authorShreyas Kalyan <shreyas.kalyan@10gen.com>2020-03-30 16:52:20 -0700
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2020-04-03 16:43:35 +0000
commit65d93bcbc3acf6782fce539c3629d2112ec1df1f (patch)
tree02428fdd1845e24fe47206512108b68d0f2edc55 /jstests/ssl
parent129b8993b6575231509980f29587d3214d56e8e1 (diff)
SERVER-47051 Investigate OCSP failures on 4.3.4 and on 4.5.0
Diffstat (limited to 'jstests/ssl')
-rw-r--r--jstests/ssl/x509/certs.yml5
-rwxr-xr-xjstests/ssl/x509/mkcert.py26
2 files changed, 21 insertions, 10 deletions
diff --git a/jstests/ssl/x509/certs.yml b/jstests/ssl/x509/certs.yml
index f51f7cee79f..ff36cd9d6ad 100644
--- a/jstests/ssl/x509/certs.yml
+++ b/jstests/ssl/x509/certs.yml
@@ -335,6 +335,8 @@ certs:
Issuer: self
include_header: false
output_path: 'jstests/libs/ocsp/'
+ keyfile: 'ca_ocsp.key'
+ crtfile: 'ca_ocsp.crt'
extensions:
basicConstraints:
critical: true
@@ -425,7 +427,7 @@ certs:
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [clientAuth]
-- name: 'ocsp_responder.crt'
+- name: 'ocsp_responder.pem'
description: Certificate and key for the OCSP responder
Subject:
CN: 'localhost'
@@ -435,6 +437,7 @@ certs:
Issuer: 'ca_ocsp.pem'
include_header: false
keyfile: 'ocsp_responder.key'
+ crtfile: 'ocsp_responder.crt'
output_path: 'jstests/libs/ocsp/'
extensions:
basicConstraints: {CA: false}
diff --git a/jstests/ssl/x509/mkcert.py b/jstests/ssl/x509/mkcert.py
index a33767efd64..f983967c407 100755
--- a/jstests/ssl/x509/mkcert.py
+++ b/jstests/ssl/x509/mkcert.py
@@ -422,11 +422,21 @@ def create_cert(cert):
cipher = 'aes256'
header = get_header_comment(cert)
+
+ if bool(cert.get('keyfile', False)) != bool(cert.get('crtfile', False)):
+ raise ValueError("Either include both keyfile and crtfile or neither")
+
# The OCSP responder certificate needs to have the key and the pem file separated.
- if cert.get('keyfile', False):
+ # Since there are only a few cases where we need split key and crt files, and since we
+ # sometimes need the unified pem file as well, we can always generate the pem file.
+ if cert.get('keyfile', False) and cert.get('crtfile', False):
keyfile = cert['keyfile']
+ crtfile = cert['crtfile']
+
key_path_dict = {'output_path': cert['output_path'], 'name': keyfile}
- open(make_filename(cert), 'wt').write(
+ crt_path_dict = {'output_path': cert['output_path'], 'name': crtfile}
+
+ open(make_filename(crt_path_dict), 'wt').write(
header +
OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, x509).decode('ascii'))
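Review bot: The new write at `open(make_filename(crt_path_dict), 'wt').write(...)` relies on the handle being closed by refcounting, so a failure in `dump_certificate` or in `write` leaves an open, possibly partially written .crt on disk; the same pattern is repeated for the key file and for the unified pem in the next hunk. Prefer `with open(make_filename(crt_path_dict), 'wt') as crt_out:` followed by `crt_out.write(header + OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, x509).decode('ascii'))`, and the same shape for the other two writes. The comment `# The OCSP responder certificate needs to have the key and the pem file separated.` no longer matches the code below it, which now splits any entry that declares both `keyfile` and `crtfile`; rewording it to `# Entries that declare keyfile/crtfile additionally get the cert and key written to separate files.` keeps it accurate. create_cert starts before this hunk and continues past it.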
@@ -434,12 +444,10 @@ def create_cert(cert):
header +
OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key, cipher=cipher, passphrase=passphrase).decode('ascii'))
- else:
- # OCSP certificates cannot have comments because the Mock OCSP responder cannot process comments in Certificates
- open(make_filename(cert), 'wt').write(
- header +
- OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, x509).decode('ascii') +
- OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key, cipher=cipher, passphrase=passphrase).decode('ascii'))
+ open(make_filename(cert), 'wt').write(
+ header +
+ OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, x509).decode('ascii') +
+ OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key, cipher=cipher, passphrase=passphrase).decode('ascii'))
if cert.get('pkcs1'):
convert_cert_to_pkcs1(cert)
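Review bot: Nothing prevents `cert['name']` from equalling `crtfile` (or `keyfile`), in which case the unconditional pem write at `open(make_filename(cert), 'wt')` silently overwrites the certificate-only .crt with a file that also contains the private key, because both are built from the same `output_path`; a guard next to the new keyfile/crtfile check, `if cert['name'] in (cert.get('keyfile'), cert.get('crtfile')): raise ValueError("name must differ from keyfile and crtfile")`, would fail loudly instead. The removed `else` branch also carried the only note that the mock OCSP responder cannot parse comments in certificates, which is why the OCSP entries in certs.yml set `include_header: false`; that reasoning is now undocumented, so consider keeping it as a comment above the pem write, e.g. `# Entries consumed by the mock OCSP responder must set include_header: false; it does not tolerate comments.` The surrounding function create_cert begins before this hunk.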
@@ -594,7 +602,7 @@ def validate_config():
if not CONFIG.get('certs'):
raise ValueError('No certificates defined')
- permissible = ['name', 'description', 'Subject', 'Issuer', 'append_cert', 'extensions', 'passphrase', 'output_path', 'hash', 'include_header', 'key_type', 'keyfile', 'explicit_subject', 'serial', 'not_before', 'not_after', 'pkcs1', 'pkcs12', 'version']
+ permissible = ['name', 'description', 'Subject', 'Issuer', 'append_cert', 'extensions', 'passphrase', 'output_path', 'hash', 'include_header', 'key_type', 'keyfile', 'crtfile', 'explicit_subject', 'serial', 'not_before', 'not_after', 'pkcs1', 'pkcs12', 'version']
for cert in CONFIG.get('certs', []):
keys = cert.keys()
if not 'name' in keys: