector.js
index 11c97eff270..f53c784f799 100644
--- a/jstests/ssl/ssl_cert_selector.js
+++ b/jstests/ssl/ssl_cert_selector.js
@@ -42,14 +42,10 @@ requireSSLProvider('windows', function() {
assert.eq(exitStatus, 0, "successfully connected with SSL");
};
+ const trusted_client_thumbprint = cat('jstests/libs/trusted-client.pem.digest.sha1');
+
assert.doesNotThrow(function() {
- try {
- // trusted-client.pfx
- testWithCert("thumbprint=6AE38B35F4551B6BDCDB89AFABE0B277046F2735");
- } catch (e) {
- // Transitional: Pre Oct-2019 trusted-client.pfx
- testWithCert("thumbprint=9ca511552f14d3fc2009d425873599bf77832238");
- }
+ testWithCert("thumbprint=" + trusted_client_thumbprint);
});
assert.doesNotThrow(function() {
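Review bot: The value read on the new `const trusted_client_thumbprint = cat('jstests/libs/trusted-client.pem.digest.sha1');` line is spliced verbatim into the selector string, so any whitespace or trailing newline that ever ends up in the digest file would make `thumbprint=` silently select nothing; a `.trim()` at the read site, `const trusted_client_thumbprint = cat('jstests/libs/trusted-client.pem.digest.sha1').trim();`, keeps the test independent of how the digest file is regenerated. The same raw `cat()` read of a digest file appears in this commit in tlsCATrusts.js, ssl_cert_selector_apple.js and x509_startup_certificate_info.js. Dropping the pre-Oct-2019 fallback also means a Windows host that still has the old trusted-client.pfx installed now fails inside `assert.doesNotThrow` with no hint as to why; passing a message that names the expected thumbprint, as the apple test does, would save a round trip when certificates are next renewed. The enclosing `requireSSLProvider` callback starts and ends outside the hunk.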
diff --git a/jstests/ssl/ssl_cert_selector_apple.js b/jstests/ssl/ssl_cert_selector_apple.js
index 0f23f04eed6..7e059316095 100644
--- a/jstests/ssl/ssl_cert_selector_apple.js
+++ b/jstests/ssl/ssl_cert_selector_apple.js
@@ -20,12 +20,54 @@ requireSSLProvider('apple', function() {
'C=US,ST=New York,L=New York City,O=MongoDB,OU=Kernel,CN=Trusted Kernel Test Server';
const INVALID = null;
+ function getCertificateSHA1BySubject(subject) {
+ clearRawMongoProgramOutput();
+ // security find-certificate prints out info about certificates matching the given search
+ // criteria. In this case, we use -c, matching common name, and -Z, which includes SHA-1 and
+ // SHA-256 thumbprints in the output.
+ assert.eq(0, runNonMongoProgram("security", "find-certificate", "-c", subject, "-Z"));
+ const out = rawMongoProgramOutput();
+
+ const kSearchStr = "SHA-1 hash: ";
+ const kHashHexitLen = 40;
+
+ const searchIdx = out.indexOf(kSearchStr);
+ assert.neq(searchIdx, -1, "SHA-1 hash not found in command output!");
+
+ return out.substr(searchIdx + searchStr.length, kHashHexitLen);
+ }
+
+ // Using the thumbprint of the certificate stored in the keychain should always work as a
+ // selector.
+ const trusted_server_thumbprint = getCertificateSHA1BySubject("Trusted Kernel Test Server");
+ const trusted_client_thumbprint = getCertificateSHA1BySubject("Trusted Kernel Test Client");
+
+ const expected_server_thumbprint = cat("jstests/libs/trusted-server.pem.digest.sha1");
+ const expected_client_thumbprint = cat("jstests/libs/trusted-client.pem.digest.sha1");
+
+ // If we fall into this case, our trusted certificates are not installed on the machine's
+ // certificate keychain. This probably means that certificates have just been renewed, but have
+ // not been installed in MacOS machines yet.
+ if (expected_server_thumbprint !== trusted_server_thumbprint ||
+ expected_client_thumbprint !== trusted_client_thumbprint) {
+ print("****************");
+ print("****************");
+ print(
+ "macOS host has an unexpected version of the trusted server certificate (jstests/libs/trusted-server.pem) or trusted client certificate (jstests/libs/trusted-client.pem) installed.");
+ print("Expecting server thumbprint: " + expected_server_thumbprint +
+ ", got: " + trusted_server_thumbprint);
+ print("Expecting client thumbprint: " + expected_client_thumbprint +
+ ", got: " + trusted_client_thumbprint);
+ print("****************");
+ print("****************");
+ }
+
const testCases = [
- {selector: 'thumbprint=D7421F7442CA313821E19EE0509721F4D60B25A8', name: SERVER},
+ {selector: 'thumbprint=' + trusted_server_thumbprint, name: SERVER},
{selector: 'subject=Trusted Kernel Test Server', name: SERVER},
- {selector: 'thumbprint=9CA511552F14D3FC2009D425873599BF77832238', name: CLIENT},
+ {selector: 'thumbprint=' + trusted_client_thumbprint, name: CLIENT},
{selector: 'subject=Trusted Kernel Test Client', name: CLIENT},
- {selector: 'thumbprint=D7421F7442CA313821E19EE0509721F4D60B25A9', name: INVALID},
+ {selector: 'thumbprint=DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF', name: INVALID},
{selector: 'subject=Unknown Test Client', name: INVALID}
];
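Review bot: `getCertificateSHA1BySubject` cannot return normally: its last line references `searchStr`, which is not declared anywhere in the function (the constant defined above is `kSearchStr`), so unless a global of that name happens to exist every call throws a ReferenceError before `testCases` is built; the line should read `return out.substr(searchIdx + kSearchStr.length, kHashHexitLen);` (or `slice`, since `substr` is deprecated). The mismatch branch below only prints a banner and continues, so when the keychain holds an older certificate the failure still surfaces later as a less specific selector error; after printing the diagnostic, failing right there with `assert.eq(expected_server_thumbprint, trusted_server_thumbprint, "trusted server certificate in keychain is stale");` (and the client equivalent) would make the cause unambiguous. `security find-certificate` without `-a` reports only the first certificate matching the common name, which is presumably what is wanted; confirm that a test host never has two certificates with that name installed. The enclosing `requireSSLProvider` callback continues outside the hunk.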
diff --git a/jstests/ssl/tlsCATrusts.js b/jstests/ssl/tlsCATrusts.js
index bf12c80f78e..2b787ef7971 100644
--- a/jstests/ssl/tlsCATrusts.js
+++ b/jstests/ssl/tlsCATrusts.js
@@ -6,8 +6,8 @@ requireSSLProvider('openssl', function() {
const SERVER_CERT = 'jstests/libs/server.pem';
const COMBINED_CA_CERT = 'jstests/ssl/x509/root-and-trusted-ca.pem';
- const CA_HASH = '539D91F8202641BF85C0C36C88FF69F3062D4AB370CECBF9B950A8B97DE72EAE';
- const TRUSTED_CA_HASH = 'AEAEBB1BA947A7C1428D39EF6166B83409D0245D28013C9FDD71DF9E69BEA52B';
+ const CA_HASH = cat('jstests/libs/ca.pem.digest.sha256');
+ const TRUSTED_CA_HASH = cat('jstests/libs/trusted-ca.pem.digest.sha256');
// Common suffix, keep the lines short.
const RDN_SUFFIX = ',O=MongoDB,L=New York City,ST=New York,C=US';
diff --git a/jstests/ssl/x509/README b/jstests/ssl/x509/README
index 72378a9b15e..346e06f750d 100644
--- a/jstests/ssl/x509/README
+++ b/jstests/ssl/x509/README
@@ -35,8 +35,10 @@ certs:
serial: 42
# Optional, validity start date, currently expressed in seconds relative to now.
not_before: -86400 # 1 day ago
- # Optional, validity end date, currently expressed in seconds relative to now.
- not_after: 631152000 # 20 years from now
+ # Optional, validity end date, currently expressed in seconds relative to now.
+ # Note that not_after - not_before, the validity period, should be less than or equal to 825 days, see:
+ # https://support.apple.com/en-us/HT210176
+ not_after: 71107200 # 823 days from now
# Optional, where to store this certificate (overrides global)
output_path: 'jstests/ssl/libs/'
# Optional, IDs of other public keys to append to the file
diff --git a/jstests/ssl/x509/certs.yml b/jstests/ssl/x509/certs.yml
index 68ecf419e26..b2f50d283ba 100644
--- a/jstests/ssl/x509/certs.yml
+++ b/jstests/ssl/x509/certs.yml
@@ -213,6 +213,7 @@ certs:
not_before: -10000000
not_after: -1000000
extensions:
+ extendedKeyUsage: [serverAuth]
subjectAltName:
DNS: localhost
IP: 127.0.0.1
@@ -226,7 +227,8 @@ certs:
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [serverAuth]
subjectAltName:
- DNS: ['localhost', '127.0.0.1']
+ DNS: localhost
+ IP: 127.0.0.1
- name: 'localhost-cn-with-san.pem'
description: Localhost based certificate using non-matching subject alternate name.
@@ -234,6 +236,7 @@ certs:
Subject: {CN: 'localhost'}
Issuer: 'ca.pem'
extensions:
+ extendedKeyUsage: [serverAuth]
subjectAltName:
DNS: 'example.com'
@@ -246,17 +249,22 @@ certs:
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [serverAuth]
subjectAltName:
- DNS: ['*.example.com', 'localhost', '127.0.0.1', 'morefun!']
+ DNS: ['*.example.com', 'localhost', 'morefun!']
+ IP: 127.0.0.1
- name: 'not_yet_valid.pem'
description: A certificate which has yet to reach its validity date.
Subject: {CN: 'not_yet_valid'}
not_before: 630720000 # 20 years hence
- not_after: 1261440000 # a further 20
+ not_after: 701913600 # a further 824 days after
extensions:
+ extendedKeyUsage: [serverAuth]
mongoRoles:
- {role: backup, db: admin}
- {role: readAnyDatabase, db: admin}
+ subjectAltName:
+ DNS: localhost
+ IP: 127.0.0.1
- name: 'password_protected.pem'
description: Server cerificate using an encrypted private key.
@@ -270,7 +278,8 @@ certs:
extendedKeyUsage: [serverAuth]
authorityKeyIdentifier: issuer
subjectAltName:
- DNS: ['localhost', '127.0.0.1']
+ DNS: localhost
+ IP: 127.0.0.1
- name: 'server.pem'
description: General purpose server certificate file.
@@ -282,7 +291,8 @@ certs:
extendedKeyUsage: [serverAuth, clientAuth]
authorityKeyIdentifier: issuer
subjectAltName:
- DNS: ['localhost', '127.0.0.1']
+ DNS: localhost
+ IP: 127.0.0.1
- name: 'server_no_subject.pem'
description: Server certificate with empty Subject, but critical SAN.
@@ -295,7 +305,7 @@ certs:
authorityKeyIdentifier: issuer
subjectAltName:
critical: true
- DNS: 'localhost'
+ DNS: localhost
IP: ['127.0.0.1', '::1']
- name: 'server_no_subject_no_SAN.pem'
@@ -312,20 +322,25 @@ certs:
description: General purpose server certificate with good SANs.
Subject: {CN: 'Kernel Client Peer Role'}
extensions:
+ extendedKeyUsage: [serverAuth, clientAuth]
subjectAltName:
- DNS: 'localhost'
+ DNS: localhost
IP: ['127.0.0.1', '::1']
- name: 'server_SAN2.pem'
description: General purpose server certificate with bad SANs.
Subject: {CN: 'Kernel Client Peer Role'}
extensions:
+ extendedKeyUsage: [serverAuth]
subjectAltName:
- DNS: ['localhost', '127.0.0.1', '::1']
+ DNS: localhost
+ IP: ['127.0.0.1', '::1']
- name: 'server_no_SAN.pem'
description: General purpose server certificate with missing SAN.
Subject: {CN: localhost, title: 'Server no SAN attribute'}
+ extensions:
+ extendedKeyUsage: [serverAuth]
# For tenant migration testing.
- name: 'rs0.pem'
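Review bot: `server_SAN2.pem` is still described as "General purpose server certificate with bad SANs", but after this hunk its subjectAltName (`DNS: localhost`, `IP: ['127.0.0.1', '::1']`) is identical to that of the "good SANs" `server_SAN1.pem` directly above; the only remaining difference between the two entries is the extendedKeyUsage list. If the test that consumes this certificate relied on the IP literals being in DNS entries to make hostname validation fail, it may no longer exercise that path; either update the description to say what is now "bad" about the certificate, or keep a deliberately non-matching SAN that macOS still accepts. Moving `127.0.0.1` from `DNS:` to `IP:` throughout this file is the right fix for RFC 5280 / Apple's validation rules; a short comment near the top of the `certs:` list, `# IP literals must be listed under IP:, not DNS: — macOS rejects IP addresses in dNSName entries`, would stop the old pattern from creeping back.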
@@ -337,6 +352,9 @@ certs:
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [serverAuth]
+ subjectAltName:
+ DNS: localhost
+ IP: 127.0.0.1
authorityKeyIdentifier: issuer
- name: 'rs1.pem'
@@ -348,6 +366,9 @@ certs:
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [serverAuth]
+ subjectAltName:
+ DNS: localhost
+ IP: 127.0.0.1
authorityKeyIdentifier: issuer
- name: 'rs2.pem'
@@ -359,6 +380,9 @@ certs:
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [serverAuth]
+ subjectAltName:
+ DNS: localhost
+ IP: 127.0.0.1
authorityKeyIdentifier: issuer
- name: 'tenant_migration_donor.pem'
@@ -677,8 +701,10 @@ certs:
CN: 'server'
Issuer: 'rollover_ca.pem'
extensions:
+ extendedKeyUsage: [serverAuth, clientAuth]
subjectAltName:
- DNS: ['localhost', '127.0.0.1']
+ DNS: localhost
+ IP: 127.0.0.1
###
# Intermediate
@@ -696,13 +722,20 @@ certs:
Subject: {CN: 'Server Via Intermediate'}
Issuer: 'intermediate-ca.pem'
append_cert: 'intermediate-ca.pem'
+ extensions:
+ extendedKeyUsage: [serverAuth, clientAuth]
+ subjectAltName:
+ DNS: localhost
+ IP: 127.0.0.1
- name: 'server-intermediate-leaf.pem'
description: Server certificate signed by intermediate CA.
Subject: {CN: 'Server Leaf Via Intermediate'}
extensions:
+ extendedKeyUsage: [serverAuth]
subjectAltName:
- DNS: ['localhost', '127.0.0.1']
+ DNS: localhost
+ IP: 127.0.0.1
Issuer: 'intermediate-ca.pem'
- name: 'intermediate-ca-chain.pem'
@@ -729,12 +762,13 @@ certs:
Subject: {O: 'MongoDB, Inc. (Splithorizon)', CN: 'server'}
Issuer: 'splithorizon-ca.pem'
extensions:
+ extendedKeyUsage: [serverAuth, clientAuth]
subjectAltName:
DNS:
- 'localhost'
- - '127.0.0.1'
- 'splithorizon1'
- 'splithorizon2'
+ IP: 127.0.0.1
###
# Trusted CA
@@ -747,7 +781,8 @@ certs:
extensions:
basicConstraints: {CA: true}
subjectAltName:
- DNS: ['localhost', '127.0.0.1']
+ DNS: localhost
+ IP: 127.0.0.1
# trusted-client.pfx created by mkspecial.sh
- name: 'trusted-client.pem'
@@ -758,8 +793,10 @@ certs:
passphrase: 'qwerty'
name: 'trusted-client.pfx'
extensions:
+ extendedKeyUsage: [clientAuth]
subjectAltName:
- DNS: ['localhost', '127.0.0.1']
+ DNS: localhost
+ IP: 127.0.0.1
# trusted-server.pfx created by mkspecial.sh
- name: 'trusted-server.pem'
@@ -770,8 +807,10 @@ certs:
passphrase: 'qwerty'
name: 'trusted-server.pfx'
extensions:
+ extendedKeyUsage: [serverAuth]
subjectAltName:
- DNS: ['localhost', '127.0.0.1']
+ DNS: localhost
+ IP: 127.0.0.1
- name: 'trusted-client-testdb-roles.pem'
description: Client certificate with X509 role grants via trusted chain.
diff --git a/jstests/ssl/x509/mkcert.py b/jstests/ssl/x509/mkcert.py
index 269120a9af2..45ac802e51c 100755
--- a/jstests/ssl/x509/mkcert.py
+++ b/jstests/ssl/x509/mkcert.py
@@ -17,6 +17,8 @@ import OpenSSL
import re
import shutil
+import mkdigest
+
# pylint: disable=protected-access
OpenSSL._util.lib.OBJ_create(b'1.2.3.45', b'DummyOID45', b'Dummy OID 45')
OpenSSL._util.lib.OBJ_create(b'1.2.3.56', b'DummyOID56', b'Dummy OID 56')
@@ -37,6 +39,9 @@ MUST_STAPLE_KEY = bytes(MUST_STAPLE_KEY_STR, "utf-8")
MUST_STAPLE_VALUE_STR = 'DER:30:03:02:01:05' # ASN.1 value: SEQUENCE { INTEGER 0x05 (5 decimal) }
MUST_STAPLE_VALUE = str(MUST_STAPLE_VALUE_STR).encode('utf-8')
+# <= 825 in order to abide by https://support.apple.com/en-us/HT210176.
+MAX_VALIDITY_PERIOD_DAYS = 824
+
def glbl(key, default=None):
"""Fetch a key from the global dict."""
return CONFIG.get('global', {}).get(key, default)
@@ -138,8 +143,7 @@ def set_validity(x509, cert):
# TODO: Parse human readable dates and/or datedeltas
not_after = int(not_after)
else:
- # Default 20 years hence.
- not_after = 20 * 365 * 24 * 60 * 60
+ not_after = not_before + MAX_VALIDITY_PERIOD_DAYS * 24 * 60 * 60
x509.gmtime_adj_notAfter(not_after)
def set_general_dict_extension(x509, exts, cert, name, typed_values):
@@ -507,7 +511,7 @@ def process_client_multivalue_rdn(cert):
subject = '/CN=client+OU=KernelUser+O=MongoDB/L=New York City+ST=New York+C=US'
subprocess.check_call(['openssl', 'req', '-new', '-nodes', '-multivalue-rdn', '-subj', subject, '-keyout', key, '-out', csr])
subprocess.check_call(['openssl', 'rsa', '-in', key, '-out', rsa])
- subprocess.check_call(['openssl', 'x509', '-in', csr, '-out', pem, '-req', '-CA', ca, '-CAkey', ca, '-days', '3650', '-sha256', '-set_serial', serial])
+ subprocess.check_call(['openssl', 'x509', '-in', csr, '-out', pem, '-req', '-CA', ca, '-CAkey', ca, '-days', str(MAX_VALIDITY_PERIOD_DAYS), '-sha256', '-set_serial', serial])
open(dest, 'wt').write(get_header_comment(cert) + "\n" + open(pem, 'rt').read() + open(rsa, 'rt').read())
os.remove(key)
@@ -567,7 +571,7 @@ def process_ecdsa_ca(cert):
subject = '/C=US/ST=New York/L=New York City/O=MongoDB/OU=Kernel/CN=Kernel Test ESCDA CA/'
reqargs = ['openssl', 'req', '-new', '-key', key, '-out', csr, '-subj', subject]
- x509args = ['openssl', 'x509', '-in', csr, '-out', pem, '-req', '-signkey', key, '-days', '7300', '-sha256', '-set_serial', serial]
+ x509args = ['openssl', 'x509', '-in', csr, '-out', pem, '-req', '-signkey', key, '-days', str(MAX_VALIDITY_PERIOD_DAYS), '-sha256', '-set_serial', serial]
ecparamargs = (['openssl', 'ecparam', '-name', 'prime256v1', '-genkey', '-out', key, '-noout']
if "ocsp" in cert.get('tags', [])
else ['openssl', 'ecparam', '-name', 'prime256v1', '-genkey', '-out', key])
@@ -611,7 +615,7 @@ def process_ecdsa_leaf(cert):
subject = '/C=US/ST=New York/L=New York City/O=MongoDB/OU=' + ou + '/CN=' + mode
reqargs = ['openssl', 'req', '-new', '-key', key, '-out', csr, '-subj', subject]
- x509args = ['openssl', 'x509', '-in', csr, '-out', pem, '-req', '-CA', ca, '-CAkey', ca, '-days', '7300', '-sha256', '-set_serial', serial]
+ x509args = ['openssl', 'x509', '-in', csr, '-out', pem, '-req', '-CA', ca, '-CAkey', ca, '-days', str(MAX_VALIDITY_PERIOD_DAYS), '-sha256', '-set_serial', serial]
if mode == 'server':
reqargs = reqargs + ['-reqexts', 'v3_req']
extfile = tempfile.mkstemp()[1]
@@ -789,6 +793,9 @@ def main():
items = sort_items(items)
for item in items:
process_cert(item)
+ filename = make_filename(item)
+ mkdigest.make_digest(filename, 'cert', 'sha256')
+ mkdigest.make_digest(filename, 'cert', 'sha1')
if __name__ == '__main__':
main()
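Review bot: `main()` now calls `mkdigest.make_digest(filename, 'cert', ...)` for every item, including combined bundles such as `root-and-trusted-ca.pem`, which gains `.digest.sha1`/`.digest.sha256` files in this commit; `OpenSSL.crypto.load_certificate` in mkdigest.py parses only the first PEM block, so the digest written for a bundle is that of its first certificate, not a fingerprint of the file. If that is intended, a comment at the call site, `# For multi-certificate bundles the digest covers the first certificate only.`, stops a reader from trusting it as a bundle fingerprint; otherwise skip items that carry `append_cert` or that do not produce a single certificate. `make_filename` and `process_cert` are defined outside the hunk, so whether any item yields a file that is not a PEM certificate cannot be checked here. The rest of `main()` starts before the hunk.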
diff --git a/jstests/ssl/x509/mkcrl.sh b/jstests/ssl/x509/mkcrl.sh
index e8c55b3e4c2..89fddb90e2c 100755
--- a/jstests/ssl/x509/mkcrl.sh
+++ b/jstests/ssl/x509/mkcrl.sh
@@ -16,15 +16,18 @@ crl() {
echo -e "[ CA_default ]\ndatabase = ${CADB}/index.txt\n" >> "$CONFIG"
echo -e "certificate = $CA\nprivate_key = $CA\ndefault_md = sha256" >> "$CONFIG"
- DAYS="3651"
- CRLDAYS="3650"
+ VALIDITY_OPTIONS="-days 824 -crldays 823"
if [ "$2" = "expired" ]; then
- DAYS="1"
- CRLDAYS="1"
+ # -enddate 010101000000Z = expires on 0:00:00, Jan 1, 2000.
+ # -crlsec 1 = valid for 1 second from now.
+ # i.e. this certificate will be completely invalid very soon.
+ VALIDITY_OPTIONS="-enddate 010101000000Z -crlsec 1"
elif [ "$2" = "revoked" ]; then
openssl ca -config "$CADB/config" -revoke "jstests/libs/client_revoked.pem"
fi
- openssl ca -config "$CADB/config" -gencrl -out "$DEST" -md sha256 -days "$DAYS" -crldays "$CRLDAYS"
+ openssl ca -config "$CADB/config" -gencrl -out "$DEST" -md sha256 $VALIDITY_OPTIONS
+ jstests/ssl/x509/mkdigest.py crl sha256 "$DEST"
+ jstests/ssl/x509/mkdigest.py crl sha1 "$DEST"
}
crl crl.pem empty
crl crl_expired.pem expired
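Review bot: The new comment `# -enddate 010101000000Z = expires on 0:00:00, Jan 1, 2000.` is off by one year: `openssl ca -enddate` takes an ASN.1 UTCTime `YYMMDDHHMMSSZ`, and `010101000000Z` is 2001-01-01T00:00:00Z, so it should read `Jan 1, 2001`. As far as I can tell `-enddate` only governs certificate issuance and is ignored by `-gencrl`, so it is `-crlsec 1` alone that makes the CRL's nextUpdate lapse almost immediately; if that holds, the comment should say the CRL (not "this certificate") becomes invalid, and the `-enddate` option can go. `$VALIDITY_OPTIONS` is deliberately unquoted so it word-splits into separate arguments; a bash array, `VALIDITY_OPTIONS=(-days 824 -crldays 823)` expanded as `"${VALIDITY_OPTIONS[@]}"`, states that intent and keeps shellcheck quiet. The `crl()` function starts before the hunk.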
diff --git a/jstests/ssl/x509/mkdigest.py b/jstests/ssl/x509/mkdigest.py
new file mode 100755
index 00000000000..b9926b48dfa
--- /dev/null
+++ b/jstests/ssl/x509/mkdigest.py
@@ -0,0 +1,42 @@
+#!/usr/bin/env python3
+"""
+This script calculates and writes out digests for x509 certificates/CRLs.
+Invoke as `mkdigest.py <cert|crl> <sha256|sha1> <filename1> [filename2 ...]`
+"""
+import argparse
+import OpenSSL
+import cryptography.hazmat.primitives.hashes as hashes
+
+DIGEST_NAME_TO_HASH = {'sha256': hashes.SHA256(), 'sha1': hashes.SHA1()}
+
+def make_digest(filename, item_type, digest_type):
+ """Calculate the given digest of the certificate/CRL passed in and write it out to <filename>.digest.<digest_type>"""
+ assert item_type in {"cert", "crl"}
+ assert digest_type in {"sha256", "sha1"}
+ with open(filename, 'r') as f:
+ data = f.read()
+
+ if item_type == 'cert':
+ cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, data)
+ rawdigest = cert.digest(digest_type)
+ digest = rawdigest.decode('utf8').replace(':', '')
+ elif item_type == 'crl':
+ crl = OpenSSL.crypto.load_crl(OpenSSL.crypto.FILETYPE_PEM, data)
+ rawdigest = crl.to_cryptography().fingerprint(DIGEST_NAME_TO_HASH[digest_type])
+ digest = rawdigest.hex().upper()
+
+ with open(filename + '.digest.' + digest_type, 'w') as f:
+ f.write(digest)
+
+def main():
+ parser = argparse.ArgumentParser(description='X509 Digest Generator')
+ parser.add_argument('type', choices={"cert", "crl"}, help='Type of X509 object to generate digest for')
+ parser.add_argument('digest', choices={"sha1", "sha256"}, help='Algorithm for digest')
+ parser.add_argument('filename', nargs='+', help='Path of X509 file to generate digest for')
+ args = parser.parse_args()
+
+ for fname in args.filename:
+ make_digest(fname, args.type, args.digest)
+
+if __name__ == '__main__':
+ main() \ No newline at end of file
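Review bot: `make_digest` validates `item_type` and `digest_type` with `assert`, which is stripped under `python -O`; an unexpected `item_type` from a future caller would then skip both branches and fail at `f.write(digest)` with an UnboundLocalError, so an explicit `raise ValueError(f'unknown item type {item_type!r}')` in a final `else:` keeps the check in optimized runs and names the real problem. The `choices={...}` sets in `main()` work, but argparse iterates them in an unstable order for help and error text; tuples `('cert', 'crl')` and `('sha1', 'sha256')` make that output deterministic. The module docstring would also benefit from stating the output format — uppercase hex, no separators, no trailing newline — because the jstests in this commit feed the file contents straight into thumbprint selectors and string comparisons.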
diff --git a/jstests/ssl/x509/root-and-trusted-ca.pem b/jstests/ssl/x509/root-and-trusted-ca.pem
index 219ecf6397d..18882c21d68 100644
--- a/jstests/ssl/x509/root-and-trusted-ca.pem
+++ b/jstests/ssl/x509/root-and-trusted-ca.pem
@@ -2,48 +2,49 @@
# Generate using jstests/ssl/x509/mkcert.py --config jstests/ssl/x509/certs.yml root-and-trusted-ca.pem
#
# Combined ca.pem and trusted-ca.pem
+
# Certificate from ca.pem
-----BEGIN CERTIFICATE-----
-MIIDdDCCAlwCBBmRIxIwDQYJKoZIhvcNAQELBQAwdDELMAkGA1UEBhMCVVMxETAP
-BgNVBAgMCE5ldyBZb3JrMRYwFAYDVQQHDA1OZXcgWW9yayBDaXR5MRAwDgYDVQQK
-DAdNb25nb0RCMQ8wDQYDVQQLDAZLZXJuZWwxFzAVBgNVBAMMDktlcm5lbCBUZXN0
-IENBMB4XDTE5MDkyNTIzMjczOVoXDTM5MDkyNzIzMjczOVowdDELMAkGA1UEBhMC
-VVMxETAPBgNVBAgMCE5ldyBZb3JrMRYwFAYDVQQHDA1OZXcgWW9yayBDaXR5MRAw
-DgYDVQQKDAdNb25nb0RCMQ8wDQYDVQQLDAZLZXJuZWwxFzAVBgNVBAMMDktlcm5l
-bCBUZXN0IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAupVkx8+n
-AqzsANKwNPeCYlf2q0WgF4kSUMNJdpmMelrr7hh7EOnAU0hTAQx9BKTEbExeCzH6
-OArFNGjewjWVXwaOpCjK8FMvK6/lGVEpmoHNF9XuiQVmaQ4bJD6rC73YjpgNIPeL
-5PyoFLEZv+X2cRBPpTcSRcf87tk8HL7v0eyk1JBhkeKK68SYdWwZlHaa1jqwmliW
-WvVMkHVH3lx0VOgQwWtOgs0K1zpcZ0sH5MGpYRQOiidIRZj3PkKeTPQe2D6VQQtv
-2yDs9dWfCxJJP9QiWclL2rF/xqlFSNEIfNZpZhk6I1DHQpA2uyJfzRH62pFasJuB
-CVh5Tr0EDoVreQIDAQABoxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEB
-CwUAA4IBAQARdNCYYWxi2fyhJwzGHwIT261d/pTlOSYLlm84c72aEneFUnfp8/H5
-JjuFbnhiX+5+h3M7eDQhra9s+H3vKr7o38EIVf5OKXvpNLwv1UUmomBvKqccioYh
-bxrfwCzfBRuUmW05kcAVn8iKovqyxL7npEZbckwtT+BqZ4kOL4Uzre+S1HMx0zOu
-xulSYA/sBoJ2BB93ZIAqB+f/+InS9yggzyhhaQqS7QEl1L4nZE4Oy0jKcxdCzysm
-TqiyH+OI5SVRTfXh4XvHmdWBBaQyaTmQzXYUxUi7jg1jEAiebCGrEJv9plwq4KfC
-cze9NLBjaXR3GzonT8kICyVT/0UvhuJg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-----END CERTIFICATE-----
# Certificate from trusted-ca.pem
-----BEGIN CERTIFICATE-----
-MIIDojCCAooCBG585gswDQYJKoZIhvcNAQELBQAwfDELMAkGA1UEBhMCVVMxETAP
-BgNVBAgMCE5ldyBZb3JrMRYwFAYDVQQHDA1OZXcgWW9yayBDaXR5MRAwDgYDVQQK
-DAdNb25nb0RCMQ8wDQYDVQQLDAZLZXJuZWwxHzAdBgNVBAMMFlRydXN0ZWQgS2Vy
-bmVsIFRlc3QgQ0EwHhcNMTkwOTI1MjMyNzQxWhcNMzkwOTI3MjMyNzQxWjB8MQsw
-CQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3Jr
-IENpdHkxEDAOBgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEfMB0GA1UE
-AwwWVHJ1c3RlZCBLZXJuZWwgVGVzdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBANlRxtpMeCGhkotkjHQqgqvO6O6hoRoAGGJlDaTVtqrjmC8nwySz
-1nAFndqUHttxS3A5j4enOabvffdOcV7+Z6vDQmREF6QZmQAk81pmazSc3wOnRiRs
-AhXjld7i+rhB50CW01oYzQB50rlBFu+ONKYj32nBjD+1YN4AZ2tuRlbxfx2uf8Bo
-Zowfr4n9nHVcWXBLFmaQLn+88WFO/wuwYUOn6Di1Bvtkvqum0or5QeAF0qkJxfhg
-3a4vBnomPdwEXCgAGLvHlB41CWG09EuAjrnE3HPPi5vII8pjY2dKKMomOEYmA+KJ
-AC1NlTWdN0TtsoaKnyhMMhLWs3eTyXL7kbkCAwEAAaMxMC8wDAYDVR0TBAUwAwEB
-/zAfBgNVHREEGDAWgglsb2NhbGhvc3SCCTEyNy4wLjAuMTANBgkqhkiG9w0BAQsF
-AAOCAQEAQk56MO9xAhtO077COCqIYe6pYv3uzOplqjXpJ7Cph7GXwQqdFWfKls7B
-cLfF/fhIUZIu5itStEkY+AIwht4mBr1F5+hZUp9KZOed30/ewoBXAUgobLipJV66
-FKg8NRtmJbiZrrC00BSO+pKfQThU8k0zZjBmNmpjxnbKZZSFWUKtbhHV1vujver6
-SXZC7R6692vLwRBMoZxhgy/FkYRdiN0U9wpluKd63eo/O02Nt6OEMyeiyl+Z3JWi
-8g5iHNrBYGBbGSnDOnqV6tjEY3eq600JDWiodpA1OQheLi78pkc/VQZwof9dyBCm
-6BoCskTjip/UB+vIhdPFT9sgUdgDTg==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-----END CERTIFICATE-----
diff --git a/jstests/ssl/x509/root-and-trusted-ca.pem.digest.sha1 b/jstests/ssl/x509/root-and-trusted-ca.pem.digest.sha1
new file mode 100644
index 00000000000..dbe9e3898af
--- /dev/null
+++ b/jstests/ssl/x509/root-and-trusted-ca.pem.digest.sha1
@@ -0,0 +1 @@
+F42B9419C2EF9D431D7C0E5061A82902D385203A \ No newline at end of file
diff --git a/jstests/ssl/x509/root-and-trusted-ca.pem.digest.sha256 b/jstests/ssl/x509/root-and-trusted-ca.pem.digest.sha256
new file mode 100644
index 00000000000..2cffe1b5da9
--- /dev/null
+++ b/jstests/ssl/x509/root-and-trusted-ca.pem.digest.sha256
@@ -0,0 +1 @@
+21A1C6A87B31AF590F5074EE716F193522B8F540081A5D571B25AE5DF72863E3 \ No newline at end of file
diff --git a/jstests/ssl/x509/trusted-client-testdb-roles.pem b/jstests/ssl/x509/trusted-client-testdb-roles.pem
index 858ae8a773a..6868581d6ca 100644
--- a/jstests/ssl/x509/trusted-client-testdb-roles.pem
+++ b/jstests/ssl/x509/trusted-client-testdb-roles.pem
@@ -3,53 +3,53 @@
#
# Client certificate with X509 role grants via trusted chain.
-----BEGIN CERTIFICATE-----
-MIIDwzCCAqugAwIBAgIEQvQH6zANBgkqhkiG9w0BAQsFADB8MQswCQYDVQQGEwJV
+MIIDwzCCAqugAwIBAgIEIEan5jANBgkqhkiG9w0BAQsFADB8MQswCQYDVQQGEwJV
UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO
BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEfMB0GA1UEAwwWVHJ1c3Rl
-ZCBLZXJuZWwgVGVzdCBDQTAeFw0yMDAxMDcxNzMxNDhaFw00MDAxMDkxNzMxNDha
+ZCBLZXJuZWwgVGVzdCBDQTAeFw0yMjAxMjcyMTU5NDhaFw0yNDA0MzAyMTU5NDha
MIGRMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5l
dyBZb3JrIENpdHkxEDAOBgNVBAoMB01vbmdvREIxFTATBgNVBAsMDEtlcm5lbCBV
c2VyczEuMCwGA1UEAwwlVHJ1c3RlZCBLZXJuZWwgVGVzdCBDbGllbnQgV2l0aCBS
-b2xlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPgWO/0KXHIk0KH/
-jePx+uC8M34bx8ncAWvUXKZtaNGkv2+LI0k/1U5ybOTD8kg8tnIMYkquuuG2zeIB
-99vq2Ve+3j62PlqR4HDzXTt3M3eYp6muRzNn78yxVRn+eiIrdwbnvr28l3ikUaVV
-/u9fsHGZOXto+I6tWSWB7MNEVcPtIu2d8XU2gMrqKfpnG0paUKVWkaKyjUX1DsBL
-FUybBbjQj0zK5cUeKoZjSmMtRfqV6ngKmOK4xTBsQ2VKi7AntpALq/knAYU8BaqS
-wWbVuj5sJX86tdRGGhZ6QKIODTQENPprFaJhy34qrhRkD+YHy7tQ+7vc1JpGodiu
-C7/5K+kCAwEAAaM3MDUwMwYLKwYBBAGCjikCAQEEJDEiMA8MBXJvbGUxDAZ0ZXN0
-REIwDwwFcm9sZTIMBnRlc3REQjANBgkqhkiG9w0BAQsFAAOCAQEAlYR0WB/0yHxM
-gvS+hjxQWyRFOJdWcFn0xresIBd4PmQO8cnOz8iuFrg8DKnYroBRFp5tR9VSLFpq
-EH5xoEUMYEAGryYNp8jjOqxy6lIFUZIOf5Li0CtnnV2qHqsiq0kLpSEt+SbpGXtt
-zS1CkgKwj0VMXwl+3HY73Xj6EVUPqqMf+Frc68S0ey1S7+pgr1fHzFN309tcGt4r
-uxDsSAvYJcYTYDj4KaycXovUsIq+kB+E+k5DnbwJYqHErx2r86QCasK9QIE2Eujl
-t+sBpj8JIObPdpsxEiQ9r1+lurWhyEB4qrtI8fzys/0yHP+EYvra3+HftHXY/t32
-jZ79J4C3YQ==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-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
-MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQD4Fjv9ClxyJNCh
-/43j8frgvDN+G8fJ3AFr1FymbWjRpL9viyNJP9VOcmzkw/JIPLZyDGJKrrrhts3i
-Affb6tlXvt4+tj5akeBw8107dzN3mKeprkczZ+/MsVUZ/noiK3cG5769vJd4pFGl
-Vf7vX7BxmTl7aPiOrVklgezDRFXD7SLtnfF1NoDK6in6ZxtKWlClVpGiso1F9Q7A
-SxVMmwW40I9MyuXFHiqGY0pjLUX6lep4CpjiuMUwbENlSouwJ7aQC6v5JwGFPAWq
-ksFm1bo+bCV/OrXURhoWekCiDg00BDT6axWiYct+Kq4UZA/mB8u7UPu73NSaRqHY
-rgu/+SvpAgMBAAECggEALVaa5fajyHRz8HcsrjDF4ZZjbrOTApADbnpj6EJseou6
-NJ9f9n4E9I4y2mf4+jymNxeOSwm9u4xV+ezUKEu2JrQKF7nkkVbBhsLjEgAJ1tx+
-H6Nq/bkL+QObguGf3mjFGuz1TeWOZQzaovWhXovFSi1vdN9NNX32ocUpyNHPPrvW
-nc3Gun/hws4qWwBFpR+8fzMHPJc/NCwZpDRoJl0yXEAkGTKtIEGEJ7tlWLSb5Bz2
-5N0Dkn2S3t8uozPIuv0rjdYd1t+FfOUUAZGI09LCIu9ndBYO6Vj+Vh99xedZ2oBa
-9lHQp3vhLaCXg7O3bY3ac9BIOwdAqcbWAJV/oQl5gQKBgQD90geToF81xZYgLZoU
-iU8RRUSmdurZtNirDkMU+/u5Fwu7yn8M53l++TPP76Hi1yGP9803LwIXNXfyg+sb
-BRAPJg+bJ8N6m1vFdfg509oqlrzoxnmulwBshqt5HbpiOjYAc1cSOpYSXGJjHoFL
-+Au4MRsfDh5RhT1zrUT11+6ZEQKBgQD6N5nGaPOsLHdYXk2//yZF1Ol9kl3L0VWM
-XT0F9m/KSCg1kSf+2XCt1U/b1JsrjMTOZWVHNV3yebPs9/pR2ffmyeXtySFuEVeb
-ZVNSxaCSVVbTJL9W+mpXdqzcTj9IL9tMN6J5PE8eQ6pjG299sBmdj5S92a3uoxQr
-5RmGn36lWQKBgQCix4XQaXNmGteSv2wna3/nxZKnZ3BqOo8R9M2UsZ3YMC14O/+L
-GRBUHCHcYwRhZDLED9nuYBlpJQNN5shqxa5s6K3thWzaPrR2SJfvDizGT3HLny3+
-iBzffOaPgD8+K7LiSxY2PJhuIg1/H9swC14IvIV2Pym2gkrM2vx05gzA4QKBgQCW
-FmngEK4xVY7U6+Q5SYQcmSThVL18d3mYM4laHUNbE8NCtmpGPQmQzAYV98aH7e1T
-XJDOkN1kh8n8V5bIKDXCMtL/ugiabD6fkLzVRoQVoqjtB/rZ4mWNRztS/oCI/WPO
-qQSFMj7HCZGX1yoeO1ZyI2D2LC9fmGSOG+Me1Gb0KQKBgQCZazY6Wb7HPO50HnN3
-e3QrT9VE1PKLW6dWpokdYzq2ISnX8ZBeKvMBX+TpKASduNVXK5shsuNqjMAeXtVk
-V90P2QkgswCoUlgiaxKby7jBqDIO9CsLt0erQ328WUsf9mgk18CmCc42EWBPuQv7
-WTykB3JVLPGKjKcZVI4PP91yAw==
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDqZfLvqEr71tZ9
+kOvl85J5QwdQtM3fM7TYk4znUg9Db+Dh0F/vn7frd2RQiquRjOtS3AyqGurSq90F
+35Zx5dWMM9LMDlydS/xSbsjOBboEgqXFqw/8zD8pa8UxlhluWIoosAb84emWeNHV
+TFZT96F3G5fev+xLnyTWEWCVTkMTMPk+HpWQguCf5HjG993WpbsHJKLjkpjq0LvZ
+cfHK6F/Nfrh1Ih7kyx+V5SJS4v2fAY7j8F7eSUsZh53OHAYQAtXx4xA6/7vOb33U
+3ubZ9jyHQPaOXTrFPiKjW73VuSme+BuOEJUchq/K6I9UsB3yB7zWQ2Mawtrl4Tiq
+CtbUb9dVAgMBAAECggEAXvcfDenpN087Z3QnnuqoFWkKtbALGLsiMfzVwYKFnJTf
+T53UwIi9QzED+32zNS0ayl9M4j41lVT8Hz0O/uZXNo5ogTPwYeo/OEaaJJ49V0Z3
+UzaTK6C0lluLcSOW+hX1I7btndcJhGU+3mQnNa3GRTNwvFaVra20huZTcypaEpOm
+Xxo26QcJFloaMm2n7HAuO756HXd+63SqoQubMQxGFBga76H3ep3WTTgFR6VBejfb
+brdXwT0/uS/0rQ9hkcs/RFfqZqsI8ADXhqhu7aO1+xu5cdzGN6Oa6NKnh3tLX52v
+MQxurnWBIkZNKEczqfVwGWSnwdTlymS11ohleOGrAQKBgQD57xw9fU1VjZ5u4d7Q
+IYQTcBGEf4EHzmJNcXmvz5U98UmrVCuH0TGgMlUUs4LcdvPBbOhW74cfYXPSDQVF
+Afig77BGCn1o3/6T2VgYBJqf9OAMZC+mnMhEuWUcyCYTwmh8v/qHfuJbcADGtQ5B
+05OXKBkjtrBWTbdekis90mk52QKBgQDwFk/Nq2jkff7q/6HwiBXnphHnvl/QLSJl
+3dgNkICl+7HIVHCe+hhLEG5SlNx0drchFuYH2ZN/MMqeWju2oXgcBZmeULKct5VT
+Hii7B3fOkILPCaVJTDtgYMUHsdZ4j+HG7PsjB8/V8DzdijmKMaYb0ZmJmy01ipBv
+T8+XwvC/3QKBgQCJR4HOcG2yyTe1ldDJpy8hchPdIB+iRwUNnn+FRtKllEuvlGrY
+jdnhMOQ0m6kMKTYYDxbK8YPZg7CXNlmnnr6OvzimMArUOPxe/yl4/8Zih6EsjTbz
+H/iMbvyPw4vOnKDBrL0SAWqZaLq0aixrkafmhbrRN/5BWSyYAFdJ/LGZeQKBgDJt
+LUPQfc6IHDO1j4javGcUPWyEUtGBuVjV+JwYvryeGeAuxBzQAKw7fkCAHbGkgaBE
+k/oQG+e6EsShxSr9zSFtl69l2a4K7SUxD3MBBYvwVFkx+HJlvY7npFqSYq6d4dkL
+S1A3QtL3i4EomB9LgE0Vf/8kBaHaQa3vgHWqrzBNAoGBAKgqghZTroNcX91Mqu0p
+iriLMkiDqJkzehD9XQMhOjMfoGxyMoYFmrvo5UHSOEl6ztMFBwR5j6S8hwDHolXr
+wiz0kqRQwivrHN2O613S0Ruis17cvhe0GfMJs+3fCpN8Hu3Wb3d3O1PZ6khjORTy
+Mo9z1LS8fe+6pqKSMPvL24Jp
-----END PRIVATE KEY-----
diff --git a/jstests/ssl/x509/trusted-client-testdb-roles.pem.digest.sha1 b/jstests/ssl/x509/trusted-client-testdb-roles.pem.digest.sha1
new file mode 100644
index 00000000000..dd30990811e
--- /dev/null
+++ b/jstests/ssl/x509/trusted-client-testdb-roles.pem.digest.sha1
@@ -0,0 +1 @@
+80AA73D8FFE6C854A357A836C4657D7C03480011 \ No newline at end of file
diff --git a/jstests/ssl/x509/trusted-client-testdb-roles.pem.digest.sha256 b/jstests/ssl/x509/trusted-client-testdb-roles.pem.digest.sha256
new file mode 100644
index 00000000000..f209638b231
--- /dev/null
+++ b/jstests/ssl/x509/trusted-client-testdb-roles.pem.digest.sha256
@@ -0,0 +1 @@
+C02BAD2324CEB0793749AAF4C01CC35B58525BFE00D683B558B4A6E5BF9C2406 \ No newline at end of file
diff --git a/jstests/ssl/x509_expiring.js b/jstests/ssl/x509_expiring.js
index 526ffb3ed6d..8b7782d1c5d 100644
--- a/jstests/ssl/x509_expiring.js
+++ b/jstests/ssl/x509_expiring.js
@@ -52,6 +52,9 @@ function test(expiration, expect) {
MongoRunner.stopMongod(mongo);
}
-test(30, false);
+assert.doesNotThrow(
+ () => test(100, false),
+ [],
+ "If this fails, the server.pem certificate is expiring soon (<= 100 days) -- this is bad! Please file a ticket with the server security team to renew testing certificates.");
test(7300, true); // Work so long as certs expire no more than 20 years from now
})();
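Review bot: The comment on `test(7300, true); // Work so long as certs expire no more than 20 years from now` is stale after this commit: mkcert.py now caps validity at 824 days, so the fixtures expire in well under three years and a reader may wonder why 7300 is still the threshold. If `expect=true` means the expiry warning must fire, suggest `// Certificates are generated with at most 824 days of validity (see mkcert.py), so a 7300-day window must always trigger the warning.`; `test` is defined above the hunk, so its `expect` semantics cannot be confirmed here. The new assertion message is a good addition; naming the regeneration entry point, jstests/ssl/x509/mkcert.py, in it would make the ticket actionable without further digging.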
diff --git a/jstests/ssl/x509_startup_certificate_info.js b/jstests/ssl/x509_startup_certificate_info.js
index 1c66c74b60b..0fece9c4ce1 100644
--- a/jstests/ssl/x509_startup_certificate_info.js
+++ b/jstests/ssl/x509_startup_certificate_info.js
@@ -15,16 +15,16 @@ const SERVER_CERT_INFO = {
"type": "Server",
"subject": "CN=server,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US",
"issuer": "CN=Kernel Test CA,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US",
- "thumbprint": "BF2E341D28D7CEAADA534A11D75189D4ECABB551"
+ "thumbprint": cat(SERVER_CERT + ".digest.sha1")
};
const CLUSTER_CERT_INFO = {
"type": "Cluster",
"subject": "CN=clustertest,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US",
"issuer": "CN=Kernel Test CA,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US",
- "thumbprint": "FD85F9F6F380EE53F46F497253453731DC885335"
+ "thumbprint": cat(CLUSTER_CERT + ".digest.sha1")
};
const CRL_INFO = {
- "thumbprint": "551FEF8D916CE363E5488AD7F4BD60E3D1EC2BD8"
+ "thumbprint": cat(CRL_FILE + ".digest.sha1")
};
function runTest(checkMongos,